Fully Automated Fuzzing of Web Applications and Services
By Skyler Onken
Table of Contents
Who am I?
What is Fuzzing?
Usual Targets
Techniques
Results
Limitations
Why Fuzz?
“Fuzzing the Web”?
Desired Solution
Solution
Enumeration Engine
Fuzzing Engine
Client
Demo
Remaining Issues
Future Improvements
Q/A
Who am I?
Skyler Onken
BYU-Idaho Student (CIT)
Contingent Staff w/ LDS Church (QA)
Penetration Tester w/ SecureGossip Initiative
Security Trainer @ BYU-Idaho Linux User Group
Security+, CEH, ECSA
http://securityreliks.securegossip.com
What is Fuzzing?
OWASP Definition: “Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.”
http://www.owasp.org/index.php/Fuzzing
What is Fuzzing?
Wikipedia: “Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted.”
http://en.wikipedia.org/wiki/Fuzz_testing
What is Fuzzing?
Synonyms
Robustness Testing
Syntax Testing
Negative Testing
White-Noise Testing
Usual Targets
File Formats
Network Protocols
Trust Boundary Crossing Software
Desktop Applications
Client Software
Web Applications
Web Services
Techniques
Specification-based
Random data
PRNG
Bit flipping
Results
Crashes
Memory Leaks
Assertion Failures
Buffer (Stack and Heap based) Overflows
Parsing Errors
Limitations
Find simple bugs
Black-Box
Strong dependency on seed
Why Fuzz?
Another point of view of testing
If it's automated, why not?
Recent Fuzzing Successes:
Apple Wireless flaw DoS (MOKB-30-11-2006)
Month of Browser Bugs:
▪ IE: 25
▪ Safari: 2
▪ Firefox: 2
▪ Opera: 1
▪ Konqueror: 1
“Fuzzing the Web”?
Enumeration
▪ Massively deep and expansive
Ajax Problem
▪ Most elements can be bound to dynamic action
Results
▪ Detecting errors is difficult beyond checking return code
▪ Possibly use baselines?
“Fuzzing the Web”?
Rune Hammersland pioneered semi-automation
Join together enumeration and fuzzing
The AJAX problem
Frameworks exist, but lack functionality
▪ Peach
▪ Sulley
▪ RFuzz
Some tools exist, but not automated
▪ Spike
▪ WSFuzz
▪ JBroFuzz
▪ Wfuzz
Desired Solution
Easily and Fully Automated
Web Applications and Services
Reproducible Errors
Easy Reporting
“Fire and Forget”
AJAX
Solution
Client/Applet
▪ Enumeration engine
▪ Fuzzer
Server
Enumeration Engine
Detects target type (app, soap, rest)
Will generate variations of enumerated test cases:
Crawljax (applications)
▪ Implements Selenium WebDriver
▪ Programmatically define HTML tags to exercise
▪ http://my.webapp.here/func?var1=normalValue&var2=normalValue
SoapUI API (services)
▪ Enumerates the WSDL/WADL for operations/resources
Enumeration Engine
[Diagram: Enumeration Engine. Components shown: Web Application, SOAP, Crawler, Fuzzer, Test Cases]
Fuzzing Engine
Modular
▪ Enables intelligence
Utilizes RC4
▪ Reproducible
Handles requests and results
▪ Results: != 200
▪ Output to file; Database pending.
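The Techniques slide (random data, PRNG, bit flipping) and this Fuzzing Engine slide (RC4 for reproducibility, results flagged when the status is != 200, baselines as a possible improvement) can be tied together in one small harness. The code below is an added example written for this transcript; it is not code from the talk or from the fuzzops project. It assumes that "Utilizes RC4 / Reproducible" means an RC4 keystream used as a seeded PRNG, so the same key replays the same test cases. The `BAD_CHARS` list, the `fake_target` stand-in for the web application, the seed URL and the function names are all constructed for the example; a real run would replace `fake_target` with an HTTP client.

```python
"""Seeded, reproducible fuzzing of URL query parameters with baseline checks.

Added example, not the fuzzops project's code. Assumptions: RC4 keystream
used only as a deterministic PRNG; a constructed in-process stand-in for the
web target instead of real HTTP requests.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class RC4Stream:
    """RC4 keystream generator used purely as a seeded PRNG.

    Same key => same byte sequence => same test cases, so a finding can be
    replayed from its seed. Not used for encryption here (RC4 is broken as a cipher).
    """

    def __init__(self, key: bytes):
        s = list(range(256))
        j = 0
        for i in range(256):  # key-scheduling algorithm
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def next_byte(self) -> int:
        s = self.s
        self.i = (self.i + 1) & 0xFF
        self.j = (self.j + s[self.i]) & 0xFF
        s[self.i], s[self.j] = s[self.j], s[self.i]
        return s[(s[self.i] + s[self.j]) & 0xFF]

    def next_int(self, n: int) -> int:
        """Uniform integer in [0, n) via rejection sampling (no modulo bias)."""
        limit = 65536 - (65536 % n)
        while True:
            v = (self.next_byte() << 8) | self.next_byte()
            if v < limit:
                return v % n


# Constructed sample of a "bad chars" module: bytes that commonly trip
# parsers, escaping code and query handling.
BAD_CHARS = b"'\"<>&%\x00\r\n\\"


def mutate(value: bytes, rng: RC4Stream) -> bytes:
    """Produce one malformed variant of a normal parameter value."""
    buf = bytearray(value) if value else bytearray(b"A")  # copy; never mutate the seed
    strategy = rng.next_int(3)
    if strategy == 0:                      # bit flipping
        pos = rng.next_int(len(buf))
        buf[pos] ^= 1 << rng.next_int(8)
    elif strategy == 1:                    # bad-character injection
        pos = rng.next_int(len(buf) + 1)
        buf.insert(pos, BAD_CHARS[rng.next_int(len(BAD_CHARS))])
    else:                                  # oversized input
        buf = buf * (4 + rng.next_int(16))
    return bytes(buf)


def generate_cases(seed_url: str, key: bytes, per_param: int = 3) -> list:
    """Fuzz one parameter at a time, keeping the others at their normal values
    (the enumeration engine's http://host/func?var1=normal&var2=normal shape)."""
    rng = RC4Stream(key)
    parts = urlsplit(seed_url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    cases = []
    for target, (_, normal) in enumerate(params):
        for _ in range(per_param):
            fuzzed = mutate(normal.encode(), rng)
            query = [(n, fuzzed if i == target else v) for i, (n, v) in enumerate(params)]
            cases.append(urlunsplit(parts._replace(query=urlencode(query))))
    return cases


def fake_target(url: str):
    """Constructed stand-in for the web application under test (no network).
    Behaves like a handler that fails on embedded NULs and oversized values."""
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if "\x00" in value:
            return 500, "NullPointerException"
        if len(value) > 40:
            return 500, "buffer too long"
    return 200, "ok"


def run(seed_url: str, key: bytes, per_param: int = 3, send=fake_target) -> list:
    """Flag status != 200 (the deck's rule) plus any body that deviates from
    the baseline response of the un-fuzzed request."""
    _, base_body = send(seed_url)
    findings = []
    for case in generate_cases(seed_url, key, per_param):
        status, body = send(case)
        if status != 200 or body != base_body:
            findings.append((case, status, body))
    return findings


if __name__ == "__main__":
    SEED_URL = "http://my.webapp.here/func?var1=normalValue&var2=normalValue"
    for case, status, body in run(SEED_URL, key=b"run-42"):
        print(status, body, case)
```

Because every case is derived from the key and the seed URL alone, a report only needs to store those two values (plus the index of the failing case) for an error to be reproduced later, which is what the deck's "Reproducible Errors" goal asks for. The baseline comparison catches responses that return 200 but with a different body, the gap the "Possibly use baselines?" bullet points at.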
Fuzzing Engine
[Diagram: Fuzzing Engine. Components shown: Controller, Module 1, Module 2, Module 3, Bad Chars, Web Server, Client]
Client
Java Applet
DEMO
Remaining Issues
JVM Memory
Seed
Captchas
Automated Analysis
Future Improvements
Smarter Fuzzing
Automated Analysis
REST Dictionary Support
DB
http://code.google.com/p/fuzzops/
Any Questions?