1 / 25

Fully Automated Fuzzing of Web Applications and Services

Fully Automated Fuzzing of Web Applications and Services. By Skyler Onken. Table of Contents. Who am I? What is Fuzzing? Usual Targets Techniques Results Limitations Why Fuzz? “Fuzzing the Web”? Desired Solution Solution Enumeration Engine Fuzzing Engine Client Demo

lok
Download Presentation

Fully Automated Fuzzing of Web Applications and Services

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Fully Automated Fuzzing of Web Applications and Services By Skyler Onken

  2. Table of Contents • Who am I? • What is Fuzzing? • Usual Targets • Techniques • Results • Limitations • Why Fuzz? • “Fuzzing the Web”? • Desired Solution • Solution • Enumeration Engine • Fuzzing Engine • Client • Demo • Remaining Issues • Future Improvements • Q/A

  3. Who am I? • Skyler Onken • BYU-Idaho Student (CIT) • Contingent Staff w/ LDS Church (QA) • Penetration Tester w/ SecureGossipInitiative • Security Trainer @ BYU-Idaho Linux User Group • Security+, CEH, ECSA • http://securityreliks.securegossip.com

  4. What is Fuzzing? • OWASP Definition: • “Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.” http://www.owasp.org/index.php/Fuzzing

  5. What is Fuzzing? • Wikipedia • “Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted.” http://en.wikipedia.org/wiki/Fuzz_testing

  6. What is Fuzzing? • Synonyms • Robustness Testing • Syntax Testing • Negative Testing • White-Noise Testing

  7. Usual Targets • File Formats • Network Protocols • Trust Boundary Crossing Software • Desktop Applications • Client Software • Web Applications • Web Services

  8. Techniques • Specification-based • Random data • PRNG • Bit flipping

  9. Results • Crashes • Memory Leaks • Assertion Failures • Buffer (Stack and Heap based) Overflows • Parsing Errors

  10. Limitations • Find simple bugs • Black-Box • Strong dependency on seed

  11. Why Fuzz? • Another point of view of testing • If its automated, why not? • Recent Fuzzing Successses: • Apple Wireless flaw DoS (MOKB-30-11-2006) • Month of Browser Bugs: • IE: 25 • Safari: 2 • Firefox: 2 • Opera: 1 • Konquerer: 1

  12. “Fuzzing the Web”? • Enumeration • Massively deep and expansive • Ajax Problem • Most elements can be bound to dynamic action • Results • Detecting errors is difficult beyond checking return code • Possibly use baselines?

  13. “Fuzzing the Web”? • Rune Hammersland pioneered semi-automation • Join together enumeration and fuzzing • The AJAX problem • Frameworks exist, but lack functionality • Peach • Sulley • RFuzz • Some tools exist, but not automated • Spike • WSFuzz • JBroFuzz • Wfuzz

  14. Desired Solution • Easily and Fully Automated • Web Applications and Services • Reproducible Errors • Easy Reporting • “Fire and Forget” • AJAX

  15. Solution Server Client/Applet Enumeration engine Fuzzer

  16. Enumeration Engine • Detects target type (app, soap, rest) • Will generate variations of enumerated test cases: • Crawljax (applications) • Implements Selenium Web Driver • Programmatically define HTML tags to exercise • http://my.webapp.here/func?var1=normalValue& var2=normalValue • SoapUI API (services) • Enumerates the WSDL/WADL for operations/resources

  17. Enumeration Engine Crawler Web Application Fuzzer Test Cases SOAP

  18. Fuzzing Engine • Modular • Enables intelligence • Utilizes RC4 • Reproducible • Handles requests and results • Results: != 200 • Output to file; Database pending.

  19. Fuzzing Engine Fuzzing Engine Controller Module 1 Bad Chars Module 2 Module 3 Web Server

  20. Client • Java Applet

  21. Client

  22. DEMO

  23. Remaining Issues • JVM Memory • Seed • Captchas • Automated Analysis

  24. Future Improvements • Smarter Fuzzing • Automated Analysis • REST • Dictionary Support • DB • http://code.google.com/p/fuzzops/

  25. Any Questions?

More Related