Website Fuzzing
Fuzz testing, or fuzzing, is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails, the defects can be noted.
Fuzzing Applications
Fuzz testing is often used in large software development projects that employ black-box testing. The oldest and simplest form of fuzzing, sending a stream of random bits to software, originated from Prof. Barton Miller's group at the University of Wisconsin in 1988. Another common technique that is easy to implement is mutating existing input by flipping bits at random or moving blocks of the file around. But the most successful fuzzers have a detailed understanding of the format or protocol being tested.
Fuzzing Results
Fuzz testing reveals many different behaviors. Straight-up failures such as crashes, assertion failures, and memory leaks are easy to detect. The use of a memory debugger can help find bugs too subtle to always crash. Fuzz testing is especially useful against large C or C++ applications, where any bug affecting memory safety is likely to be a severe vulnerability.
Reproducing Fuzz Errors
Developers need to reproduce errors in order to fix them. For this reason, almost all fuzz testing makes a record of the data it manufactures, usually before applying it to the software, so that if the computer fails dramatically, the test data is preserved.
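The two mutation techniques from the Fuzzing Applications slide (random bit flips and moving blocks) combined with the record-before-run practice described above, as an added example that is not part of the original slides. The target parse_record, its record format and the sample input are constructed for illustration, and the seed input is assumed to be non-empty.

```python
import os
import random

def flip_bit(data: bytes, rng: random.Random) -> bytes:  # mutation 1: flip one random bit
    buf = bytearray(data)
    i = rng.randrange(len(buf) * 8)
    buf[i // 8] ^= 1 << (i % 8)
    return bytes(buf)

def move_block(data: bytes, rng: random.Random) -> bytes:  # mutation 2: relocate a block
    size = rng.randint(1, max(1, len(data) // 2))
    src = rng.randrange(len(data) - size + 1)
    block, rest = data[src:src + size], data[:src] + data[src + size:]
    dst = rng.randrange(len(rest) + 1)
    return rest[:dst] + block + rest[dst:]

def parse_record(data: bytes) -> bytes:
    """Constructed target: [length][payload][checksum]. It trusts the length byte."""
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]  # defect: no bounds check, IndexError on a bad length
    if checksum != sum(payload) & 0xFF:
        raise ValueError("bad checksum")  # clean rejection, not a defect
    return payload

SEED_INPUT = bytes([5]) + b"hello" + bytes([sum(b"hello") & 0xFF])  # constructed sample

def run_case(target, data: bytes):
    try:
        target(data)
    except ValueError:  # the target rejected the input cleanly
        return None
    except Exception as exc:  # anything else is an unclean failure worth reporting
        return type(exc).__name__
    return None

def fuzz(target, seed_input: bytes, iterations: int, rng_seed: int, corpus_dir: str):
    rng = random.Random(rng_seed)  # fixed seed makes the whole run repeatable
    failures = []
    for i in range(iterations):
        case = rng.choice((flip_bit, move_block))(seed_input, rng)
        path = os.path.join(corpus_dir, f"case-{i:05d}.bin")
        with open(path, "wb") as f:  # record the input BEFORE the target sees it
            f.write(case)
            f.flush()
            os.fsync(f.fileno())  # force it to disk so a hard failure cannot lose it
        if (result := run_case(target, case)):
            failures.append((os.path.basename(path), result))
    return failures
```

To reproduce a reported failure, read the named case file back and pass its bytes to run_case with the same target.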
Advantages and Disadvantages of Fuzz Testing
Advantages:
• Bugs found using fuzz testing are sometimes severe, exploitable bugs that could be used by a real attacker.
• Attackers can now use fuzz testing to find vulnerabilities before the developers do.
• Fuzz testing enhances software security and software safety because it often finds odd oversights and defects which human testers would fail to find.
Advantages and Disadvantages of Fuzz Testing
Disadvantages:
• The main problem with fuzzing to find program faults is that it generally only finds very simple faults.
• A primitive fuzzer may have poor code coverage.
• Every fuzzer can be expected to find a different set of bugs.
Fuzz testing software
Many free software packages are available on the internet, as well as some that you may have to purchase.
• Power Fuzzer (free, open source) http://www.powerfuzzer.com/#documentation
• JBroFuzz (free, open source) http://peachfuzzer.com/WhatIsPeach
• Peach Fuzzing Platform (free, open source) http://peachfuzzer.com/WhatIsPeach
And there are many more free fuzz testing software packages.