Your SlideShare is downloading. ×
  • Like
Perform fuzz on appplications web interface
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Perform fuzz on appplications web interface


Session Presented at 2nd Conference On Software Quality held on 25-26 March 2011 in Pune, India. WEB:

Session Presented at 2nd Conference On Software Quality held on 25-26 March 2011 in Pune, India. WEB:

Published in Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads


Total Views
On SlideShare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. “ PerformFuzz” On Application’s Web Interface. Aniket Kulkarni Symantec , India.
  • 2. Agenda
    • Brief Overview.
    • Performance Testing, Fuzzing & Fuzzer.
    • What Can Be Fuzzed & Common Defects ?
    • What Is PerformFuzz ?
    • PacketPort Fuzzing.
    • How Fuzzing Degrades Performance ?
    • View Of Original & Malicious Packets.
  • 3. Agenda Contd..
    • Impact On 3 rd Party Components.
    • Case Study & Crash Analysis.
    • Best Practices To Avoid such Potholes.
    • References.
  • 4. Brief Overview.
    • Focus On “Performance & Security”.
    • Its attack, that affects application’s “Performance & Availability”.
    • Security Test technique is, “Fuzzing” .
    • Target is, Application's Web interface.
    • Performance + Fuzzing = “PerformFuzz” .
  • 5. What Is Performance Testing ?
    • System check for Responsiveness, Throughput and Scalability, under given workload.
    • Outcome helps to decide: Production readiness, Evaluation of application against performance, Finding root cause of performance issues.
  • 6. What’s Fuzzing &What Can Be Fuzzed ?
    • Its technique to inject, random bad data into an application to see what breaks!
    • Any type of application inputs can be fuzzed: N/W Protocols, Files, GUI, Inter Process communication etc etc
    • Note : Aiming to fuzz application’s web interface, we will consider network protocolport fuzzing only, for current topic.
  • 7.
    • Fuzzer is just a tool, that generates gibberish data.
    • Few fuzzers available are: SPIKE, PEACH, DFUZ, GPF(General Purpose Fuzzer) & SULLEY
    What Is Fuzzer ? Fuzzer Input File File File File File File Software Application Original Input
  • 8. Common Defects By Fuzzing.
    • Buffer Overflow.
    • Integer Overflow.
    • Invalid Memory Reference.
    • Infinite Loop.
    • 3 rd Party components May Sit, Compromising Application.
    • Degraded Performance Of Web Interface (DoER)
    • In quotes, it gives crash (Termed as DoS, Denial Of Service), if analyzed in-depth, one of above is detected.
  • 9. So, what’s PerformFuzz?
    • It’s a Packet Fuzzing.
    • Increasing “Render Response Time” Applying Multiple Fuzzing Instances is PerformFuzz.
    • Causes “DoER” & “DoS”.
    • Note: O nce attacker successfully slow down the performance, its key achievement for him to get confident of next stage, that it’s going to be a definite, crash!
  • 10. How PacketPort Fuzzing Is Done ?
    • Way-1: Trapping valid packets, detecting magic strings, modifying those and resending to respected target.
    • Way-2: Bombarding malicious packets automatically to respected target.
  • 11. But, How Performance Degrades ?
    • Defensive Security Talk, Need To Research Attacks & Then Mitigation.
    • Opting Way-2: Automated Bombarding.
    • Application Response With Single Fuzzing Instance.
    • Craft Instances, Till “Render Response Time” Is Increased.
    • Once Render Response Time Is Caught, Performance Is Tuned Negatively By Just Up & Down Of These instances.
  • 12. View: Ideal & Malicious Packet.
    • Ideal Network Packet.
    • Malicious Network Packet.
  • 13. Impact On 3 rd Party Components.
    • Fuzzing target is http://ip address: port no/
    • Sometimes, web server get’s impacted.
    • Next is our own application.
    • Among “CIA”: A ( Availability ) of an application is hampered 100%
  • 14. Case Study & Crash Analysis.
    • Description:
    • Fuzzing was performed by, sending random packets to the port , on which “ABC” server was listening. Multiple network fuzzers were made to send random packets to the port simultaneously. It was observed degraded performance of application, increasing its render response time. Finally a crash was observed in JVM, bringing down tomcat, due to the race condition in JVM threads. The crash has been reproduced multiple times upto J6U21, which was latest java update when this was encountered for first time.
    • Crash Analysis!
  • 15. Best Practices To Avoid Such Issues.
    • Server Side Validation.
    • Latest OS & Application Vendor Patches.
    • Run Firewall & Intrusion Detectors.
    • Big Fish Have Implemented “CAPTCHA”
  • 16. What’s Out From This Presentation?
    • DoER.
    • DoS.
    • Importance Of 3 rd Party Components.
    • Might Be A Small Test, Under your Performance & Security Test Strategy.
  • 17. Question To think ?
      • Is This Going to Hamper Cloud Clients ?
      • Anyway’s, That’s Under Research With Us, Let’s see What We Bring Up Next.
  • 18. Reference.
  • 19. Questions
    • ?
  • 20. The End.
    • Thank You!
    • Aniket Kulkarni ,
    • Product Security Group, Symantec.
    • [email_address]