Perform fuzz on application's web interface

Session presented at the 2nd IndicThreads.com Conference On Software Quality, held on 25-26 March 2011 in Pune, India. WEB: http://Q11.IndicThreads.com

    Presentation Transcript

    • “PerformFuzz” On Application’s Web Interface. Aniket Kulkarni, Symantec, India.
    • Agenda
      • Brief Overview.
      • Performance Testing, Fuzzing & Fuzzers.
      • What Can Be Fuzzed & Common Defects?
      • What Is PerformFuzz?
      • Packet/Port Fuzzing.
      • How Does Fuzzing Degrade Performance?
      • View Of Original & Malicious Packets.
    • Agenda (contd.)
      • Impact On 3rd-Party Components.
      • Case Study & Crash Analysis.
      • Best Practices To Avoid Such Potholes.
      • References.
    • Brief Overview.
      • Focus on “Performance & Security”.
      • It is an attack that affects the application’s “Performance & Availability”.
      • The security test technique is “Fuzzing”.
      • The target is the application’s web interface.
      • Performance + Fuzzing = “PerformFuzz”.
    • What Is Performance Testing?
      • A check of the system’s responsiveness, throughput and scalability under a given workload.
      • The outcome helps to decide production readiness, to evaluate the application against its performance targets, and to find the root cause of performance issues.
    • What’s Fuzzing & What Can Be Fuzzed?
      • It is a technique that injects random bad data into an application to see what breaks!
      • Any type of application input can be fuzzed: network protocols, files, GUI, inter-process communication, etc.
      • Note: since the aim is to fuzz the application’s web interface, we consider network protocol/port fuzzing only for the current topic.
      • A fuzzer is just a tool that generates gibberish data.
      • A few available fuzzers are: SPIKE, Peach, dfuz, GPF (General Purpose Fuzzer) & Sulley.
      • What Is A Fuzzer? [Diagram: the fuzzer takes the original input file, produces many mutated input files, and feeds them to the software application.]
    • Common Defects Found By Fuzzing.
      • Buffer overflow.
      • Integer overflow.
      • Invalid memory reference.
      • Infinite loop.
      • A 3rd-party component may be the one that fails, compromising the application.
      • Degraded performance of the web interface (DoER).
      • On the surface the result is a crash (termed DoS, Denial of Service); analyzed in depth, one of the above is detected as the cause.
    • So, What’s PerformFuzz?
      • It is packet fuzzing.
      • Increasing the “render response time” by applying multiple fuzzing instances is PerformFuzz.
      • It causes “DoER” & “DoS”.
      • Note: once the attacker has successfully slowed the performance down, that is the key achievement that makes him confident the next stage is going to be a definite crash!
    • How Is Packet/Port Fuzzing Done?
      • Way-1: Trapping valid packets, detecting the magic strings, modifying them and resending them to the target.
      • Way-2: Bombarding the target with malicious packets automatically.
    • But How Does Performance Degrade?
      • This is a defensive security talk: the attack has to be researched first, then the mitigation.
      • Opting for Way-2: automated bombarding.
      • Measure the application’s response with a single fuzzing instance.
      • Add fuzzing instances until the “render response time” increases.
      • Once the render response time threshold is caught, performance is tuned negatively just by scaling these instances up and down.
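The two ways of packet/port fuzzing and the instance-scaling procedure above, as an added example in Python; this is not the presenter's tool or any Symantec code. Way-1 is `mutate_request()`, which takes a trapped valid HTTP request and corrupts one of its magic strings (path, protocol version, Content-Length); Way-2 is `bombard()`, which runs N fuzzing instances concurrently and times every request so the render response time can be compared as N is scaled up and down. The request template, the five mutation strategies and the in-process stand-in HTTP server (`start_local_target()`, standing in for the Tomcat target of the talk) are constructed for this example so it runs offline.

```python
"""PerformFuzz-style packet fuzzing of a web interface (added example, not the presenter's
tool). Way-1, mutate_request(): corrupt one "magic string" of a trapped valid request. Way-2,
bombard(): N concurrent fuzzing instances with every request timed, so the rise in render
response time shows as N grows. start_local_target() is a throwaway stand-in target."""
import random, socket, threading, time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from statistics import mean

# Constructed sample: a valid request as it would be trapped from a capture.
VALID_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: 127.0.0.1\r\n"
                 b"User-Agent: PerformFuzz-demo\r\nContent-Length: 0\r\n\r\n")
STRATEGIES = ("long_path", "junk_path", "bad_version", "huge_length", "neg_length")

def mutate_request(template, seed):
    """Way-1: return (strategy, mutated request bytes); deterministic per seed."""
    rng = random.Random(seed)
    head, _, body = template.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, version = lines[0].split(b" ", 2)
    headers = [line.split(b": ", 1) for line in lines[1:]]
    strategy = rng.choice(STRATEGIES)
    if strategy == "long_path":                  # long buffer in the URI
        path = b"/" + b"A" * rng.randint(2048, 70000)
    elif strategy == "junk_path":                # gibberish where the path was
        path = bytes(rng.getrandbits(8) for _ in range(rng.randint(1, 256)))
    elif strategy == "bad_version":              # version >= 2.0: never valid
        version = b"HTTP/%d.%d" % (rng.randint(2, 99), rng.randint(0, 99))
    elif strategy == "huge_length":              # integer-overflow probe (2**32)
        headers = [[k, b"4294967296"] if k == b"Content-Length" else [k, v] for k, v in headers]
    else:                                        # negative length: must be rejected
        headers = [[k, b"-1"] if k == b"Content-Length" else [k, v] for k, v in headers]
    out = b" ".join((method, path, version)) + b"\r\n"
    out += b"".join(k + b": " + v + b"\r\n" for k, v in headers)
    return strategy, out + b"\r\n" + body

def send_one(host, port, request, timeout=3.0):
    """Send one raw request; return (latency_seconds, responded). responded is
    False on timeout, reset, or a target that no longer accepts connections."""
    started, responded = time.perf_counter(), False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            responded = len(sock.recv(4096)) > 0
    except OSError:
        pass
    return time.perf_counter() - started, responded

def _instance(host, port, template, n, seed, results, lock):
    """One fuzzing instance: n mutated requests back to back."""
    for i in range(n):
        strategy, request = mutate_request(template, seed * 100000 + i)
        latency, responded = send_one(host, port, request)
        with lock:
            results.append((strategy, latency, responded))

def bombard(host, port, instances, requests_per_instance, seed=0, template=VALID_REQUEST):
    """Way-2: run `instances` fuzzing instances concurrently; returns per-request samples."""
    results, lock = [], threading.Lock()
    threads = [threading.Thread(target=_instance, args=(host, port, template,
               requests_per_instance, seed + k, results, lock)) for k in range(instances)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results

def summarize(results):
    """Render-response-time view of one bombardment run."""
    lat = [s for _, s, _ in results] or [0.0]
    return {"requests": len(results), "mean_ms": round(mean(lat) * 1000, 2),
            "max_ms": round(max(lat) * 1000, 2),
            "unanswered": sum(1 for _, _, ok in results if not ok)}

class _Target(ThreadingHTTPServer):
    daemon_threads = True
    handle_error = lambda self, *a: None   # stdlib server raises on some malformed input; stay quiet

class _Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")
    log_message = lambda self, *a: None

def start_local_target():
    """Stand-in target on an ephemeral port; returns (server, port)."""
    server = _Target(("127.0.0.1", 0), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

if __name__ == "__main__":
    server, port = start_local_target()
    try:
        for n in (1, 4, 16):  # scale instances up and watch the timings move
            print(n, "instance(s):", summarize(bombard("127.0.0.1", port, n, 10, seed=n)))
    finally:
        server.shutdown()
```

Run it and compare `mean_ms` and `max_ms` across 1, 4 and 16 instances; a rising `unanswered` count is the DoER turning into DoS. Against a real target under test, replace `start_local_target()` with the host and port of the server, and capture the mutated requests with Wireshark to compare them with the original packet as the slides do.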
    • View: Ideal & Malicious Packet.
      • Ideal network packet. [Packet capture shown on the slide.]
      • Malicious network packet. [Packet capture shown on the slide.]
    • Impact On 3rd-Party Components.
      • The fuzzing target is http://<ip address>:<port no>/
      • Sometimes the web server itself gets impacted.
      • Next is our own application.
      • Of the “CIA” triad, A (Availability) of the application is hampered 100%.
    • Case Study & Crash Analysis.
      • Description:
      • Fuzzing was performed by sending random packets to the port on which the “ABC” server was listening. Multiple network fuzzers were made to send random packets to the port simultaneously. Degraded performance of the application was observed, increasing its render response time. Finally a crash was observed in the JVM, bringing down Tomcat, due to a race condition in JVM threads. The crash was reproduced multiple times up to J6U21, which was the latest Java update when this was first encountered.
      • Crash Analysis!
    • Best Practices To Avoid Such Issues.
      • Server-side validation.
      • Latest OS & application vendor patches.
      • Run a firewall & intrusion detectors.
      • The big fish have implemented “CAPTCHA”.
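What the “run a firewall & intrusion detectors” advice amounts to on the log side, as an added example in Python that is not part of the talk: a Way-2 bombardment is visible to the server as one client sending many requests per second, most of them rejected by server-side validation (400/414/505) or not even shaped like HTTP. The detector below keeps a sliding window per client IP over access-log lines in the common log format (the pattern Tomcat's AccessLogValve writes) and flags a client once the window holds a burst whose malformed fraction is high. The log lines are constructed here, the attacking address is from the TEST-NET-1 range, and the thresholds are illustrative assumptions, not values from the presentation.

```python
"""Burst/malformed-request detector over web-server access logs (added example,
not the presenter's code). A Way-2 bombardment shows up as one client sending
many requests per second, most of them rejected (400/414/505) or not HTTP-shaped.
Log lines: common log format (Tomcat AccessLogValve "common" pattern), constructed
here; window and ratio thresholds are illustrative assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+)')
# A request line the application would have parsed normally; anything else is malformed.
GOOD_REQ_RE = re.compile(r'^(GET|HEAD|POST|PUT|DELETE|OPTIONS) /\S{0,2047} HTTP/1\.[01]$')
REJECT_STATUSES = {400, 413, 414, 431, 505}   # server-side validation refused the request

def parse_line(line):
    """Return (ip, timestamp, malformed) or None for a line the regex does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    malformed = int(m["status"]) in REJECT_STATUSES or not GOOD_REQ_RE.match(m["req"])
    return m["ip"], ts, malformed

def detect_bursts(lines, window_s=10, min_requests=20, malformed_ratio=0.5):
    """Sliding window per client IP: flag when >= min_requests arrive within
    window_s seconds and at least malformed_ratio of them are malformed/rejected."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    recent, flagged = defaultdict(deque), {}
    for ip, ts, malformed in events:
        dq = recent[ip]
        dq.append((ts, malformed))
        while (ts - dq[0][0]).total_seconds() > window_s:
            dq.popleft()
        bad = sum(1 for _, is_bad in dq if is_bad)
        if len(dq) >= min_requests and bad / len(dq) >= malformed_ratio:
            flagged[ip] = {"requests": len(dq), "malformed": bad, "window_end": ts.isoformat()}
    return flagged

def _line(ip, hhmmss, req, status, size):
    return '%s - - [25/Mar/2011:%s +0530] "%s" %s %s' % (ip, hhmmss, req, status, size)

# Constructed log: a quiet legitimate client, then a 25-request burst within 5 seconds
# from 192.0.2.10 (TEST-NET-1), 20 of them malformed or rejected.
SAMPLE_LOG = [_line("10.0.0.5", "10:15:%02d" % (2 * i), "GET /index.html HTTP/1.1", 200, 1043)
              for i in range(6)]
MALFORMED = [("GET /" + "A" * 70 + " HTTP/1.1", 414),   # oversized URI (shortened here)
             ("GET /index.html HTTP/9.9", 505),          # bad protocol version
             ("\\xff\\x00\\x41 HTTP/1.1", 400),          # gibberish request line, as escaped in the log
             ("GET /index.html HTTP/1.1", 400)]          # rejected on headers (e.g. Content-Length: -1)
for i in range(25):
    req, status = ("GET /index.html HTTP/1.1", 200) if i % 5 == 0 else MALFORMED[i % 4]
    SAMPLE_LOG.append(_line("192.0.2.10", "10:15:%02d" % (40 + i // 5), req, status, "-"))

if __name__ == "__main__":
    for ip, info in detect_bursts(SAMPLE_LOG).items():
        print(ip, info)
```

The flagged dictionary is what a firewall rule or an IDS alert would be built from; the same window logic can be fed from a live tail of the log instead of a list. Tune `min_requests` and `window_s` to the legitimate request rate of the interface, otherwise a busy but well-behaved client (all 200s) stays below `malformed_ratio` anyway.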
    • Takeaways From This Presentation.
      • DoER.
      • DoS.
      • The importance of 3rd-party components.
      • This might be a small test under your performance & security test strategy.
    • Question To Think About.
        • Is this going to hamper cloud clients?
        • Anyway, that is under research with us; let’s see what we bring up next.
    • References.
      • http://msdn.microsoft.com/en-us/library/bb924356.aspx
      • http://peachfuzzer.com/PeachInstallation
      • http://openmaniak.com/wireshark_tutorial.php
      • http://www.wireshark.org/download.html
      • http://resources.infosecinstitute.com/intro-to-fuzzing/
      • http://resources.infosecinstitute.com/fuzzer-automation-with-spike/
      • http://windbg.info/doc/1-common-cmds.html#7_symbols
    • Questions?
    • The End.
      • Thank You!
      • Aniket Kulkarni,
      • Product Security Group, Symantec.
      • [email_address]