Fully Automated Fuzzing of Web Applications and Services
By Skyler Onken

Table of Contents
• Who am I?
• What is Fuzzing?
• Usual Targets
• Techniques
• Results
• Limitations
• Why Fuzz?
• “Fuzzing the Web”?
• Desired Solution
• Solution
• Enumeration Engine
• Fuzzing Engine
• Client
• Demo
• Remaining Issues
• Future Improvements
• Q/A
Who am I?
• Skyler Onken
• BYU-Idaho Student (CIT)
• Contingent Staff w/ LDS Church (QA)
• Penetration Tester w/ SecureGossipInitiative
• Security Trainer @ BYU-Idaho Linux User Group
• Security+, CEH, ECSA
• http://securityreliks.securegossip.com

What is Fuzzing?
• OWASP Definition:
  • “Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.”
  • http://www.owasp.org/index.php/Fuzzing

What is Fuzzing?
• Wikipedia
  • “Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted.”
  • http://en.wikipedia.org/wiki/Fuzz_testing

What is Fuzzing?
• Synonyms
  • Robustness Testing
  • Syntax Testing
  • Negative Testing
  • White-Noise Testing
Usual Targets
• File Formats
• Network Protocols
• Trust Boundary Crossing Software
• Desktop Applications
• Client Software
• Web Applications
• Web Services

Techniques
• Specification-based
• Random data
  • PRNG
  • Bit flipping

Results
• Crashes
• Memory Leaks
• Assertion Failures
• Buffer (Stack and Heap based) Overflows
• Parsing Errors

Limitations
• Finds simple bugs
• Black-Box
• Strong dependency on seed
Why Fuzz?
• Another point of view of testing
• If it's automated, why not?
• Recent Fuzzing Successes:
  • Apple Wireless flaw DoS (MOKB-30-11-2006)
  • Month of Browser Bugs:
    • IE: 25
    • Safari: 2
    • Firefox: 2
    • Opera: 1
    • Konqueror: 1
“Fuzzing the Web”?
• Enumeration
  • Massively deep and expansive
• Ajax Problem
  • Most elements can be bound to dynamic action
• Results
  • Detecting errors is difficult beyond checking return code
  • Possibly use baselines?

“Fuzzing the Web”?
• Rune Hammersland pioneered semi-automation
  • Join together enumeration and fuzzing
  • The AJAX problem
• Frameworks exist, but lack functionality
  • Peach
  • Sulley
  • RFuzz
• Some tools exist, but not automated
  • Spike
  • WSFuzz
  • JBroFuzz
  • Wfuzz

Desired Solution
• Easily and Fully Automated
• Web Applications and Services
• Reproducible Errors
• Easy Reporting
• “Fire and Forget”
• AJAX
Solution (architecture diagram): Server, Client/Applet, Enumeration engine, Fuzzer
Enumeration Engine
• Detects target type (app, soap, rest)
• Will generate variations of enumerated test cases:
  • Crawljax (applications)
    • Implements Selenium Web Driver
    • Programmatically define HTML tags to exercise
    • http://my.webapp.here/func?var1=normalValue&var2=normalValue
  • SoapUI API (services)
    • Enumerates the WSDL/WADL for operations/resources

Enumeration Engine (diagram): Crawler, Web Application, Fuzzer, Test Cases, SOAP
Fuzzing Engine
• Modular
  • Enables intelligence
• Utilizes RC4
  • Reproducible
• Handles requests and results
  • Results: != 200
  • Output to file; Database pending.

Fuzzing Engine (diagram): Controller, Module 1 (Bad Chars), Module 2, Module 3, Web Server
Client
• Java Applet

Remaining Issues
• JVM Memory
• Seed
• Captchas
• Automated Analysis

Future Improvements
• Smarter Fuzzing
• Automated Analysis
• REST
• Dictionary Support
• DB
• http://code.google.com/p/fuzzops/