Fuzzing is an automated testing technique that feeds applications with random, malformed or unexpected data. These randomly generated data will cause applications to crash, and on some rare occasions, even exploitable holes can be found, allowing attackers to connect and escalate privileges on machines.
Over the last two decades, the fuzzing technique remained one of the most important ways of finding flaws in software. Thousands of security vulnerabilities were found using this technique that wouldn’t be found otherwise.
A Brief History of Fuzzing
The term fuzz as we know was first coined in 1988 on a project by professor Barton Miller and his students at the University of Wisconsin. Their main goal was to fuzz test Unix command-line utilities.
They tried to achieve that by feeding a large number of random inputs to the applications in order for them to perform unexpected behaviors. Miller’s team was able to crash between 25 and 33 percent of all the utilities tested. Their continued work can be found on the University of Wisconsin Website
Why Fuzz your Application?
Having Pentesters to test your application can take a long time and can get really expensive, especially due to the shortage of professionals in this field. Using automated testing tools, being them commercial or open-source, can greatly reduce the time and money spent on your testing adventure.
Blackbox fuzzing is the first type of fuzzing ever used, it consists of passing a large number of random data to the application in order to achieve some unexpected behavior.
This technique has very limited effectiveness, mainly because modern applications have input sanitization and will discard inputs that aren’t in the right format.
Considering that applications might expect a specific format of data to be passed, we can make use of Grammar-Based fuzzers. These types of fuzzers can be configured to use the respective format expected by the application, like JSON, XML, and many others.
Being able to pass the right data format will ensure that your input doesn’t get discarded by the application.
Whitebox fuzzing is the most advanced type of fuzzing, while Blackbox is very limited and Grammar-based is labor-intensive, Whitebox differently from the previous options that made use of malformed data, makes use of the great amount of computational power that we have and well-formed input to test the application dynamically.
It understands what worked and what not to create different testing paths, it can traverse the application and catch bugs that couldn’t be picked by the other fuzzing techniques.
Hands-on Experiment With ffuf
For this experiment, we will be using ffuf (Fuzz Faster U Fool) to do a quick enumeration to get possible non-indexed pages from a website.
We will also use a wordlist included on SecLists. SecLists comes already bundled on BlackArch, Parrot, and Kali Linux, but can also be downloaded on its Github Repo
To get ffuf installed on your machine you will need Go 1.13 or greater, then head to the ffuf Github Repo
and follow the installation instructions.
After getting ffuf successfully installed, open your terminal and type:
ffuf -w /path/to/seclists/Discovery/Web-Content/big.txt -u https://target/FUZZ
After running this snippet, ffuf will return all the matched pages for that URL and you can even get some non-indexed ones that were supposed to be hidden.
Using ffuf allows us to do much more complex fuzzing and enumeration and I’ll be covering the tool in more depth in my next Story.
This is for educational purposes only. The use of techniques on real applications without proper authorization is a crime.