What is Fuzzing?
Fuzzing is the art of automatic bug detection. The goal of fuzzing is to stress the application and cause unexpected behavior, resource leaks, or crashes.
The process involves throwing invalid, unexpected, or random data as inputs at a computer. Fuzzers repeat this process and monitor the environment until they detect a vulnerability.
Threat actors use fuzzing to find zero-day exploits – this is known as a fuzzing attack. Security professionals, on the other hand, leverage fuzzing techniques to assess the security and stability of applications.
Why are the World’s Biggest Companies Implementing Fuzz Testing?
Some of the world’s biggest and most respected organizations are implementing fuzzing as part of their quality control and cybersecurity operations:
- Google uses fuzzing to check and protect millions of lines of code in Chrome. In 2019, Google discovered more than 20,000 vulnerabilities in Chrome via internal fuzz testing.
- Microsoft uses fuzzing as one of the stages in its software development lifecycle, to find vulnerabilities and improve the stability of its products.
- The US Department of Defence (DoD) issued a DevSecOps Reference Design and an Application Security Guide, both of which require fuzz testing as a standard part of software development processes.
These and many other organizations are adopting fuzzing into their standard development processes for several reasons:
- Fuzzing does not just identify the problem, it also shows the cause of the problem and how an attacker may interact with it in a real-life attack.
- Fuzzing proves a vulnerability exists, identifying problems without having to sift through false positives.
- Fuzzing is fully automated, and can run independently for days or even weeks, identifying more and more vulnerabilities in a system under test.
- Fuzzing is highly useful for developers. The role of developers is to develop and improve product features. While traditional security tools only point out flaws, fuzzers show the result of the flaw and demonstrate the impact of solving it.
Types of Fuzzing Tools
Fuzzing tools can be grouped into four basic types.
Grammar-Based vs. Mutation Fuzzing
Grammar-based and mutation fuzzers are distinguished by the way they generate test cases. Some fuzzers combine both approaches.
Grammar-based fuzzers generate new test cases from a supplied model. The tester defines a “grammar”, specifying the format of inputs accepted by the application, and can define which parts of the input should be fuzzed. The fuzzer uses this model to generate a large number of inputs, which are similar to legitimate inputs, but violate some of the application’s constraints.
Mutation fuzzers randomly mutate a supplied seed input object. They are not constrained by a specific model, and “go crazy” by generating large numbers of unusual inputs. This can be very successful at identifying new bugs or execution paths that may have not been specified by the user in a grammar-based fuzzer.
Black-Box vs. White-Box Fuzzing
Fuzzers can also be grouped into either black-box or white-box approaches.
Black-box fuzzers don’t have access to program artifacts and are more commonly used by cybersecurity researchers looking for vulnerabilities in commercial products. Black-box fuzzing randomly mutates program inputs and observes how the program reacts to them. It can be highly effective in finding new bugs and security issues.
White-box fuzzers by definition require access to program source code. They are commonly used by red teams working for organizations responsible for systems or by software testing groups.
White-box fuzzing involves sweeping the program and identifying conditional branches and constraints on inputs. The fuzzer then systematically violates each of the constraints and evaluates the response.
This is a very comprehensive process that, in theory, can reach all possible execution paths of the program. It can usually discover more bugs than a black-box approach, but it does not test the software from an external, attacker perspective.
How Does Application Fuzzing Work?
As we established above, fuzzing software is a great tool capable of finding zero-day vulnerabilities, but how does a fuzzer work?
1. Generating Test Cases
First, test cases are generated. Each security test case can be generated as a random, or semi-random data set, and then sent as input to the application.
The data set can be either generated in conformance to the format requirements of the system’s input, or as a completely malformed chunk of data the system was not meant to understand or process.
What do you think would happen to an application if negative numbers, null characters, or even special characters, were sent to some input fields? Do you know how your application would behave?
2. Interfacing with the Target to Deliver the Input
A fuzzer can interface with an application, a protocol, or a file format. To deliver its test cases, it sends them to the target over the network or via command-line arguments of a running application.
Imaginative choices of delivery path can expose a relevant piece of code to exactly the data that exercises it.
3. Monitoring the System to Detect Crashes
The success of a fuzz test is measured by the ability to observe and confirm the impact the generated inputs have on the targeted application, such as crashes or other unexpected behavior.
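The three steps above, together with the grammar-based versus mutation distinction from the previous section, as an added example that is not part of the original article: a toy record parser with a planted truncation defect (constructed for this illustration, not a real product) is fed inputs from a grammar-based generator and a mutation generator, and the monitoring loop keeps only unexpected exceptions as findings while treating the parser's own "bad checksum" rejection as correct behavior.

```python
import random
from functools import reduce

# Constructed toy target (not from the article): record = <len:1><payload:len><xor checksum:1>.
# Planted defect: the parser trusts the length byte, so a truncated record raises IndexError.
def xor_bytes(b): return reduce(lambda a, c: a ^ c, b, 0)

def parse_record(data):
    n = data[0]
    payload = data[1:1 + n]
    if data[1 + n] != xor_bytes(payload):    # IndexError on a truncated record
        raise ValueError("bad checksum")     # expected rejection, not a crash
    return payload

def grammar_case(rng):
    """Grammar-based: build a structurally valid record, then (half the time)
    violate the constraint that the length byte equals the payload length."""
    payload = bytes(rng.randrange(256) for _ in range(rng.randrange(8)))
    length = rng.randrange(256) if rng.random() < 0.5 else len(payload)
    return bytes([length]) + payload + bytes([xor_bytes(payload)])

def mutate(seed, rng):
    """Mutation-based: one random edit (flip/delete/insert/truncate) to a seed."""
    data, op = bytearray(seed), rng.choice("fdit")
    if op == "i" or not data:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == "f":
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == "d":
        del data[rng.randrange(len(data))]
    else:
        del data[rng.randrange(len(data)):]
    return bytes(data)

def fuzz(target, cases, expected=(ValueError,)):
    crashes = {}                             # crash signature -> first input that caused it
    for case in cases:
        try:
            target(case)
        except expected:                     # target correctly rejected bad input
            continue
        except Exception as exc:             # anything else is a finding
            crashes.setdefault(f"{type(exc).__name__}: {exc}", case)
    return crashes

def run_campaign(iterations=2000, seed=1):
    rng = random.Random(seed)                # fixed seed: reproducible campaign
    good = bytes([3, 0x41, 0x42, 0x43, 0x40])   # valid seed record, payload "ABC"
    cases = [grammar_case(rng) if i % 2 else mutate(good, rng) for i in range(iterations)]
    return fuzz(parse_record, cases)
```

Deduplicating by exception type and message collapses thousands of crashing inputs into one reproducible finding, which is what makes the campaign's output actionable for a developer.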
NeuraLegion’s NexPloit: Fuzz Testing for Application Security
NexPloit is the world’s first AI-Powered Application Security Fuzz-testing tool.
NeuraLegion’s NexPloit offers the combination of the world’s leading DAST solution and a self-evolving, adaptive-learning fuzzer solution. NexPloit applies evolution strategies and reinforcement learning to extensively analyze the response of the application and the context of a given attack surface, breaking the assumed scope of the target. NexPloit reports vulnerabilities that are invisible to other, unintelligent fuzz testing tools.
NexPloit combines different technologies to raise efficiency and performance as the most comprehensive, reliable, and accurate solution. NexPloit comes with zero false positives.