Transcript Fuzzing Web Applications and Services
By Skyler Onken
Who am I?
What is Fuzzing?
Usual Targets Techniques Results Limitations Why Fuzz?
“Fuzzing the Web”?
Desired Solution Solution Enumeration Engine Fuzzing Engine Client Demo Remaining Issues Future Improvements Q/A
Skyler Onken BYU-Idaho Student (CIT) Contingent Staff w/ LDS Church (QA) Penetration Tester w/ SecureGossip Initiative Security Trainer @ BYU-Idaho Linux User Group Security+, CEH, ECSA http://securityreliks.securegossip.com
OWASP Definition: “Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.” http://www.owasp.org/index.php/Fuzzing
Wikipedia “Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted.” http://en.wikipedia.org/wiki/Fuzz_testing
Synonyms Robustness Testing Syntax Testing Negative Testing White-Noise Testing
File Formats Network Protocols Trust Boundary Crossing Software Desktop Applications Client Software Web Applications Web Services
Specification-based Random data PRNG Bit flipping
Crashes Memory Leaks Assertion Failures Buffer (Stack and Heap based) Overflows Parsing Errors
Find simple bugs Black-Box Strong dependency on seed
Another point of view of testing If its automated, why not?
Recent Fuzzing Successses: Apple Wireless flaw DoS (MOKB-30-11-2006) Month of Browser Bugs: ▪ IE: 25 ▪ Safari: 2 ▪ Firefox: 2 ▪ Opera: 1 ▪ Konquerer: 1
Enumeration Massively deep and expansive Ajax Problem Most elements can be bound to dynamic action Results Detecting errors is difficult beyond checking return code Possibly use baselines?
Rune Hammersland pioneered semi-automation Join together enumeration and fuzzing The AJAX problem Frameworks exist, but lack functionality Peach Sulley RFuzz Some tools exist, but not automated Spike WSFuzz JBroFuzz Wfuzz
Easily and Fully Automated Web Applications and Services Reproducible Errors Easy Reporting “Fire and Forget” AJAX
Client/Applet Enumeration engine Server Fuzzer
Detects target type (app, soap, rest) Will generate variations of enumerated test cases: Crawljax (applications) ▪ ▪ ▪ Implements Selenium Web Driver Programmatically define HTML tags to exercise http://my.webapp.here/func?var1=normalValue& var2=normalValue SoapUI API (services) ▪ Enumerates the WSDL/WADL for operations/resources
Crawler Web Application SOAP Test Cases Fuzzer
Modular Enables intelligence Utilizes RC4 Reproducible Handles requests and results Results: != 200 Output to file; Database pending.
Controller Web Server Fuzzing Engine Module 1 Module 2 Module 3 Bad Chars
Java Applet
JVM Memory Seed Captchas Automated Analysis
Smarter Fuzzing Automated Analysis REST Dictionary Support DB http://code.google.com/p/fuzzops/