Your Complete Guide to Fuzzing

Join Cybrary

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATION
Already a Member Login Here

< Back to Blog Posts

Your Complete Guide to Fuzzing

Published: August 15, 2017 | By: Olivia | Views: 4678
save

What is fuzzing?

A black box software testing technique, fuzzing is a more refined version of trial and error, used to discover coding errors and security vulnerabilities in software. It involves imputing large amounts of random data, known as ‘fuzz,’ into the target program until one of those permutations reveals a vulnerability. If a vulnerability is found, a software tool called a fuzzer can be used to identify potential causes.

Although an older process, fuzzing is used by hackers and defenders alike. Professor Barton Miller and his students developed this powerful tool for both exploitation and defense at the University of Wisconsin Madison in 1989. It is important to recognize that fuzzing can be used by both security professionals as a means of protecting against exploits and hackers seeking vulnerabilities to exploit.

Fuzzing , which is a relatively low budget way of conducting a security audit and commonly used by even the largest organizations like Amazon and Google, has grown in popularity since its inception.

The purpose of fuzzing relies on the assumption that every program contains bugs and those bugs are just waiting to be discovered. A systematical/ random approach will help testers find them.

Why use fuzzing?

According to TechTarget, “Fuzzers work best for discovering vulnerabilities that can be exploited by buffer overflow, DOS (denial of service), cross-site scripting and SQL injection. These schemes are often used by malicious hackers intent on wreaking the greatest possible amount of havoc in the least possible time. Fuzz testing is less effective for dealing with security threats that do not cause program crashes, such as spyware, some viruses, worms, Trojans and keyloggers.”

The systematical/random approach taken with fuzzing allows users to find bugs that would have often been missed by human eyes. When the tested system is totally closed, fuzzing is one of the only means of reviewing the test’s quality.

Generally speaking, fuzzing is low budget, simple to conduct, and can reveal serious defects that would otherwise be overlooked. While it does not provide a full scope of an organization or networks security, it can be effective in Black Box testing, debugging and even beta testing.

What is an example of fuzzing?

A common approach to fuzzing is to define lists of ‘known-to-be-dangerous values’ (fuzz vectors) for each type, and to inject them or recombination’s.

  • for integers: zero, possibly negative or very big numbers
  • for chars: escaped, interpretable characters / instructions (ex: For SQL Requests, quotes / commands…)
  • for binary: random ones

Wired provides a more in-depth example, writing, “A hacker fuzzing Internet Explorer, for instance, might run Microsoft’s browser in a debugger tool, so that they can track every command the program executes in the computer’s memory. Then they’d point the browser to their own web server, one designed to run their fuzzing program. That fuzzer would create thousands or even millions of different web pages and load them in its browser target, trying variation after variation of HTML and javascript to see how the browser responds. After days or even weeks or months of those automated tests, the hacker would have logs of the thousands of times the browser crashed in response to one of the inputs.”

Why should I learn fuzzing?

Fuzzing is a fundamental skill for web app penetration testers, exploit developers, and software engineers alike. From a security standpoint, fuzzing (especially using a script) is a great way to test anything that accepts inputs for reactions due to unexpected input. From a developer standpoint, fuzzing is a great way to test your code with a bunch of inputs, so you can verify that you handle inputs correctly and nothing unexpected happens.

Essentially, it is a cost effective and simple way to gain insight into vulnerabilities, a required skill of many security positions. Take your career as a penetration tester further by learning the varying fuzzing techniques.

How can I learn fuzzing?

Professionals looking to gain a comprehensive understanding of different hacking tools and techniques such as fuzzing will greatly benefit from The Ethical Hacking Virtual Lab from Practice Labs. Not only will this lab allow you to gain hands-on skills needed as a capable ethical hacker, but it will also prepare you to confidently ace the Certified Ethical Hacker certification exam.

Obtaining your certification as an ethical hacker signifies that you possess the fundamental knowledge to protect systems using an ethical hacking methodology and framework as your line of defense.

olivia2

Olivia Lynch (@Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the infosec field and is working to make cyber security news more interesting. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.

 

 

< Back to Blog Posts
Enjoy this blog post? Want more Cybytes?
Invite a Friend
and share now
Facebook Twitter Google+ LinkedIn Email
Join Cybrary
3 Comments
  1. Olivia we love you, the whole cyber security community…

  2. Thanks, Olivia
    : )

  3. Thank you for sharing this interesting article

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel