Software vulnerabilities are a significant problem in cybersecurity. They allow software products to be attacked, and when those products are connected to otherwise secure networks, they can provide an entry point for hackers.
All professional software products are thoroughly tested prior to release. Unfortunately, vulnerabilities are still a common occurrence. One way to find additional vulnerabilities is to use a software testing technique known as fuzzing.
So what is fuzzing and how does it work?
What Is Fuzzing?
Fuzzing is an automated software testing technique that attempts to find vulnerabilities by feeding the software large numbers of random or unexpected inputs and observing how it responds.
Software often behaves unpredictably when it receives an input other than the one it expects. Fuzzing is the practice of entering large amounts of unexpected inputs and recording what happens. The tester then monitors the software and determines whether or not any vulnerabilities are present.
Fuzzing is used by developers to test software products and by security professionals to determine whether a network is secure. It is also used by hackers, who fuzz software to find vulnerabilities that they themselves can exploit.
The vulnerabilities discovered by fuzzing vary widely. An unexpected input may cause the software to simply crash. But it may also return private information or allow the user to access parts of the software that would otherwise be off limits.
What Are the Advantages of Fuzzing?
Fuzzing is just one of many ways that software products can be tested for vulnerabilities. It’s popular because:
- Fuzzing is entirely automated. Once a fuzzing program is set up, it can continue to look for vulnerabilities without human input.
- Fuzzing may find vulnerabilities that other software testing techniques do not. Because of this, it is often used in addition to manual techniques.
- Fuzzing is often used by hackers to find zero-day vulnerabilities. Using the same techniques as hackers allows developers to find zero-day vulnerabilities before they do.
How Does Fuzzing Work?
A tool used for fuzzing typically has three components. They are often referred to as a poet, a courier, and an oracle.
The poet starts the process and is responsible for generating a test case. A test case is a long list of potential inputs.
The courier feeds the inputs to the targeted software. Fuzzers are designed to do this automatically, allowing large amounts of inputs to be tested in bulk.
The oracle checks whether any of the inputs cause the software to behave in a way other than it was designed to. If fuzzing is being carried out for legitimate purposes, the behavior can then be replicated and fixed. Or, if fuzzing is being carried out by a hacker and the unexpected behavior is useful, it may be used for malicious purposes.
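The three components above, as an added example that is not part of the original article. The target is a constructed toy parser with a deliberate bug (it trusts a declared length field); the poet mutates a valid seed record, the courier feeds each input to the parser, and the oracle records every outcome other than a clean result or the parser's documented rejection. All names here are hypothetical.

```python
import random

# Constructed toy target: a record is one declared-length byte followed by
# the payload; the parser returns the last payload byte as a "checksum".
# It trusts the declared length rather than the data it actually received,
# so a truncated record makes it read out of bounds (the bug to be found).
def parse_record(data: bytes) -> int:
    if not data:
        raise ValueError("empty record")      # the documented rejection
    declared = data[0]
    payload = data[1:1 + declared]
    return payload[declared - 1]              # IndexError when truncated

def poet(seed: bytes, count: int, rng: random.Random) -> list:
    """Poet: build a test case (a list of inputs) by mutating a valid seed."""
    cases = []
    for _ in range(count):
        buf = bytearray(seed)
        op = rng.choice(("flip", "truncate", "extend"))
        if op == "flip":
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == "truncate" and len(buf) > 1:
            del buf[rng.randrange(1, len(buf)):]
        else:
            buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
        cases.append(bytes(buf))
    return cases

def courier_and_oracle(cases, target) -> list:
    """Courier: feed each input to the target. Oracle: record every outcome
    that is neither a clean result nor the documented ValueError rejection."""
    findings = []
    for case in cases:
        try:
            target(case)
        except ValueError:
            continue                          # expected, well-handled input
        except Exception as exc:              # unexpected: a crash to fix
            findings.append((case, type(exc).__name__))
    return findings

def run_fuzz(seed: bytes = b"\x03abc", count: int = 500, rng_seed: int = 1):
    """Run the whole pipeline once with a fixed RNG seed so results repeat."""
    rng = random.Random(rng_seed)
    return courier_and_oracle(poet(seed, count, rng), parse_record)

if __name__ == "__main__":
    for case, err in run_fuzz()[:5]:
        print(err, case)
```

Each finding is a concrete input that reproduces the crash, which is what a developer needs to replicate and fix the bug.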
How Do Attackers Use Fuzzing?
Fuzzing is a popular technique among hackers because it allows them to find vulnerabilities in software without access to the source code. Because fuzzing is automated, it’s also easy to perform. If a hacker discovers a vulnerability, they may be able to perform the following attacks.
If fuzzing discovers that certain inputs take a long time to process, this information can be used to launch a DDoS attack. A DDoS attack involves sending so many requests to a system that it stops functioning. Fuzzing allows requests to be tailored so that each one consumes the most system resources to process.
An SQL injection attack is when malicious SQL statements are sent to an application. If the application does not properly sanitize its inputs, these statements can reach the database and allow an attacker to interact with it. This may allow them to steal data or modify it. Fuzzing is an effective tool for attempting large amounts of SQL statements and determining whether any produce a response that indicates the injection succeeded.
A buffer overflow attack is when more data is written to a program’s buffer than it can hold. In this scenario, it’s possible for a hacker to cause that program to execute malicious code. This can be used to steal data or to gain unauthorized access. Fuzzing is used to find inputs that cause a buffer overflow to occur.
Types of Fuzzing
Fuzzing tools can be classified based on both how test cases are generated and how much is known about the system.
Dumb vs. Smart
Dumb fuzzing simply sends large amounts of random inputs. It doesn’t choose the inputs that are most likely to be accepted by the application. This makes it easy to implement without knowing anything about the software; however, it is also highly inefficient, as most inputs will be rejected.
Smart fuzzing generates inputs that the application is likely to accept. It requires that the user understand what input format is acceptable and then generate large amounts of inputs within that format. Smart fuzzing requires more effort and product knowledge to implement, but it is significantly more efficient.
Mutational vs. Generational
Mutational fuzzers take an input that was previously accepted and make minor changes to it. This produces inputs that are likely to be accepted without requiring knowledge of the accepted format.
Generational fuzzers create entirely new inputs based on what’s known about the accepted format.
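The efficiency difference between the strategies in the two sections above, as an added example that is not part of the original article. The target format is a constructed one (a config line such as "ab=12;cd=34", described by a regular expression); the example measures what fraction of inputs each strategy produces that the format accepts. Function and format names are hypothetical.

```python
import random
import re
import string

# Constructed target format: lowercase keys with integer values, separated
# by semicolons, e.g. "ab=12;cd=34". Only inputs matching it are "accepted".
FORMAT = re.compile(r"^[a-z]+=[0-9]+(;[a-z]+=[0-9]+)*$")
ALPHABET = string.ascii_lowercase + string.digits + "=;"

def dumb_input(rng):
    """Dumb fuzzing: random characters with no knowledge of the format."""
    return "".join(rng.choice(ALPHABET) for _ in range(rng.randrange(5, 13)))

def mutational_input(rng, seed="ab=12;cd=34"):
    """Mutational fuzzing: replace one character of a known-good seed."""
    i = rng.randrange(len(seed))
    return seed[:i] + rng.choice(ALPHABET) + seed[i + 1:]

def generational_input(rng):
    """Generational (smart) fuzzing: build each input from the format
    itself, deliberately choosing boundary values such as huge numbers."""
    pairs = []
    for _ in range(rng.randrange(1, 4)):
        key = "".join(rng.choice(string.ascii_lowercase)
                      for _ in range(rng.randrange(1, 4)))
        value = rng.choice(["0", "1", str(rng.randrange(10 ** 9)), "9" * 40])
        pairs.append(f"{key}={value}")
    return ";".join(pairs)

def acceptance_rates(samples=1000, rng_seed=7):
    """Fraction of inputs the format accepts, per strategy (fixed RNG seed)."""
    rng = random.Random(rng_seed)
    strategies = {"dumb": dumb_input, "mutational": mutational_input,
                  "generational": generational_input}
    rates = {}
    for name, make in strategies.items():
        accepted = sum(bool(FORMAT.match(make(rng))) for _ in range(samples))
        rates[name] = accepted / samples
    return rates

if __name__ == "__main__":
    for name, rate in acceptance_rates().items():
        print(f"{name:13s} accepted {rate:.0%}")
```

Dumb inputs are almost all rejected before they exercise any parsing logic, mutations of a valid seed get much further, and format-aware generation is accepted every time while still probing edge values.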
White Box vs. Black Box
Black box fuzzing is used without any information about the application being tested. It is less effective than white box fuzzing but can be applied to any application without access to the source code. This makes it popular among hackers.
White box fuzzing uses information about the application being tested to create inputs that are most likely to be accepted and produce vulnerabilities. It is primarily used by software developers because it is more effective than black box fuzzing.
Fuzzing is a powerful software testing method that’s used by software developers, security professionals, and hackers. It requires minimal effort to implement and is capable of finding vulnerabilities that other software testing techniques do not.
It is particularly important from a security standpoint because it is often used to discover zero-day vulnerabilities. These vulnerabilities can either be discovered and fixed by security professionals, or discovered and exploited by hackers.