Fully Automated Fuzzing of Web Applications and Services
Transcript of Fully Automated Fuzzing of Web Applications and Services
![Page 1: Fully Automated Fuzzing of Web Applications and Services](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815b97550346895dc99c73/html5/thumbnails/1.jpg)
Fully Automated Fuzzing of Web Applications and Services
By Skyler Onken
Table of Contents
Who am I?
What is Fuzzing?
Usual Targets
Techniques
Results
Limitations
Why Fuzz?
“Fuzzing the Web”?
Desired Solution
Solution
▪ Enumeration Engine
▪ Fuzzing Engine
▪ Client
Demo
Remaining Issues
Future Improvements
Q/A
Who am I?
Skyler Onken
BYU-Idaho Student (CIT)
Contingent Staff w/ LDS Church (QA)
Penetration Tester w/ SecureGossip Initiative
Security Trainer @ BYU-Idaho Linux User Group
Security+, CEH, ECSA
http://securityreliks.securegossip.com
What is Fuzzing?
OWASP Definition: “Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.”
http://www.owasp.org/index.php/Fuzzing
What is Fuzzing?
Wikipedia: “Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted.”
http://en.wikipedia.org/wiki/Fuzz_testing
What is Fuzzing?
Synonyms
▪ Robustness Testing
▪ Syntax Testing
▪ Negative Testing
▪ White-Noise Testing
Usual Targets
File Formats
Network Protocols
Trust Boundary Crossing Software
▪ Desktop Applications
▪ Client Software
▪ Web Applications
▪ Web Services
Techniques
Specification-based
Random data
▪ PRNG
▪ Bit flipping
Results
Crashes
Memory Leaks
Assertion Failures
Buffer Overflows (Stack and Heap based)
Parsing Errors
Limitations
Finds simple bugs
Black-Box
Strong dependency on seed
Why Fuzz?
Another point of view of testing
If it's automated, why not?
Recent Fuzzing Successes:
▪ Apple Wireless flaw DoS (MOKB-30-11-2006)
▪ Month of Browser Bugs: IE: 25, Safari: 2, Firefox: 2, Opera: 1, Konqueror: 1
“Fuzzing the Web”?
Enumeration
▪ Massively deep and expansive
Ajax Problem
▪ Most elements can be bound to dynamic action
Results
▪ Detecting errors is difficult beyond checking return code
▪ Possibly use baselines?
“Fuzzing the Web”?
Rune Hammersland pioneered semi-automation
Join together enumeration and fuzzing
The AJAX problem
Frameworks exist, but lack functionality
▪ Peach
▪ Sulley
▪ RFuzz
Some tools exist, but not automated
▪ Spike
▪ WSFuzz
▪ JBroFuzz
▪ Wfuzz
Desired Solution
Easily and Fully Automated
Web Applications and Services
Reproducible Errors
Easy Reporting
“Fire and Forget”
AJAX
Solution
Client/Applet
Enumeration engine
Fuzzer
Server
Enumeration Engine
Detects target type (app, soap, rest)
Will generate variations of enumerated test cases:
Crawljax (applications)
▪ Implements Selenium Web Driver
▪ Programmatically define HTML tags to exercise
▪ http://my.webapp.here/func?var1=normalValue&var2=normalValue
SoapUI API (services)
▪ Enumerates the WSDL/WADL for operations/resources
Enumeration Engine
Diagram labels: Web Application, Crawler, SOAP, Test Cases, Fuzzer
Fuzzing Engine
Modular
▪ Enables intelligence
Utilizes RC4
▪ Reproducible
Handles requests and results
▪ Results: != 200
▪ Output to file; Database pending.
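Added example, not code from the slides or the fuzzops project: a small Python fuzzer that ties the Enumeration Engine, Fuzzing Engine and results slides together. It derives variations of the deck's enumerated test case URL through a bad-character module and a bit-flipping module, draws every random choice from an RC4 keystream so a run replays exactly from its seed, and judges responses by the slide's != 200 rule plus the baseline comparison the earlier slide suggests. `fake_target`, `BAD_CHARS`, the seed and the response strings are constructed assumptions standing in for a real web server.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
# Added example, not fuzzops code: an RC4 keystream seeded with a fixed key drives every choice, so findings replay.
BAD_CHARS = ["'", '"', "<", ">", "\x00", "../", "%n", "A" * 1024]

def rc4_stream(key: bytes):
    """RC4 KSA + PRGA used purely as a seedable PRNG (no secrecy is claimed)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def mutate_url(url: str, seed: bytes, count: int) -> list:
    ks, parts = rc4_stream(seed), urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    cases = []
    for _ in range(count):                     # one mutated parameter per case
        name, value = params[(idx := next(ks) % len(params))]
        if next(ks) & 1 or not value:          # "bad chars" module
            value = BAD_CHARS[next(ks) % len(BAD_CHARS)]
        else:                                  # bit-flipping module
            buf = bytearray(value.encode())
            buf[next(ks) % len(buf)] ^= 1 << (next(ks) % 8)
            value = buf.decode("latin-1")
        mutated = params[:idx] + [(name, value)] + params[idx + 1:]
        cases.append(urlunsplit(parts._replace(query=urlencode(mutated))))
    return cases

def classify(status: int, body: str, baseline_body: str) -> str:
    if status != 200:                          # the slide's rule: != 200
        return "error"
    return "deviation" if body != baseline_body else "ok"   # baseline check

def fake_target(url: str):
    """Constructed stand-in for http://my.webapp.here so the example runs offline."""
    vals = [v for _, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    if any("\x00" in v or "'" in v for v in vals):
        return 500, "Internal Server Error"
    return (200, "Sorry, something went wrong") if any(len(v) > 256 for v in vals) else (200, "Welcome")

def run_campaign(url: str, seed: bytes = b"demo-seed", count: int = 40) -> list:
    """Return (test case, verdict) pairs whose response deviates from the baseline."""
    _, baseline_body = fake_target(url)
    results = [(c, classify(*fake_target(c), baseline_body)) for c in mutate_url(url, seed, count)]
    return [(c, v) for c, v in results if v != "ok"]
```

Replaying a finding needs only the seed and the case index, which is the reproducibility the RC4 choice buys; in practice the baseline body should be compared with some tolerance for dynamic content rather than by strict equality.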
Fuzzing Engine
Diagram labels: Fuzzing Engine, Controller, Module 1, Module 2, Module 3, Bad Chars, Web Server
Client
Java Applet
Client
DEMO
Remaining Issues
JVM Memory
Seed
Captchas
Automated Analysis
Future Improvements
Smarter Fuzzing
Automated Analysis
REST
Dictionary Support
DB
http://code.google.com/p/fuzzops/
Any Questions?