There are several methodologies you can use to find vulnerabilities in your applications, each method coming with its own pros and cons. In this post we discuss fuzzing – a method capable of finding both known and previously unknown, zero-day vulnerabilities.
What is Fuzzing?
Fuzzing is the art of automatic bug detection involving invalid, unexpected, or random data as inputs to a computer. The goal of fuzzing is to stress the application and cause unexpected behavior, resource leaks, or crashes. This makes a fuzzer a great asset in assessing the security and stability of applications.
Why should you be fuzzing your Applications?
Over the last few years we have witnessed a dramatic increase in high profile cyber-attacks. Many of those attacks resulted in substantial reputational losses, as well as record fines. According to the “Cost of a Data Breach” report, the average cost of a data breach in 2019 was $150 per record. Do the math based on the number of records that could be stolen, or exposed.
The increase in high profile cyber-attacks highlights that not enough is being done and/or current cybersecurity methods are no longer effective.
While tools like SAST and DAST are great for detecting known vulnerabilities in code or applications, a fuzzer can go beyond and detect unknown vulnerabilities. This ability to detect unknown vulnerabilities is what makes a fuzzer an indispensable tool in application security testing.
Fuzz tests are a great way to ensure the quality of the application’s runtime behavior in unassumed scenarios.
How does Fuzzing work?
As we established above, a fuzzer is a great tool capable of finding zero-day vulnerabilities, but how does a fuzzer work?
Generating test cases
First, test cases are generated. Each security test case can be generated as a random, or semi-random data set, and then sent as input to the application.
The data set can be either generated in conformance to the format requirements of the system’s input, or as a completely malformed chunk of data the system was not meant to understand or process.
What do you think would happen to an application if negative numbers, null characters, or even special characters, were sent to some input fields? Do you know how your application would behave?
Interfacing with the target to deliver the input
While fuzz testing, a fuzzer can interface with an application, a protocol, or a file format. While doing that, a fuzzer sends test cases to the target over the network or via a command-line argument of a running application.
Imaginative use cases can reveal ways to expose a relevant piece of code with the right specific data.
Monitoring the system to detect crashes
The success of a fuzz test is measured by the ability to confirm the impact that a fuzzer has on the targeted application.
Which fuzzing tool should you choose?
Fuzzers can be grouped into six types along three different dimensions.
Mutation or generation fuzzing
Mutation or generation fuzzers are defined by the way they handle test case generation.
Generation fuzzers generate new test cases from a supplied model, while mutation fuzzers mutate a supplied seed input object. There are fuzzers that can do both.
Intelligent or dumb fuzzing
While initially defined to indicate knowledge of and adherence to specific input formats, the terms intelligent or dumb today relate more to the way that specific fuzzers mutate or generate input.
Black-box or White-box fuzzing
Fuzzers can also be grouped into either black-box or white-box approaches.
Black-box fuzzers don’t have access to program artifacts and are more commonly used by cybersecurity researchers looking for vulnerabilities in commercial products.
White-box fuzzers by definition require access to all program artifacts. They are commonly used by red teams working for organizations responsible for systems or by software testing groups.
In the future post we are going to do a deep-dive into different types of fuzzers. Subscribe to our Newsletter so you don’t miss it.
NexPloit is the world’s first AI-Powered Application Security Fuzz-testing tool.
NeuraLegion’s NexPloit offers the combination of the world’s leading DAST solution and a self-evolving, adaptive-learning fuzzer solution. NexPloit applies evolution strategies and reinforcement learning to extensively analyze the response of the application and the context of a given attack surface breaking the assumed scope of the target. NexPloit reports vulnerabilities that are invisible to other, unintelligent fuzz testing tools.
NexPloit combines different technologies to raise efficiency and performance as the most comprehensive, reliable, and accurate solution. NexPloit comes with zero false-positives.
To see NexPloit in action, request a free demo.