Q

Using fuzzer tools to find vulnerabilities

Fuzzers are excellent tools for finding vulnerabilities in your software. They can be used legitimately by a developer or maliciously by a hacker. Expert Brad Arkin explains how to use fuzzers in order to enhance security.

What are "fuzzing" tools and what do they do? If hackers are using them, can they be used for security?

A fuzzing tool or fuzzer is a software test tool used to probe for security vulnerabilities. Fuzzers generate and submit a large number of inputs to the test target with the goal of identifying inputs that produce malicious or interesting results. For example, a fuzzer testing the login screen for a Web application would submit hundreds or even thousands of login attempts with a variety of potentially malicious input strings including...

cross-site scripting (XSS), SQL injection, and very long inputs.

The fuzzer records the response of the application to each input for the tester (or attacker) to review later. A fuzzing tool is one of the first steps in the test process and is followed up by further manual testing guided by the output of the fuzzer.

 Software security tools:
Fuzzing: Brute Force Vulnerability Discovery -- Chapter 12, Fuzzing Frameworks

Web application security testing reaches new level

Want secure software? Think like an attacker

Fuzzers are a great tool to use when trying to discover security vulnerabilities. This makes them valuable to attackers as well as software developers and legitimate testers. A good security test plan will specify when and how fuzzers and other automated security test tools should be employed.

Fuzzers can help find and fix security bugs during the development and test phase when it is much cheaper to do so. This is much better than waiting for an attacker to find the security vulnerabilities after the software is released to production.

This was first published in July 2006

Dig deeper on Building security into the SDLC (Software development life cycle)

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSOA

TheServerSide

SearchCloudApplications

SearchAWS

SearchBusinessAnalytics

SearchFinancialApplications

SearchHealthIT

Close