What is Fuzzing?
Fuzzing, or fuzz testing, is a software testing technique that provides invalid, unexpected, or random data as input to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Typically, fuzzers test programs that take structured inputs, such as files, network packets, or database queries.
Fuzzing is a powerful tool for finding software vulnerabilities, especially security vulnerabilities. By feeding a program invalid inputs, fuzzers can expose bugs that attackers could exploit. For example, a fuzzer might find a buffer overflow vulnerability in a web application, which could allow an attacker to execute arbitrary code on the server.
History of Fuzzing
Fuzzing was first developed in the late 1980s by Professor Barton Miller and his students at the University of Wisconsin-Madison. Miller was inspired by his experience while trying to access a remote Unix system using a dial-up network link during a thunderstorm. The interference on the line caused the program to crash, and Miller realized that this type of unexpected input could be used to test the reliability of the software.
Types of Fuzzing
There are two main types of fuzzing:
- Coverage-guided fuzzing: This type uses code coverage analysis to guide the generation of new test inputs. The goal is to maximize the amount of code exercised by the fuzzer, to increase the chances of finding bugs.
- Behavioral fuzzing: This type monitors the program’s behavior under test and generates new inputs based on the program’s responses. The goal is to find inputs that cause the program to behave unexpectedly, such as crashing or leaking sensitive data.
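The following added example (not from the original page) shows the coverage-guided loop described above in miniature: a constructed parser with a planted defect is run under a line tracer, every byte of every queued input is walked through all 256 values, and a mutant that reaches a new edge is promoted to a seed. The parser, its "FZZ" magic and the crash it produces are all constructed for this illustration.

```python
import sys

# Constructed target with a planted defect (example, not the page's code): "FZZ" magic, length byte, payload.
def parse_record(data: bytes) -> int:
    if len(data) < 1 or data[0] != ord("F"):
        return 0
    if len(data) < 2 or data[1] != ord("Z"):
        return 0
    if len(data) < 3 or data[2] != ord("Z"):
        return 0
    length = data[3] if len(data) > 3 else 0
    payload = data[4:]
    # Defect: trusts the declared length, so a truncated record raises IndexError (the "crash").
    return payload[length - 1] if length else 1

def run_with_coverage(target, data):
    """Run target(data) under a line tracer; return (edges hit, exception or None)."""
    edges, last = set(), [0]
    def tracer(frame, event, arg):
        if frame.f_code is not target.__code__:
            return None                            # trace only the target's own frame
        if event == "line":
            edges.add((last[0], frame.f_lineno))   # edge = (previous line, this line)
            last[0] = frame.f_lineno
        return tracer
    sys.settrace(tracer)
    try:
        target(data)
        return edges, None
    except Exception as exc:                       # any uncaught exception is a crash
        return edges, exc
    finally:
        sys.settrace(None)

def fuzz(target, seeds):
    """Coverage-guided loop: walk every byte value at every position of each queued input."""
    corpus, seen, runs = list(seeds), set(), 0
    for seed in corpus:                            # corpus grows while being iterated
        seen |= run_with_coverage(target, seed)[0]
        for i in range(len(seed)):
            for v in (v for v in range(256) if v != seed[i]):
                candidate = seed[:i] + bytes([v]) + seed[i + 1:]
                runs += 1
                edges, crash = run_with_coverage(target, candidate)
                if crash is not None:
                    return {"crash": candidate, "error": type(crash).__name__, "runs": runs, "corpus": corpus}
                if edges - seen:                   # new coverage: promote mutant to seed
                    seen |= edges
                    corpus.append(candidate)
    return {"crash": None, "error": None, "runs": runs, "corpus": corpus}
```

Starting from the single seed b"hello", each matched magic byte opens a new edge and earns the mutant a place in the corpus, so the crashing input b"FZZlo" is reached in roughly three thousand runs instead of the millions a purely random search would need.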
Examples of Fuzzing
Here are some examples of how fuzzing is used in practice:
- A security researcher might use fuzzing to find vulnerabilities in a web application that could be exploited to steal user data or take over the website.
- A software developer might use fuzzing to test a new operating system for stability and security vulnerabilities before releasing it to the public.
- A network engineer might use fuzzing to test a new firewall for vulnerabilities that could allow attackers to bypass it.
Fuzzing Tools
ZAP (Zed Attack Proxy)
ZAP (Zed Attack Proxy) is an open-source tool developed by OWASP. ZAP can test a wide range of web applications, including those built on modern web technologies such as JavaScript, AJAX, and HTML5.
ZAP can be used for fuzzing in a few different ways. One is to use the “Brute Force Scanner” to generate random inputs for the web application; it can produce different kinds of inputs, such as HTTP requests, parameters, and cookies.
Another way to use ZAP for fuzzing is to use the “Fuzzer” plugin. The “Fuzzer” plugin can be used to generate more sophisticated inputs than the “Brute Force Scanner”. For example, the “Fuzzer” plugin can be used to generate inputs that are based on the structure of the web application.
Google OSS-Fuzz
Google OSS-Fuzz is a free continuous fuzzing service for open source software. It uses a variety of fuzzing engines, including AFL, libFuzzer, and Honggfuzz, to find security vulnerabilities and bugs in open source projects.
OSS-Fuzz is easy to use. To integrate your project into OSS-Fuzz, you must create a pull request with a few configuration changes. Once your pull request is merged, your project will be automatically fuzzed by OSS-Fuzz.
OSS-Fuzz has been very successful in finding vulnerabilities in open-source software. Since its launch in 2016, OSS-Fuzz has helped to identify and fix over 10,000 vulnerabilities and 36,000 bugs across 1,000 projects.