Fuzzing is a black-box software testing technique that uses automation to send malformed or semi-malformed payloads to an application in order to find implementation flaws and bugs. Fuzzing an application is not simply a matter of exploiting one specific point of it; it is also a way to gather knowledge and find potential crashes that can then be explored in depth with crafted payloads that take advantage of bad coding practices. In addition, fuzzing helps you explore an application’s deployments, infrastructure, protocols, entry points and so on.
Understanding a fuzzing scenario
The user-password authentication mechanism is still commonly used in most applications today. In brief, the application receives two user inputs (the username and the password string), which are then verified to allow the creation of a session that later grants access to other authenticated features.
Let’s take an FTP application as an example. If the username string is limited to eight bytes, the longest value it can hold is eight characters, such as infosec1 or username, as you can see below.
Figure 1: Buffer overflow vulnerability
When an automation program (the fuzzer) sends arbitrary payloads during the authentication process, it can generate many username payloads with different sizes, character sets, or even templates. If the username parameter is greater than eight bytes, a buffer overflow condition occurs and the application will crash. From here, a remote code execution vulnerability could be explored via the execution of a crafted payload.
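The scenario above as a small test harness, added here as an illustration and not taken from the original post: it models the eight-byte username field with guard bytes placed directly after it, sends usernames of increasing length to an unchecked and a length-checked handler, and reports the first length that damages the guard. The handler names, the guard value and the 32-byte arena are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define USER_MAX 8   /* username field size from the scenario above */
#define FRAME    32  /* constructed arena: field + guard + slack (assumption) */
static const unsigned char GUARD[4] = {0xDE, 0xAD, 0xC0, 0xDE}; /* constructed */

/* Unchecked handler (hypothetical): trusts the input length, like the flawed
 * server in the scenario. The cap at FRAME only keeps this demo memory-safe. */
static int user_unchecked(unsigned char *frame, const char *in, size_t n) {
    if (n > FRAME) n = FRAME;
    memcpy(frame, in, n);
    return 0;
}

/* Checked handler (hypothetical): rejects input that does not fit the field. */
static int user_checked(unsigned char *frame, const char *in, size_t n) {
    if (n == 0 || n > USER_MAX) return -1;
    memcpy(frame, in, n);
    return 0;
}

typedef int (*handler_fn)(unsigned char *, const char *, size_t);

/* Length fuzzer: sends 'A' repeated len times for len = 1..max_len and returns
 * the first length that damages the guard bytes after the field, or 0 if none. */
size_t fuzz_username(handler_fn h, size_t max_len) {
    char payload[FRAME];
    unsigned char frame[FRAME];
    if (max_len > FRAME) max_len = FRAME;
    for (size_t len = 1; len <= max_len; len++) {
        memset(frame, 0, sizeof frame);
        memcpy(frame + USER_MAX, GUARD, sizeof GUARD); /* arm the guard */
        memset(payload, 'A', len);
        h(frame, payload, len);
        if (memcmp(frame + USER_MAX, GUARD, sizeof GUARD) != 0)
            return len; /* write went past the 8-byte field */
    }
    return 0;
}

int main(void) {
    printf("unchecked: guard damaged at length %zu\n", fuzz_username(user_unchecked, 16));
    printf("checked:   guard damaged at length %zu\n", fuzz_username(user_checked, 16));
    return 0;
}
```

A result of 0 means no tested length reached past the field; any other value is the shortest username that did.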
Fuzzing is a long-established technique developed at the University of Wisconsin – Madison in 1989 by Professor Barton Miller and his students. It is a means of detecting potential implementation weaknesses that can be used to take advantage of any target. To do this, a specific fuzzer must be used, where semi-random data (Read more...)
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Pedro Tavares. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/wsA5K1z4h14/