Organizations are increasingly adopting security practices to ensure the quality and robustness of their applications. One challenge that remains open is finding unknown, or zero-day, vulnerabilities. Today, most tools focus on finding vulnerabilities through known attack patterns or by querying vulnerability databases. In September 2021, ForAllSecure hosted a webinar on the fundamentals of fuzz testing.
Alexander Brewer, ForAllSecure Solutions Engineer, helps organizations discover how to uncover critical unknown vulnerabilities in code with a technique known as fuzz testing. Below are the top three takeaways from The Fuzzing Fundamentals with Mayhem webinar.
What is fuzz testing?
Fuzz testing is a dynamic application security testing (DAST) technique for negative testing. It works by sending malformed input to an application with the aim of triggering bad behavior, such as crashes, endless loops, and/or memory leaks. These abnormal behaviors often indicate an underlying, previously unknown software vulnerability.
According to researchers, the most effective technique for uncovering some of the most infamous vulnerabilities, such as Heartbleed, is a solid series of negative tests (i.e. fuzz tests).
Finding vulnerabilities in software is like exploring a maze
“In computer science, code often represents programs as ordered trees. Crossing the paths of each tree could be thought of as crossing the paths of the maze, where some entrances lead to correct behavior, some entrances do not go anywhere, and some entrances lead to bad behavior. These entries can be thought of as directions in the maze, and when the program runs, it begins to follow the directions of the maze,” says Brewer.
However, the biggest challenge is exploring the maze effectively. This is where the notion of a minimum set comes into play. The minimum set is valuable because it is the smallest set of inputs needed to cover every behavior the program exhibits. Keeping this set small is essential for effective and efficient analysis, a desirable property as organizations move towards CI/CD.
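The following is an added illustration, not code from the webinar, ForAllSecure or Mayhem: a constructed toy parser with a deliberately missing length check, a coverage-guided mutational fuzzer that keeps only inputs reaching new behavior, and a greedy set-cover routine that reduces the corpus to the minimum set described above. All function names (`target`, `behaviours`, `minimize`, `fuzz`) are assumptions for this example.

```python
import random
import sys

def target(data: bytes) -> str:
    """Constructed toy parser (magic byte, length byte, UTF-8 payload); it lacks a length check on purpose."""
    if data[0] != ord("M"):  # expected magic byte; IndexError on empty input is the planted bug
        return "bad-magic"
    length = data[1]  # IndexError on one-byte input, same planted bug
    return data[2:2 + length].decode()  # UnicodeDecodeError on a non-UTF-8 payload

def behaviours(data: bytes) -> frozenset:
    """Run target under a line tracer; return the lines it executed plus how the run ended."""
    hits = set()
    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is target.__code__:
            hits.add(frame.f_lineno)
        return tracer
    sys.settrace(tracer)
    try:
        target(data)
        hits.add("exit:normal")
    except Exception as exc:  # an uncaught exception is recorded as its own behaviour: a "crash"
        hits.add("exit:" + type(exc).__name__)
    sys.settrace(None)
    return frozenset(hits)

def minimize(corpus):
    """Greedy set cover: the fewest inputs that together still reproduce every observed behaviour."""
    cov = {d: behaviours(d) for d in corpus}
    remaining, minset = set().union(*cov.values()), []
    while remaining:  # each pick adds at least one behaviour not yet covered
        best = max(cov, key=lambda d: len(cov[d] & remaining))
        minset.append(best)
        remaining -= cov[best]
    return minset

def fuzz(seed=b"M\x02ab", rounds=500, rng_seed=1):
    """Coverage-guided mutation: a child is kept only if it reaches a new set of behaviours."""
    rng, corpus, seen = random.Random(rng_seed), [seed], {behaviours(seed)}
    for _ in range(rounds):
        child = bytearray(rng.choice(corpus)) or bytearray(seed)  # never start from an empty input
        for _ in range(rng.randint(1, min(4, len(child)))):  # stack a few mutations per child
            if rng.random() < 0.5:  # overwrite one byte, preferring boundary values
                child[rng.randrange(len(child))] = rng.choice([0, 1, 0x7F, 0xFF, rng.randrange(256)])
            else:  # delete one byte
                del child[rng.randrange(len(child))]
        if (hits := behaviours(bytes(child))) not in seen:  # a new corridor of the maze: keep it
            seen.add(hits)
            corpus.append(bytes(child))
    return minimize(corpus)
```

Calling `fuzz()` returns the minimum set: one input per distinct path through the parser, including the inputs that crash it, which is exactly what a CI job would want to re-run on every commit.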
Fuzz testing is happening all around us
Believe it or not, fuzz testing happens all the time.
- It can happen unintentionally, for example when a user mistakenly tries to use a program in a way it was not intended to be used – these are robustness or security issues.
- It can happen maliciously, when a bad actor intentionally sends a malformed input that they know will cause the program to fail or crash in some way – this is a security issue.
Fuzz testing allows testers to answer the following questions before attackers have a chance: If adversaries were trying to break your system, how would they do it? What could they possibly find? What would they exploit?
Interested in watching the full session? Fuzzing Fundamentals training is available every two months. Keep an eye on our Events page for the next session.
This is a syndicated Security Bloggers Network blog post based on the latest blog posts written by Tamulyn Takakura. Read the original post at: https://forallsecure.com/blog/the-fundamentals-of-fuzz-testing