SlideShare una empresa de Scribd logo

The Buzz about Fuzz: an Enhanced approach to Finding Vulnerabilities

Security Innovation
Security Innovation

This webcast (now in PDF format) covers several aspects of fuzz testing including the benefits of fuzz testing, what kind of results you can expect, and how it differs from other common security testing techniques

Tecnología
1 de 17
Descargar para leer sin conexión
11/16/2011 What’s the Buzz About Fuzz? An enhanced approach to uncovering vulnerabilities Joe Basirico Director, Security Servies Security Innovation About Security Innovation • Software and Crypto Security Experts – 10+ years research on vulnerabilities and cryptography – Hundreds of assessments on world’s most dominant software • Products, Services & Training – Software Assessment – Application Risk Management – SDLC Consulting – eLearning • Helping organizations: – Build internal application security competency – Roll out secure software applications and products – Reduce IT/Application Risk 1
11/16/2011 Agenda The problem fuzzing solves • Fuzz Testing Techniques • Static analysis, dynamic analysis, application scanning, and other techniques • Getting started with fuzzing • Conclusion Fuzzing Conceptualized Web Application Input HTTP Validation TCP/IP Framework 2
11/16/2011 The Problem Fuzzing Addresses • Applications accept input from many sources. We want them to: – Do the right thing when they get good input – Fail securely when they get bad input • Attackers want applications to: – Fail insecurely when they get bad input • Parsers are used to process complex application input – Parsers are notoriously buggy and difficult to write – Malicious, corrupt input can result in fireworks! – Show me an elevation of privilege bug and I bet it’s in a parser • Ok, maybe not all of them are in parsers … • Automated tools find low-hanging fruit and common vulnerabilities. What do you do next? – You need to test with the parser logic in mind. Fuzzing Defined • What is Application Fuzzing? – Technique for generating malformed data streams to expose vulnerabilities – Most effective when automated • Why do it? – Quickly assess an application’s ability to deal with large amounts of invalid data – Hackers will use fuzzing to flush out basic validation problems. You should too! – Very effective at discovering obscure weaknesses and spectacular bugs in applications. • Maybe Blaster could have been found with a fuzzer? 3
11/16/2011 Fuzzing – What Will it Find? • Helpful for finding bugs that cause erratic application behavior and server crashes – Buffer overflows – Denial of service – Parsing issues – Data handling issues • Less helpful at finding: -Elevation of privilege (EoP) - DTD attacks - Weak encryption - XML validation - Repurposing attack - Script injection - Cross-site scripting - Repudiation - Information disclosure - Session replay Getting Good Coverage is Hard • Data is composed of content and format – 1,2,3,5,7,11,13,17,19,23 • Good coverage requires: – Knowledge of the input format (protocols, file format, delimiters, etc.) – Knowledge of input validation techniques – Knowledge of side-effects – Knowledge of error paths 4
11/16/2011 Why it’s Hard • Traditional testing for a buffer overflow – Fill input with 10,000 A characters. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAA… This will only break if your application is really crappy! Why it’s Hard (cont’d) • Once low hanging fruit is gone, what do you do? – You need to test with the parser logic in mind. • Imagine you are testing an url input field… – What would you try besides a long string of A? • Replace domain and v-root: – http://aaaaaaaaaaaaaa.../aaaaaaaaaaaaaaa... • Replace protocol handler: – aaaaaaaaaaaaaaaaaaa…://www.google.com • Replace part of the domain name: – http://www.aaaaaaaaaaaaaaaaaaaa... .com • Etc… 5
11/16/2011 Wait There’s More • That was just a simple input field • What about: – Files with complex format – Network protocol with complex format and state – Programmatic interface with state and complex data types • The order of network packets or API calls matters as much as the format It Gets Worse • Error handlers – Maybe the bug is actually in an error handler? – You need to get the _right error to hit the vulnerable code • Input validation – The application may try to protect itself – Your attack must weasel through while still being dangerous 6
