Fuzzing Web Applications and Services



By Skyler Onken

Agenda:
- Who am I?
- What is Fuzzing?
  - Usual Targets
  - Techniques
  - Results
  - Limitations
  - Why Fuzz?
- "Fuzzing the Web"?
- Desired Solution
- Solution
  - Enumeration Engine
  - Fuzzing Engine
  - Client
- Demo
- Remaining Issues
- Future Improvements
- Q/A

Who am I?
- Skyler Onken
- BYU-Idaho student (CIT)
- Contingent staff with the LDS Church (QA)
- Penetration tester with the SecureGossip Initiative
- Security trainer at the BYU-Idaho Linux User Group
- Security+, CEH, ECSA
- http://securityreliks.securegossip.com

What is Fuzzing?

OWASP definition: "Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion." (http://www.owasp.org/index.php/Fuzzing)

Wikipedia: "Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted." (http://en.wikipedia.org/wiki/Fuzz_testing)

Synonyms:
- Robustness testing
- Syntax testing
- Negative testing
- White-noise testing

Usual Targets:
- File formats
- Network protocols
- Software that crosses a trust boundary
  - Desktop applications
  - Client software
  - Web applications
  - Web services

Techniques:
- Specification-based
- Random data (PRNG)
- Bit flipping

Results:
- Crashes
- Memory leaks
- Assertion failures
- Buffer overflows (stack- and heap-based)
- Parsing errors

Limitations:
- Finds only simple bugs
- Black-box
- Strong dependency on the seed
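Added example, not from the talk: the three generation techniques listed above (specification-based cases, PRNG random data, bit flipping) run against a small length-prefixed message parser constructed for this demo. The message format, the parser and its planted zero-length flaw are assumptions. It also shows the seed dependency from the Limitations slide: the findings are reproducible only because the PRNG is seeded.

```python
"""Added example: spec-based, random and bit-flip fuzzing of a constructed parser."""
import random
import struct


def parse_message(msg: bytes) -> bytes:
    """Constructed target: 4-byte big-endian length prefix followed by the payload.
    ValueError is the expected rejection of malformed input; any other exception
    is a defect.  Planted flaw: a zero length makes payload[length - 1] read
    payload[-1], which raises IndexError when the payload is empty."""
    if len(msg) < 4:
        raise ValueError("short header")
    (length,) = struct.unpack(">I", msg[:4])
    payload = msg[4:]
    if length > len(payload):
        raise ValueError("length exceeds buffer")
    _ = payload[length - 1]          # bug: no check for length == 0
    return payload[:length]


def spec_based_cases():
    """Specification-based cases: boundary values for the length field."""
    return [
        struct.pack(">I", 0),                      # zero length, no payload
        struct.pack(">I", 1),                      # claims more than is present
        struct.pack(">I", 0xFFFFFFFF) + b"A",      # maximum length
        struct.pack(">I", 3) + b"abc",             # well-formed control case
    ]


def random_case(rng: random.Random, max_len: int = 16) -> bytes:
    """Pure PRNG data: header and payload are both random bytes."""
    return bytes(rng.randrange(256) for _ in range(rng.randrange(max_len + 1)))


def bit_flip(data: bytes, n_flips: int, rng: random.Random) -> bytes:
    """Mutate a valid seed message by flipping n_flips randomly chosen bits."""
    buf = bytearray(data)
    for _ in range(n_flips):
        pos = rng.randrange(len(buf))
        buf[pos] ^= 1 << rng.randrange(8)
    return bytes(buf)


def fuzz_parser(seed_msg: bytes, prng_seed: int, iterations: int = 500):
    """Run all three techniques; return (case, exception name) for each defect.
    Seeding the PRNG is what makes a run reproducible: the same prng_seed yields
    the same cases and therefore the same findings."""
    rng = random.Random(prng_seed)
    cases = list(spec_based_cases())
    for _ in range(iterations):
        if rng.random() < 0.5:
            cases.append(random_case(rng))
        else:
            cases.append(bit_flip(seed_msg, rng.randrange(1, 4), rng))
    findings = []
    for case in cases:
        try:
            parse_message(case)
        except ValueError:
            pass                      # expected rejection of malformed input
        except Exception as exc:      # anything else is a bug worth reporting
            findings.append((case, type(exc).__name__))
    return findings


if __name__ == "__main__":
    seed = struct.pack(">I", 3) + b"abc"
    for case, name in fuzz_parser(seed, prng_seed=42):
        print(name, case.hex())
```

The random cases almost never hit the planted flaw (they need an all-zero header with nothing after it), while the specification-based case finds it immediately; that is the usual argument for mixing techniques rather than relying on one.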

Why Fuzz?
- Another point of view on testing
- If it's automated, why not?

Recent fuzzing successes:
- Apple wireless flaw DoS (MOKB-30-11-2006)
- Month of Browser Bugs: IE 25, Safari 2, Firefox 2, Opera 1, Konqueror 1

"Fuzzing the Web"?
- Enumeration: massively deep and expansive
- The Ajax problem: most elements can be bound to a dynamic action
- Results: detecting errors is difficult beyond checking the return code; possibly use baselines?

Existing work:
- Rune Hammersland pioneered semi-automation: join enumeration and fuzzing together
- The AJAX problem remains
- Frameworks exist, but lack functionality: Peach, Sulley, RFuzz
- Some tools exist, but are not automated: Spike, WSFuzz, JBroFuzz, Wfuzz

Desired Solution:
- Easily and fully automated
- Web applications and services
- Reproducible errors
- Easy reporting
- "Fire and forget"
- AJAX

Solution (architecture diagram): Client/Applet, Enumeration engine, Server, Fuzzer

Enumeration Engine:
- Detects the target type (app, SOAP, REST)
- Generates variations of the enumerated test cases
- Crawljax (applications)
  - Implements Selenium WebDriver
  - Programmatically define which HTML tags to exercise
  - Example request: http://my.webapp.here/func?var1=normalValue&var2=normalValue
- SoapUI API (services)
  - Enumerates the WSDL/WADL for operations/resources

(Diagram: Crawler and Web Application; SOAP; Test Cases; Fuzzer)

Fuzzing Engine:
- Modular: enables intelligence
- Utilizes RC4
- Reproducible
- Handles requests and results
  - A result is flagged when the status is != 200
  - Output to file; database pending

(Diagram: Controller, Web Server, Fuzzing Engine with Module 1, Module 2, Module 3 and Bad Chars)
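Added example, not fuzzops code: the pipeline sketched on the last few slides, from an enumerated request of the var1/var2 form through test-case variation, a modular fuzzing engine and result detection. It runs offline against an in-process stand-in for the web server. The URL form and the != 200 check come from the slides; the RC4-as-keyed-PRNG reading of "Utilizes RC4", the module payloads, the baseline comparison (the idea floated on the "Fuzzing the Web" slide) and the toy server are assumptions.

```python
"""Added example: enumerated URL -> variations -> modular fuzzer -> detection."""
import json
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


class RC4Stream:
    """RC4 keystream used only as a keyed PRNG (one reading of the slide's
    'Utilizes RC4'): the same key always yields the same fuzz values."""

    def __init__(self, key: bytes):
        S = list(range(256))
        j = 0
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) & 0xFF
            S[i], S[j] = S[j], S[i]
        self.S, self.i, self.j = S, 0, 0

    def byte(self) -> int:
        S = self.S
        self.i = (self.i + 1) & 0xFF
        self.j = (self.j + S[self.i]) & 0xFF
        S[self.i], S[self.j] = S[self.j], S[self.i]
        return S[(S[self.i] + S[self.j]) & 0xFF]

    def choice(self, seq):
        return seq[self.byte() % len(seq)]


# Fuzzing modules (assumed payloads): each maps a parameter's normal value to a
# list of replacement values.  A new module is just another function in MODULES.
def module_bad_chars(value, rng):
    chars = ["'", '"', "<", ">", "%00", "../", "\\"]
    return [value + c for c in chars] + chars


def module_lengths(value, rng):
    return ["A" * n for n in (256, 2048, 8192)]


def module_random(value, rng, count=4):
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789-_."
    return ["".join(rng.choice(alphabet) for _ in range(rng.byte() % 32 + 1))
            for _ in range(count)]


MODULES = [module_bad_chars, module_lengths, module_random]


def variations(url, rng, modules=MODULES):
    """Turn one enumerated request into test cases: mutate one parameter at a
    time and leave the others at their normal values."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for idx, (name, normal) in enumerate(params):
        for mod in modules:
            for payload in mod(normal, rng):
                mutated = list(params)
                mutated[idx] = (name, payload)
                yield name, mod.__name__, urlunsplit(parts._replace(query=urlencode(mutated)))


def toy_server(url):
    """Constructed stand-in for the target; returns (status, body).  A quote in
    var2 yields a 500; an oversized var1 yields a 200 whose body differs."""
    q = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if "'" in q.get("var2", ""):
        return 500, "<pre>Unhandled SQLSyntaxError</pre>"
    if len(q.get("var1", "")) > 1024:
        return 200, "<html>Warning: input truncated</html>"
    return 200, "<html>func: ok</html>"


def fuzz(url, key, send=toy_server, out_path=None):
    """Send every variation; flag status != 200 (the slide's check) and, as the
    baseline idea, any 200 whose body differs from the normal request's body."""
    rng = RC4Stream(key)
    _, base_body = send(url)
    findings = []
    for param, module, case in variations(url, rng):
        status, body = send(case)
        if status != 200:
            reason = "status %d" % status
        elif body != base_body:
            reason = "body differs from baseline"
        else:
            continue
        findings.append({"param": param, "module": module, "url": case, "reason": reason})
    if out_path:  # results to file, with the key so the run can be replayed
        with open(out_path, "w") as fh:
            json.dump({"key": key.hex(), "findings": findings}, fh, indent=1)
    return findings


if __name__ == "__main__":
    URL = "http://my.webapp.here/func?var1=normalValue&var2=normalValue"
    for f in fuzz(URL, b"demo-seed", out_path="findings.json"):
        print(f["reason"], f["param"], f["module"], f["url"])
```

The oversized-var1 case is the one the slide's "!= 200" rule would miss: the server answers 200 with a different page, and only the baseline comparison flags it. Swapping `toy_server` for a function that performs the real HTTP request turns this into a live harness; the key in the output file is what makes a finding reproducible on a later run.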

Client:
- Java applet

Remaining Issues:
- JVM memory
- Seed
- CAPTCHAs
- Automated analysis

Future Improvements:
- Smarter fuzzing
- Automated analysis
- REST
- Dictionary support
- DB
- http://code.google.com/p/fuzzops/