Fuzz testing is a form of black box testing where large amounts of data in varying formats are sent to the inputs of a program. The simplest example is sending data to a Web application through a Web request.
- A URL is requested from the Web application.
- The fuzzer parses out all of the form fields used by the application.
- The fuzzer generates a new request in the form of a GET or POST to the Web application that contains the fuzz data filled into the form fields.
- The Web application's response is logged.
The fuzz data contains the data used in known attack patterns. Examples are single quotes (') for the SQL injection attack pattern, format string characters (%n%s) for the format string attack pattern, and long strings (10,000 'A' characters) for the buffer overflow attack pattern.
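The four steps above and the fuzz strings just listed, as an added example that is not part of the original article: a small Python form fuzzer that parses a constructed sample page, builds one GET or POST per form field per attack pattern, and logs the status returned by a mock application standing in for the Web application under test. The form parser, request builder, sample page and mock application are all assumptions of this example, not code from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

# Fuzz strings for the three attack patterns named in the text.
FUZZ_DATA = {"sql_injection": "'", "format_string": "%n%s", "buffer_overflow": "A" * 10000}


class FormParser(HTMLParser):
    """Step 2: collect the first <form>'s method and action plus every named field."""
    def __init__(self):
        super().__init__()
        self.method, self.action, self.fields = "GET", "", []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.method = (a.get("method") or "get").upper()
            self.action = a.get("action") or ""
        elif tag in ("input", "textarea", "select") and a.get("name"):
            self.fields.append(a["name"])


def build_fuzz_requests(page_html):
    """Steps 3-4: parse the form, then emit one request per field per pattern."""
    p = FormParser()
    p.feed(page_html)
    requests = []
    for field in p.fields:
        for pattern, payload in FUZZ_DATA.items():
            params = {f: "test" for f in p.fields}  # benign filler for the other fields
            params[field] = payload
            query = urlencode(params)  # encodes ' as %27 and % as %25
            if p.method == "POST":
                req = {"method": "POST", "url": p.action, "body": query}
            else:
                req = {"method": "GET", "url": f"{p.action}?{query}", "body": ""}
            requests.append({**req, "field": field, "pattern": pattern})
    return requests


def run_fuzz(page_html, send):
    """Step 5: pass each request to send(method, url, body) and log the status it returns."""
    log = []
    for req in build_fuzz_requests(page_html):
        status = send(req["method"], req["url"], req["body"])
        log.append((req["field"], req["pattern"], status))
    return log


# Constructed sample page; a real fuzzer would fetch this with a Web request (step 1).
SAMPLE_PAGE = '<form method="post" action="/login"><input name="user"><input name="pass"></form>'


def mock_app(method, url, body):
    """Constructed mock application that fails with a 500 when a field contains a quote."""
    return 500 if "%27" in body else 200
```

Running `run_fuzz(SAMPLE_PAGE, mock_app)` yields six log entries; the two single-quote requests come back as 500, which is the kind of anomaly the logged responses are reviewed for.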
To fuzz the network input of a non-Web application, the fuzzer needs to understand the protocol the application speaks. For Web applications that protocol is HTTP, so the fuzzer needs to understand URLs, GET requests and POST requests. If a mail server were being tested, the fuzzer would need to understand SMTP. If your application communicates over the network, network fuzzing is very important to perform.
You can fuzz inputs other than network inputs. A popular one is file I/O; this is called file fuzzing. File fuzzing takes a well-formed file, modifies it to insert fuzz data, and then automates driving the program to open the modified file. This is repeated with a variety of data representing different attack patterns. As with network testing, it is important for the fuzzer to understand the file format so that the file can be modified in such a way that it is still a valid file for the program to open.
A more esoteric form of fuzzing is Windows message fuzzing, known as a shatter attack. This is important for Windows client applications, such as security agents, that need to handle Windows messages properly. Other more esoteric fuzzing targets are database stored procedures and ActiveX control APIs. Anything that has an API or an input format can be fuzzed.
This was first published in April 2009