11/16/2011 Agenda • The problem fuzzing solves • Fuzz Testing Techniques • Static analysis, dynamic analysis, application scanning, and other techniques • Getting started with fuzzing • Conclusion Fuzz Testing • Approach – Identify Target – Identify Inputs – Generate/Execute Fuzzed Data – Monitor for Exceptions – Determine Exploitability • Define lists of "known-to-be-dangerous values" (fuzz vectors) for each type – For integers: zero, possibly negative or very big numbers – For chars: escaped, interpretable characters / instructions (ex: For SQL Requests, quotes / commands...) – For binary: random ones 7
11/16/2011 Fuzz Testing Techniques • Fuzzing Techniques – Manual Fuzzing • Intercept and modify the data by hand – Automated Fuzzing • Use a tool to generate fuzz test cases • Can be done in real-time or stored for later use • Types of Fuzzing – Random Fuzzing • Easy to implement • Randomly modify valid input and data types – Format Aware Fuzzing • More difficult to implement • Generate targeted random data to pinpoint failure spots in the software Random Fuzzing Read Open Randomly software Record Valid File with Repeat corrupt corrupt file behavior • Pros – Very fast to get started – Easy to set up – Finds low hanging fruit • Cons – Unfocused – Can generate wild border cases that you don’t care about – Can generate a large amount of data 8
11/16/2011 Format Aware Fuzzing Create a Generate Open software document with corrupt file Record a corrupt Repeat outline file behavior • Pros – Less likely to get hung up on format validation – Will greatly improve code coverage and depth of your attacks – Can target specific functionality • Input that is echoed into HTML for XSS • Input that is echoed into SQL statements for SQLi • Buffer size indicators • End of buffer tokens • Cons – Large setup costs – Assumptions about the file format may be different than actual implementation SOAP Fuzzing • Take the client requests for each service and isolate the element values to be manipulated – Change the entire value, without conforming to the value format • Should turn up gross errors or denial of service conditions – Then present the value in the correct format • Should find issues that would pass a validation gateway, but still cause problems when the data is consumed • Typical payloads used: – Character multiples - SQL Injection – Max unsigned and signed integer values - Common bad ASCII (‘ ” < >) – Variations on format strings using ‘%n’ - All numbers – Long strings - All letters – Empty strings and null values - All spaces – Extended ASCII - Invalid date formats – Binary values - Dictionaries relevant to the application – Base64 and HTML encoded values 9
11/16/2011 Web Services Fuzzing • To monitor the behavior of the web service during fuzzing – Attach a debugger on the server • To determine denial of service conditions use Perfmon to observe the process’s CPU and memory usage • In SOAP fuzzing insert a unique marker into each request, and also log each sent request – Allows you to later reproduce the condition that caused the error – i.e. place an incremented number in the User Agent value of the SOAP requests, which is readable in the IIS logs. • In addition, the randomness of fuzzing can be seeded with a value which would allow for reproducibility Web Services Fuzzing - Example • Everything between the Value tags should be fuzzed as a single blob • The string “org:division/category/DATA=DATA” will be replaced as a whole with the fuzz strings. 10
11/16/2011 Web Service Fuzzing • Next: separate values into subcomponents In addition to fuzzing strings with other strings, INT’s, byte arrays, and separator values (e.g. : and / and =) should also included The Future of Fuzzing • Use application feedback to improve test performance – Similar to manual iterative approach • Watch application and tweak input to improve code coverage – Really hard, similar to the halting problem • Use fault injection + Fuzzing to improve code coverage – Inject faults to vary the code path – Use fuzzing to target input/data validation on error paths • Multi-tier Fuzzing – Improve coverage by considering system as a whole, not just a single process on one machine – Coordinate fuzzing on specific interfaces • Client to app server • App server to DB server • Web services interface 11
11/16/2011 Agenda • The problem fuzzing solves • Fuzz Testing Techniques • Static analysis, dynamic analysis, application scanning, and other techniques • Getting started with fuzzing • Conclusion Non-Fuzzing techniques Academia, research organizations, and tools vendors have tried to solve the problem: A variety of non-fuzzing techniques were developed • Model Based Testing – Build a model of your application, test against it • Static Analysis – Automated code review • Fault Injection – Hit the error paths • Penetration Testing and Code Review – Manual effort by experts 12
