Fully Automated Fuzzing of Web Applications and Services

1. Fully Automated Fuzzing of Web Applications and Services By Skyler Onken

2. Table of Contents • Who am I? • What is Fuzzing? • Usual Targets • Techniques • Results • Limitations • Why Fuzz? • “Fuzzing the Web”? • Desired Solution • Solution • Enumeration Engine • Fuzzing Engine • Client • Demo • Remaining Issues • Future Improvements • Q/A

3. Who am I? • Skyler Onken • BYU-Idaho Student (CIT) • Contingent Staff w/ LDS Church (QA) • Penetration Tester w/ SecureGossipInitiative • Security Trainer @ BYU-Idaho Linux User Group • Security+, CEH, ECSA • http://securityreliks.securegossip.com

4. What is Fuzzing? • OWASP Definition: • “Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.” http://www.owasp.org/index.php/Fuzzing

5. What is Fuzzing? • Wikipedia • “Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted.” http://en.wikipedia.org/wiki/Fuzz_testing

6. What is Fuzzing? • Synonyms • Robustness Testing • Syntax Testing • Negative Testing • White-Noise Testing

7. Usual Targets • File Formats • Network Protocols • Trust Boundary Crossing Software • Desktop Applications • Client Software • Web Applications • Web Services

8. Techniques • Specification-based • Random data • PRNG • Bit flipping

9. Results • Crashes • Memory Leaks • Assertion Failures • Buffer (Stack and Heap based) Overflows • Parsing Errors

10. Limitations • Find simple bugs • Black-Box • Strong dependency on seed

11. Why Fuzz? • Another point of view of testing • If its automated, why not? • Recent Fuzzing Successses: • Apple Wireless flaw DoS (MOKB-30-11-2006) • Month of Browser Bugs: • IE: 25 • Safari: 2 • Firefox: 2 • Opera: 1 • Konquerer: 1

12. “Fuzzing the Web”? • Enumeration • Massively deep and expansive • Ajax Problem • Most elements can be bound to dynamic action • Results • Detecting errors is difficult beyond checking return code • Possibly use baselines?

13. “Fuzzing the Web”? • Rune Hammersland pioneered semi-automation • Join together enumeration and fuzzing • The AJAX problem • Frameworks exist, but lack functionality • Peach • Sulley • RFuzz • Some tools exist, but not automated • Spike • WSFuzz • JBroFuzz • Wfuzz

14. Desired Solution • Easily and Fully Automated • Web Applications and Services • Reproducible Errors • Easy Reporting • “Fire and Forget” • AJAX

15. Solution Server Client/Applet Enumeration engine Fuzzer

16. Enumeration Engine • Detects target type (app, soap, rest) • Will generate variations of enumerated test cases: • Crawljax (applications) • Implements Selenium Web Driver • Programmatically define HTML tags to exercise • http://my.webapp.here/func?var1=normalValue& var2=normalValue • SoapUI API (services) • Enumerates the WSDL/WADL for operations/resources

17. Enumeration Engine Crawler Web Application Fuzzer Test Cases SOAP

18. Fuzzing Engine • Modular • Enables intelligence • Utilizes RC4 • Reproducible • Handles requests and results • Results: != 200 • Output to file; Database pending.

19. Fuzzing Engine Fuzzing Engine Controller Module 1 Bad Chars Module 2 Module 3 Web Server

20. Client • Java Applet

21. Client

22. DEMO

23. Remaining Issues • JVM Memory • Seed • Captchas • Automated Analysis

24. Future Improvements • Smarter Fuzzing • Automated Analysis • REST • Dictionary Support • DB • http://code.google.com/p/fuzzops/

25. Any Questions?