What is Fuzz Testing?(收藏)
Fuzz testing or Fuzzing is a software testing technique, often used to discover security weaknesses in applications and protocols. The basic idea is to attach the inputs of a program to a source of random or unexpected data. If the program fails (for example, by crashing, or by failing in-built code assertions), then there are defects to correct. It should be noted that the majority of security vulnerabilities, from buffer overflows to cross-site scripting attacks, are generally the result of insufficient validation of user-supplied input data. Bugs found using fuzz testing are frequently severe, exploitable bugs that could be used by a real attacker. This has become even more true as fuzz testing has become more widely known, as the same techniques and tools are now used by attackers to exploit deployed software. This is a major advantage over binary or source auditing, or even fuzzing’s close cousin, fault injection, which often rely on artificial fault conditions that are difficult or impossible to exploit.
Fuzzing Tools
The
following tools and testing frameworks are used by professional
penetration testers when performing a blackbox assessment of a network,
server or application. If you would like to learn more about the
black-box assessment methodology or to find out how to use fuzz-testing
techniques for your application, please contact a Hacksafe senior
consultant.
1. Fuzzer API’s and Frameworks
SPIKE - SPIKE
is an attempt to write an easy to use generic protocol API that helps
reverse engineer new and unknown network protocols. It features several
working examples. Includes a web server NTLM Authentication brute forcer
and example code that parses web applications and DCE-RPC (MSRPC).
Scratch
- Scratch is an advanced protocol destroyer (”fuzzer”) which can
routinely find a wide variety of vulnerabilities from a simple packet.
scratch does complex parsing of binary files to determine what to fuzz
with what data. scratch also comes with a framework for fuzzing binary
protocols such as SSL and SMB.
LXAPI - Library Exploit API - A
selection of python methods designed for bugtesting and exploitation of
local and remote vulnerabilities. It includes a fuzz testing compenent,
miscellaneous shellcode methods and a simple GUI. LxAPI is currently a
work-in-progress.
PEACH - Peach Fuzzer Framework - Peach is a
cross-platform fuzzing framework written in Python. Peaches main goals
include: short development time, code reuse, ease of use, and
flexability. Peach can fuzz just about anything from .NET, COM/ActiveX,
SQL, shared libraries/DLL’s, network applications, web, you name it!
antiparser
- antiparser is a fuzz testing and fault injection API. The purpose of
antiparser is to provide an API that can be used to model network
protocols and file formats by their composite data types. Once a model
has been created, the antiparser has various methods for creating random
sets of data that deviates in ways that will ideally trigger software
bugs or security vulnerabilities. Requires Python 2.3 or later.
Autodafe
- Autodafe is a fuzzing framework that can be used to identify boundary
validation and other issues in protocols and applications. Written by
Martin Vuagnoux.
dfuz - a remote protocol fuzzer/triggerer which
can do many things such as sending random data/random sizes, together
with the data you want. it has alot of ways to tell the program to use
this data by using rule files which will be later parsed by the program
itself, and with several options and ways to make it very specific, and
very flexible. It’s not only a remote protocol fuzzer as itself, but it
is a scripting-like motor on which you can create any kind of payload.
User-friendly.
Web Application Fuzzing Tools
MielieTool -
MielieTool v.1.0 is an easy to use Perl based web application fuzzer.
It supports fuzzing of CGIs in forms and links and supports multiple
sites. Requires HTTrack, Lynx, grep, find, and rm.
Wapiti -
Wapiti is a fuzz tester for web applications, and version 1.1.1 was
recently released to the public. Wapiti scans the frontend of the target
application and identifies all the expected user inputs. It then runs a
series of tests against each variable, such as injecting punctuation
and special characters, and looks for unexpected output from the
application. Wapiti can be used to automate the discovery of SQL and
code injection attacks, cross-site scripting and directory traversal
vulnerabilities.
WebFuzzer - WebFuzzer is a web application
fuzzer that checks for remote vulnerabilities such as sql injection,
cross site scripting, remote code execution, file disclosure, directory
traversal, php includes, shell escapes and insecure perl open() calls.
SPI
WebInspect - The commercial SPI WebInspect toolkit provides a
professional Web fuzzing tool known as SPI Fuzzer. SPI ToolKit users
benefit from a commercially supported product that ensures reliability,
updates, and ease-of-use.
cfuzzer - A simple C-source fuzzer to test for HTTP chunked encoding issues in clients and servers.
Browser Fuzzing Tools
MangleMe
- A simple fuzzer for generating odd HTML tags - it will also
autolaunch a browser. Mangle found the infamous IE IFRAME bug.
AxMan
- AxMan is a web-based ActiveX fuzzing engine. The goal of AxMan is to
discover vulnerabilities in COM objects exposed through Internet
Explorer. Since AxMan is web-based, any security changes in the browser
will also affect the results of the fuzzing process. This allows for a
much more realistic test than other COM-based assessment tools. AxMan is
designed to be used with Internet Explorer 6 only.