11/16/2011 Model Based Testing • Solves the problem of state – E.g. I need to call MethodX before MethodY will work. • Hard to model a complex system and get the right level of detail • Can be effective but requires a significant investment Static Analysis Tools • Look for patterns of bad code, simulate running conditions and find bugs • Find a lot of the common coding errors, faster than humans – Can drastically reduce a number of bugs which may be difficult to find in black box testing • i.e. buffer overrun, encoding and dangerous function usage • Do not predict exploitability of flaws • Cannot detect certain types of vulnerabilities – E.g., Privilege escalation, cross-site scripting • Beware of False Positives – Can result in wasted effort and drain on security resources 13
11/16/2011 Web Scanners • Pros: Does a lot of the heavy lifting – Rely on a database of constantly growing known vulnerabilities – Identify common vulnerabilities faster than manual efforts – Can discover a large amount of information about a device • Misconfigurations, exposed usernames/passwords, cookie usage, vulnerable scripts • Directory/file structure, helper files, Java applets, Flash/ActiveX controls • Forms, query strings, hidden fields, input validation, header information • Cons: Scanners are just that – scanners – Limited to known vulnerabilities, many serious vulnerabilities are missed – No prioritization of vulnerabilities • Vulnerabilities on critical assets ranked identically to low value assets • False positives are time consuming to validate – May provide false sense of security Fault Injection • Simulate environmental error conditions to target error code paths – Low memory – Corrupt files – Constrained bandwidth – Missing libraries – API errors – Etc • Can be used to augment existing test suites and increase code coverage • Historically performed on hardware systems and has migrated to software • Specifically targeted at reducing application fragility in the real world 14
11/16/2011 Pen Test and Code Review • Will find the most elusive and dangerous vulnerabilities – Should be done in conjunction with tools for optimal effectiveness – Ideally performed iteratively, not just when code complete or application is compiled – Will find business logic and other flaws that tools can’t detect • Uses humans to uncover vulnerabilities – Requires expert, well-trained minds – Expensive, time-consuming – Not easily scalable Agenda • The problem fuzzing solves • Fuzz Testing Techniques • Static analysis, dynamic analysis, application scanning, and other techniques • Getting started with fuzzing • Conclusion 15
11/16/2011 Getting Started with Fuzzing • Using a Fuzzer – Prepare a correct file to input to your program. – Replace some part of the file with random data – Open the file with the program – See what breaks. • Start off with network or file fuzzing – If your application accepts file input, start here – If your application accepts network input, go there next • When to Fuzz – As soon as your code is complete, test your input/data validation – You can add simple fuzzing to your unit tests – Fuzz extensively before release: over 10,000 files Fuzz Testing Tools • Burp Suite – Intercept and fuzz network packets. Try for free, pay to unlock features • Skipfish – Use to fuzz HTTP parameters and directory names. Free, hosted by Google. • Appscan – Fuzzing and other testing features. Expensive but comprehensive • Peach – Can fuzz files, RPC, network packets, stored procedures, many others • Spike – Widely used and very flexible but requires coding skills to use • What the Fuzz – Open source, written by Security Innovation • Dozens of others – www.fuzzing.org for a large listing – http://www.owasp.org/index.php/Fuzzing for more information 16
11/16/2011 Conclusion • Fuzz testing isn't a substitute for carefully designed unit and system tests, or black/white box analysis – It’s useful because it tests your application from a perspective that's different from that of human-designed tests. • Harden your Application to Fuzz – Checksums – Grammar based formats such as XML – Verified code such as Java Application Security Services • Application Assessment • Secure SDLC Optimization • Application Portfolio Assessment Computer-Based Training • Conducting a Security Code Review • Creating Secure Code • Testing For the OWSAP Top Ten • Exploiting Buffer Overflows Contact getsecure@securityinnovation.com jbasirico@securityinnovation.com 17

