Fuzzing Web Applications and Services

Report
By Skyler Onken










Who am I?
What is Fuzzing?
Usual Targets
Techniques
Results
Limitations
Why Fuzz?
“Fuzzing the Web”?
Desired Solution
Solution
 Enumeration Engine
 Fuzzing Engine
 Client




Demo
Remaining Issues
Future Improvements
Q/A

Skyler Onken
 BYU-Idaho Student (CIT)
 Contingent Staff w/ LDS Church (QA)
 Penetration Tester w/ SecureGossip Initiative
 Security Trainer @ BYU-Idaho Linux User Group
 Security+, CEH, ECSA
 http://securityreliks.securegossip.com

OWASP Definition:
 “Fuzz testing or Fuzzing is a Black Box software
testing technique, which basically consists in
finding implementation bugs using
malformed/semi-malformed data injection in an
automated fashion.”
http://www.owasp.org/index.php/Fuzzing

Wikipedia
 “Fuzz testing or fuzzing is a software
testing technique that provides invalid,
unexpected, or random data to the inputs of
a program. If the program fails (for example,
by crashing or failing built-in code assertions), the
defects can be noted.”
http://en.wikipedia.org/wiki/Fuzz_testing

Synonyms
 Robustness Testing
 Syntax Testing
 Negative Testing
 White-Noise Testing



File Formats
Network Protocols
Trust Boundary Crossing Software
 Desktop Applications
 Client Software
 Web Applications
 Web Services


Specification-based
Random data
 PRNG
 Bit flipping





Crashes
Memory Leaks
Assertion Failures
Buffer (Stack and Heap based) Overflows
Parsing Errors



Find simple bugs
Black-Box
Strong dependency on seed



Another point of view of testing
If its automated, why not?
Recent Fuzzing Successses:
 Apple Wireless flaw DoS (MOKB-30-11-2006)
 Month of Browser Bugs:
▪ IE: 25
▪ Safari: 2
▪ Firefox: 2
▪ Opera: 1
▪ Konquerer: 1

Enumeration
 Massively deep and expansive

Ajax Problem
 Most elements can be bound to dynamic action

Results
 Detecting errors is difficult beyond checking
return code
 Possibly use baselines?

Rune Hammersland pioneered semi-automation
 Join together enumeration and fuzzing
 The AJAX problem

Frameworks exist, but lack functionality
 Peach
 Sulley
 RFuzz

Some tools exist, but not automated




Spike
WSFuzz
JBroFuzz
Wfuzz






Easily and Fully Automated
Web Applications and Services
Reproducible Errors
Easy Reporting
“Fire and Forget”
AJAX
Server
Client/Applet
Enumeration
engine
Fuzzer


Detects target type (app, soap, rest)
Will generate variations of enumerated test
cases:
 Crawljax (applications)
▪ Implements Selenium Web Driver
▪ Programmatically define HTML tags to exercise
▪ http://my.webapp.here/func?var1=normalValue& var2=normalValue
 SoapUI API (services)
▪ Enumerates the WSDL/WADL for operations/resources
Crawler
Web Application
Test
Cases
SOAP
Fuzzer

Modular
 Enables intelligence

Utilizes RC4
 Reproducible

Handles requests and results
 Results: != 200
 Output to file; Database pending.
Fuzzing Engine
Module 1
Controller
Module 2
Module 3
Web Server
Bad
Chars

Java Applet




JVM Memory
Seed
Captchas
Automated Analysis






Smarter Fuzzing
Automated Analysis
REST
Dictionary Support
DB
http://code.google.com/p/fuzzops/

similar documents