COMRaider -
COMRaider is a tool designed to fuzz COM Object Interfaces. COMRaider
includes capability to easily enumerate safe for scripting objects,
ability to scan for COM objects by path, filename, or guid; integrated
type library viewer; integrated debugger to monitor exceptions, close
windows,log api; external vbs script allows you to easily edit fuzzer
permutations; built in webserver to test exploits on the fly;
distributed auditing mode to allow entire teams to work together;
ability to upload crash files to central server for group analysis;
automation tools allowing you to easily fuzz multiple libraries,
individual classes, or specific functions.
TagBruteForcer -
TagBruteForcer is a client-side security tool designed to find overflows
in applications that can be opened by default within Internet Explorer.
It also includes basic functionality for testing ActiveX objects or
Internet Explorer itself.
Hamachi - Hamachi is a
community-developed utility for verifying browser integrity, written by H
D Moore and Aviv Raff. Hamachi will look for common DHTML
implementation flaws by specifying common “bad” values for method
arguments and property values.
Service and Protocol Fuzzing Tools
SNMPFuzzer
- SNMP fuzzer uses Protos test cases with an entirely new engine
written in Perl. It provides efficient methods of determining which test
case has caused a fault, offers more testing granularity and a
friendlier user interface.
FTPFuzz - FTPFuzz is a simple
GUI-based fuzzer for testing FTPD server implementations. It allows the
user to specify FTP commands and parameters to fuzz, and the pattern of
test strings to use for each case. Remotely exploitable vulnerabilities
in many popular FTP services have been discovered using this utility.
PROTOS
- The PROTOS project researches different approaches of testing
implementations of protocols using black-box (i.e. functional) testing
methods. The goal is to support pro-active elimination of faults with
information security implications. Numerous PROTOS test cases have been
provided for assessment: WAP fuzzers, LDAP and SNMP fuzzers, DNS fuzzers
and more.
IRCfuzz - Digital Dwarf Society: fuzzing tool for IRC clients.
iCalFuzz - Digital Dwarf Society: fuzzing tool for the iCal calendar format.
tftpFuzz - Digital Dwarf Society: fuzzing tool for the tftp protocol.
dhcpFuzz - Digital Dwarf Society: fuzzing tool for the dhcp protocol.
SMTPFuzzer - BlackOps SMTP Fuzzing utility can be used to find weaknesses in server implementations of the SMTP protocol.
RIOT
and Faultmon - RIOT testing utility and Faultmon exception catcher. May
be used for attacking plain text protocols (Telnet, HTTP, SMTP). Used
by Riley Hassell when he worked at eEye to discover the IIS .printer
overflow and included in The Shellcoder’s Handbook.
TCP/IP Fuzzing Tools
Fuzzball2
- Fuzzball2 is a little fuzzer for TCP and IP options. It sends a bunch
of more or less bogus packets to the host of your choice.
ISIC -
ISIC is a suite of utilities to exercise the stability of an IP Stack
and its component stacks (TCP, UDP, ICMP et. al.) It generates piles of
pseudo random packets of the target protocol. The packets be given
tendancies to conform to. Ie 50% of the packets generated can have IP
Options. 25% of the packets can be IP fragments - but the percentages
are arbitrary and most of the packet fields have a configurable
tendancy. The packets are then sent against the target machine to either
penetrate its firewall rules or find bugs in the IP stack. ISIC also
contains a utility generate raw ether frames to examine hardware
implementations.
ip6sic - ip6sic is a tool for stress testing an
IPv6 stack implementation. It works in a way much similar to ISIC
above. It was developed mainly on FreeBSD and is known to work on
OpenBSD and Linux. Theoretically, it should work wherever libdnet works.
Other Fuzz Testings Tools
SyscallFuzz - A System Call Fuzzer for Linux. C Source provided.
Socket Fuzzer - A socket/file descriptor fuzzing tool for Unix. C Source provided.
Mangle
- Trivial binary file fuzzer by Ilja van Sprundel. It’s usage is very
simple, it takes a filename and headersize as input. It will then change
between 0 and 10% of the header with random bytes. May be useful to
testers with some scripting experience.
FileFuzz - A file format fuzzer for Windows PE binaries from iDefense.
SPIKEFile
- SPIKEfile is a Linux based file format fuzzing tool, based on SPIKE
2.9. It was designed to automate the launching of applications and
detection of exceptions caused by fuzzed files. It uses standard SPIKE
scripts to generate files and utilizes ptrace to pick up interesting
signals and dump register state.
FuzzyFiles - File fuzzer
written by Reed Arvin. Creates multiple variations of a file - useful
for finding local application flaws.
FuzzySniffandSend - Packet
sniffer and replayer written by Reed Arvin. Can be used to capture data
on the wire, modify it in various ways and resend to the target. Used to
test for protocol and application vulnerabilities.
radiusfuzzer - A Radius protocol fuzzer written in C, by Thomas Biege of the SuSe Security Team.
msn fuzzer - C source code for a simple MSN protocol fuzzer. May be used to discover vulnerabilities in MSN client software.
Mistress
- Mistress in an ‘Application Sadism Environment’ and can also be
called a fuzzer. It is written in Python and was created for probing
file formats on the fly and protocols with malformed data, based on
pre-defined patterns. It is recommended that the project site be visited
for further documentation and use cases.
If you have any tools
you wish to contribute to this list, please email us! We will update
this post as new fuzzers are released to the public.