Recomendados

Fuzzing with Go-Fuzz
Fuzzing with Go-FuzzFuzzing with Go-Fuzz
Fuzzing with Go-Fuzzjnewmano
 
Ditch Sandboxes for Docker
Ditch Sandboxes for DockerDitch Sandboxes for Docker
Ditch Sandboxes for DockerTravis Thieman
 
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...MindShare_kk
 
Owasp Il 7 Fuzz Guru
Owasp Il 7 Fuzz GuruOwasp Il 7 Fuzz Guru
Owasp Il 7 Fuzz Guruguestb0af15
 
0-knowledge fuzzing
0-knowledge fuzzing0-knowledge fuzzing
0-knowledge fuzzingVincenzo Iozzo
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGMuH4f1Z
 
Tapping into the core
Tapping into the coreTapping into the core
Tapping into the corePositive Hack Days
 
App sec owasp from developers prospective
App sec owasp from developers prospectiveApp sec owasp from developers prospective
App sec owasp from developers prospectiveSecurity Innovation
 

Recomendados

Fuzzing with Go-Fuzz
Fuzzing with Go-FuzzFuzzing with Go-Fuzz
Fuzzing with Go-Fuzzjnewmano
 
Ditch Sandboxes for Docker
Ditch Sandboxes for DockerDitch Sandboxes for Docker
Ditch Sandboxes for DockerTravis Thieman
 
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...MindShare_kk
 
Owasp Il 7 Fuzz Guru
Owasp Il 7 Fuzz GuruOwasp Il 7 Fuzz Guru
Owasp Il 7 Fuzz Guruguestb0af15
 
0-knowledge fuzzing
0-knowledge fuzzing0-knowledge fuzzing
0-knowledge fuzzingVincenzo Iozzo
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGMuH4f1Z
 
Tapping into the core
Tapping into the coreTapping into the core
Tapping into the corePositive Hack Days
 
App sec owasp from developers prospective
App sec owasp from developers prospectiveApp sec owasp from developers prospective
App sec owasp from developers prospectiveSecurity Innovation
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 

Más contenido relacionado

Último

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 

Último (20)

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 

Destacado

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Destacado (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

