Ask The Software Quality Expert: Questions & Answers
What is fuzz testing? What are some ways to use fuzz testing?

EXPERT RESPONSE FROM: Chris Wysopal

QUESTION POSED ON: 07 April 2009
Could you describe some ways to use fuzz testing?



Fuzz testing is a form of black box testing where large amounts of data in varying formats are sent to the inputs of a program. The simplest example is sending data to a Web application through a Web request.

  1. A URL is requested from the Web application.
  2. The fuzzer parses out all of the form fields used by the application.
  3. The fuzzer generates a new request in the form of a GET or POST to the Web application that contains the fuzz data filled into the form fields.
  4. The Web application's response is logged.

The fuzz data contains the data used in known attack patterns. Examples are single quotes (') for the SQL injection attack pattern, format string characters (%n%s) for the format string attack pattern, long strings (10,000 character 'A') for the buffer overflow attack pattern.

To fuzz the network input of non-Web applications, there needs to be an understanding of the protocol used. For Web applications it is the HTTP protocol, so the fuzzer needs to understand URLs and POSTs and GETs. If a mail server was being tested, the fuzzer would need to understand SMTP. If your application communicates over the network, network fuzzing is very important to perform.

You can fuzz other inputs besides network inputs. A popular input is file I/O. This is called file fuzzing. File fuzzing takes a well-formed file, modifies it to insert fuzz data, and then automates driving the program to open the modified file. This is repeated using a variety of data representing different attack patterns. As with network testing, it is important for the fuzzer to understand the file format so that the file can be modified in such a way that it is still a valid file for the program to open.

Other more esoteric fuzzing is Windows message fuzzing, known as a shatter attack. This is important for Windows client applications such as security agents that need to handle Windows messages properly. Another more esoteric fuzzing program is to fuzz database stored procedures or ActiveX control APIs. Anything that has an API or an input format can be fuzzed.
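The four-step Web fuzzing loop from the answer, as an added example that is not part of the original response. The sample page, the `toy_app` stand-in for the application under test, and all function names are constructed for illustration; the fuzz strings are the three named in the answer.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, parse_qs

# Fuzz strings named in the answer: SQL injection, format string, buffer overflow.
FUZZ_DATA = {"sql_quote": "'", "format_string": "%n%s", "long_string": "A" * 10000}

# Step 1: the page returned for the requested URL (constructed sample).
SAMPLE_PAGE = """<form action="/search" method="post">
<input type="text" name="q"><input type="text" name="category">
<input type="submit" value="Go"></form>"""

class FormFieldParser(HTMLParser):
    """Step 2: collect the form's action, method and named input fields."""
    def __init__(self):
        super().__init__()
        self.action, self.method, self.fields = "/", "GET", []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action") or "/"
            self.method = (a.get("method") or "get").upper()
        elif tag in ("input", "textarea", "select") and a.get("name"):
            self.fields.append(a["name"])

def toy_app(method, path, encoded_params):
    """Constructed stand-in for the application under test (hypothetical)."""
    q = parse_qs(encoded_params, keep_blank_values=True).get("q", [""])[0]
    if "'" in q:                      # simulated unescaped quote reaching a query
        return 500, "SQL syntax error"
    if len(q) > 4096:                 # simulated failure on oversized input
        return 500, "internal error"
    return 200, "results for " + q

def fuzz(page, send):
    """Steps 3-4: one request per (field, fuzz string); log every response."""
    parser = FormFieldParser()
    parser.feed(page)
    log = []
    for field in parser.fields:
        for label, payload in FUZZ_DATA.items():
            values = {f: "test" for f in parser.fields}  # benign baseline values
            values[field] = payload                      # fuzz one field at a time
            status, text = send(parser.method, parser.action, urlencode(values))
            log.append((field, label, status, status >= 500 or "error" in text.lower()))
    return log

if __name__ == "__main__":
    for entry in fuzz(SAMPLE_PAGE, toy_app):
        print(entry)
```

Fuzzing one field at a time while the others hold benign values is what lets a flagged log entry be traced back to a single input.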
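Why the answer says a file fuzzer must understand the format, shown as an added example that is not part of the original response. The `TOYF` container (magic, 16-bit length, payload, CRC32), its parser, and the simulated defect are all constructed for illustration.

```python
import struct
import zlib

MAGIC = b"TOYF"  # constructed toy format: magic | u16 length | payload | u32 CRC32

def build(payload: bytes) -> bytes:
    """Serialize a payload with a correct length field and checksum."""
    return (MAGIC + struct.pack(">H", len(payload)) + payload
            + struct.pack(">I", zlib.crc32(payload)))

def parse(blob: bytes) -> str:
    """Stand-in for the program under test; reports how far the file got."""
    if len(blob) < 10 or blob[:4] != MAGIC:
        return "rejected: bad header"
    (length,) = struct.unpack(">H", blob[4:6])
    payload, crc = blob[6:6 + length], blob[6 + length:]
    if len(payload) != length or len(crc) != 4:
        return "rejected: bad length"
    if struct.unpack(">I", crc)[0] != zlib.crc32(payload):
        return "rejected: bad checksum"
    if len(payload) > 64:  # simulated defect: deeper code assumes <= 64 bytes
        return "reached field handler: oversized payload"
    return "ok"

def naive_mutation(valid: bytes, fuzz: bytes) -> bytes:
    """Format-blind: splice fuzz data in after the header; length and CRC go stale."""
    return valid[:6] + fuzz + valid[6:]

def format_aware_mutation(valid: bytes, fuzz: bytes) -> bytes:
    """Format-aware: put fuzz data in the payload, then rebuild length and CRC."""
    (length,) = struct.unpack(">H", valid[4:6])
    return build(fuzz + valid[6:6 + length])

def compare(fuzz: bytes) -> tuple:
    """Run both mutation styles against the parser for one fuzz string."""
    valid = build(b"hello")  # the well-formed starting file
    return parse(naive_mutation(valid, fuzz)), parse(format_aware_mutation(valid, fuzz))

if __name__ == "__main__":
    print(compare(b"A" * 10000))
```

The format-blind file is discarded by the length check and never exercises the code behind it; only the file with a rebuilt length and checksum reaches the handler where the simulated defect sits.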




All Rights Reserved, Copyright 2006 - 2009, TechTarget