The Buzz about Fuzz: an Enhanced approach to Finding Vulnerabilities

  • 1. 11/16/2011 What’s the Buzz About Fuzz? An enhanced approach to uncovering vulnerabilities Joe Basirico Director, Security Servies Security Innovation About Security Innovation • Software and Crypto Security Experts – 10+ years research on vulnerabilities and cryptography – Hundreds of assessments on world’s most dominant software • Products, Services & Training – Software Assessment – Application Risk Management – SDLC Consulting – eLearning • Helping organizations: – Build internal application security competency – Roll out secure software applications and products – Reduce IT/Application Risk 1
  • 2. 11/16/2011 Agenda The problem fuzzing solves • Fuzz Testing Techniques • Static analysis, dynamic analysis, application scanning, and other techniques • Getting started with fuzzing • Conclusion Fuzzing Conceptualized Web Application Input HTTP Validation TCP/IP Framework 2
  • 3. 11/16/2011 The Problem Fuzzing Addresses • Applications accept input from many sources. We want them to: – Do the right thing when they get good input – Fail securely when they get bad input • Attackers want applications to: – Fail insecurely when they get bad input • Parsers are used to process complex application input – Parsers are notoriously buggy and difficult to write – Malicious, corrupt input can result in fireworks! – Show me an elevation of privilege bug and I bet it’s in a parser • Ok, maybe not all of them are in parsers … • Automated tools find low-hanging fruit and common vulnerabilities. What do you do next? – You need to test with the parser logic in mind. Fuzzing Defined • What is Application Fuzzing? – Technique for generating malformed data streams to expose vulnerabilities – Most effective when automated • Why do it? – Quickly assess an application’s ability to deal with large amounts of invalid data – Hackers will use fuzzing to flush out basic validation problems. You should too! – Very effective at discovering obscure weaknesses and spectacular bugs in applications. • Maybe Blaster could have been found with a fuzzer? 3
  • 4. 11/16/2011 Fuzzing – What Will it Find? • Helpful for finding bugs that cause erratic application behavior and server crashes – Buffer overflows – Denial of service – Parsing issues – Data handling issues • Less helpful at finding: -Elevation of privilege (EoP) - DTD attacks - Weak encryption - XML validation - Repurposing attack - Script injection - Cross-site scripting - Repudiation - Information disclosure - Session replay Getting Good Coverage is Hard • Data is composed of content and format – 1,2,3,5,7,11,13,17,19,23 • Good coverage requires: – Knowledge of the input format (protocols, file format, delimiters, etc.) – Knowledge of input validation techniques – Knowledge of side-effects – Knowledge of error paths 4
  • 5. 11/16/2011 Why it’s Hard • Traditional testing for a buffer overflow – Fill input with 10,000 A characters. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAA… This will only break if your application is really crappy! Why it’s Hard (cont’d) • Once low hanging fruit is gone, what do you do? – You need to test with the parser logic in mind. • Imagine you are testing an url input field… – What would you try besides a long string of A? • Replace domain and v-root: – http://aaaaaaaaaaaaaa.../aaaaaaaaaaaaaaa... • Replace protocol handler: – aaaaaaaaaaaaaaaaaaa…://www.google.com • Replace part of the domain name: – http://www.aaaaaaaaaaaaaaaaaaaa... .com • Etc… 5
  • 6. 11/16/2011 Wait There’s More • That was just a simple input field • What about: – Files with complex format – Network protocol with complex format and state – Programmatic interface with state and complex data types • The order of network packets or API calls matters as much as the format It Gets Worse • Error handlers – Maybe the bug is actually in an error handler? – You need to get the _right error to hit the vulnerable code • Input validation – The application may try to protect itself – Your attack must weasel through while still being dangerous 6
  • 7. 11/16/2011 Agenda • The problem fuzzing solves • Fuzz Testing Techniques • Static analysis, dynamic analysis, application scanning, and other techniques • Getting started with fuzzing • Conclusion Fuzz Testing • Approach – Identify Target – Identify Inputs – Generate/Execute Fuzzed Data – Monitor for Exceptions – Determine Exploitability • Define lists of "known-to-be-dangerous values" (fuzz vectors) for each type – For integers: zero, possibly negative or very big numbers – For chars: escaped, interpretable characters / instructions (ex: For SQL Requests, quotes / commands...) – For binary: random ones 7
  • 8. 11/16/2011 Fuzz Testing Techniques • Fuzzing Techniques – Manual Fuzzing • Intercept and modify the data by hand – Automated Fuzzing • Use a tool to generate fuzz test cases • Can be done in real-time or stored for later use • Types of Fuzzing – Random Fuzzing • Easy to implement • Randomly modify valid input and data types – Format Aware Fuzzing • More difficult to implement • Generate targeted random data to pinpoint failure spots in the software Random Fuzzing Read Open Randomly software Record Valid File with Repeat corrupt corrupt file behavior • Pros – Very fast to get started – Easy to set up – Finds low hanging fruit • Cons – Unfocused – Can generate wild border cases that you don’t care about – Can generate a large amount of data 8
  • 9. 11/16/2011 Format Aware Fuzzing Create a Generate Open software document with corrupt file Record a corrupt Repeat outline file behavior • Pros – Less likely to get hung up on format validation – Will greatly improve code coverage and depth of your attacks – Can target specific functionality • Input that is echoed into HTML for XSS • Input that is echoed into SQL statements for SQLi • Buffer size indicators • End of buffer tokens • Cons – Large setup costs – Assumptions about the file format may be different than actual implementation SOAP Fuzzing • Take the client requests for each service and isolate the element values to be manipulated – Change the entire value, without conforming to the value format • Should turn up gross errors or denial of service conditions – Then present the value in the correct format • Should find issues that would pass a validation gateway, but still cause problems when the data is consumed • Typical payloads used: – Character multiples - SQL Injection – Max unsigned and signed integer values - Common bad ASCII (‘ ” < >) – Variations on format strings using ‘%n’ - All numbers – Long strings - All letters – Empty strings and null values - All spaces – Extended ASCII - Invalid date formats – Binary values - Dictionaries relevant to the application – Base64 and HTML encoded values 9
  • 10. 11/16/2011 Web Services Fuzzing • To monitor the behavior of the web service during fuzzing – Attach a debugger on the server • To determine denial of service conditions use Perfmon to observe the process’s CPU and memory usage • In SOAP fuzzing insert a unique marker into each request, and also log each sent request – Allows you to later reproduce the condition that caused the error – i.e. place an incremented number in the User Agent value of the SOAP requests, which is readable in the IIS logs. • In addition, the randomness of fuzzing can be seeded with a value which would allow for reproducibility Web Services Fuzzing - Example • Everything between the Value tags should be fuzzed as a single blob • The string “org:division/category/DATA=DATA” will be replaced as a whole with the fuzz strings. 10
  • 11. 11/16/2011 Web Service Fuzzing • Next: separate values into subcomponents In addition to fuzzing strings with other strings, INT’s, byte arrays, and separator values (e.g. : and / and =) should also included The Future of Fuzzing • Use application feedback to improve test performance – Similar to manual iterative approach • Watch application and tweak input to improve code coverage – Really hard, similar to the halting problem • Use fault injection + Fuzzing to improve code coverage – Inject faults to vary the code path – Use fuzzing to target input/data validation on error paths • Multi-tier Fuzzing – Improve coverage by considering system as a whole, not just a single process on one machine – Coordinate fuzzing on specific interfaces • Client to app server • App server to DB server • Web services interface 11
  • 12. 11/16/2011 Agenda • The problem fuzzing solves • Fuzz Testing Techniques • Static analysis, dynamic analysis, application scanning, and other techniques • Getting started with fuzzing • Conclusion Non-Fuzzing techniques Academia, research organizations, and tools vendors have tried to solve the problem: A variety of non-fuzzing techniques were developed • Model Based Testing – Build a model of your application, test against it • Static Analysis – Automated code review • Fault Injection – Hit the error paths • Penetration Testing and Code Review – Manual effort by experts 12
  • 13. 11/16/2011 Model Based Testing • Solves the problem of state – E.g. I need to call MethodX before MethodY will work. • Hard to model a complex system and get the right level of detail • Can be effective but requires a significant investment Static Analysis Tools • Look for patterns of bad code, simulate running conditions and find bugs • Find a lot of the common coding errors, faster than humans – Can drastically reduce a number of bugs which may be difficult to find in black box testing • i.e. buffer overrun, encoding and dangerous function usage • Do not predict exploitability of flaws • Cannot detect certain types of vulnerabilities – E.g., Privilege escalation, cross-site scripting • Beware of False Positives – Can result in wasted effort and drain on security resources 13
  • 14. 11/16/2011 Web Scanners • Pros: Does a lot of the heavy lifting – Rely on a database of constantly growing known vulnerabilities – Identify common vulnerabilities faster than manual efforts – Can discover a large amount of information about a device • Misconfigurations, exposed usernames/passwords, cookie usage, vulnerable scripts • Directory/file structure, helper files, Java applets, Flash/ActiveX controls • Forms, query strings, hidden fields, input validation, header information • Cons: Scanners are just that – scanners – Limited to known vulnerabilities, many serious vulnerabilities are missed – No prioritization of vulnerabilities • Vulnerabilities on critical assets ranked identically to low value assets • False positives are time consuming to validate – May provide false sense of security Fault Injection • Simulate environmental error conditions to target error code paths – Low memory – Corrupt files – Constrained bandwidth – Missing libraries – API errors – Etc • Can be used to augment existing test suites and increase code coverage • Historically performed on hardware systems and has migrated to software • Specifically targeted at reducing application fragility in the real world 14
  • 15. 11/16/2011 Pen Test and Code Review • Will find the most elusive and dangerous vulnerabilities – Should be done in conjunction with tools for optimal effectiveness – Ideally performed iteratively, not just when code complete or application is compiled – Will find business logic and other flaws that tools can’t detect • Uses humans to uncover vulnerabilities – Requires expert, well-trained minds – Expensive, time-consuming – Not easily scalable Agenda • The problem fuzzing solves • Fuzz Testing Techniques • Static analysis, dynamic analysis, application scanning, and other techniques • Getting started with fuzzing • Conclusion 15
  • 16. 11/16/2011 Getting Started with Fuzzing • Using a Fuzzer – Prepare a correct file to input to your program. – Replace some part of the file with random data – Open the file with the program – See what breaks. • Start off with network or file fuzzing – If your application accepts file input, start here – If your application accepts network input, go there next • When to Fuzz – As soon as your code is complete, test your input/data validation – You can add simple fuzzing to your unit tests – Fuzz extensively before release: over 10,000 files Fuzz Testing Tools • Burp Suite – Intercept and fuzz network packets. Try for free, pay to unlock features • Skipfish – Use to fuzz HTTP parameters and directory names. Free, hosted by Google. • Appscan – Fuzzing and other testing features. Expensive but comprehensive • Peach – Can fuzz files, RPC, network packets, stored procedures, many others • Spike – Widely used and very flexible but requires coding skills to use • What the Fuzz – Open source, written by Security Innovation • Dozens of others – www.fuzzing.org for a large listing – http://www.owasp.org/index.php/Fuzzing for more information 16
  • 17. 11/16/2011 Conclusion • Fuzz testing isn't a substitute for carefully designed unit and system tests, or black/white box analysis – It’s useful because it tests your application from a perspective that's different from that of human-designed tests. • Harden your Application to Fuzz – Checksums – Grammar based formats such as XML – Verified code such as Java Application Security Services • Application Assessment • Secure SDLC Optimization • Application Portfolio Assessment Computer-Based Training • Conducting a Security Code Review • Creating Secure Code • Testing For the OWSAP Top Ten • Exploiting Buffer Overflows Contact getsecure@securityinnovation.com jbasirico@securityinnovation.com 17