Fuzzing - A Primer for Software Testers
This presentation explores the world of fuzzing and is meant as an introductory presentation for developers/testers who know very little about this technique.

I have also tried to make it as simple as possible for testers who have never explored anything in security testing.

Published in: Technology

Transcript

  • 1. November 24, 2010 1 FUZZING A Primer for Software Testers Rahul Verma www.testingperspective.com
  • 2. Before We Get Started
  • 3.
      ► If there has to be one lesson you can learn from me
      ► It’s not fuzzing
      ► It’s that a Tester’s goal is not to hurt a developer’s ego. A Tester collaborates with a developer.
      ► In the agile world, programmers and testers are both called developers. So, whose ego are you referring to?
  • 4. Agenda
      ► Introduction to Fuzzing
      ► How Fuzzing is relevant to testers
      ► Fuzzing Methodology
      ► Types of Fuzzing
      ► Further Steps
      ► References
  • 5. What is Fuzzing?
      Fuzzing is an automated testing technique in which invalid or corrupt data is produced by generation or mutation and fed to the target software, while the target is monitored for a crash or hang, which is then subjected to vulnerability analysis.
  • 6. How is fuzzing relevant to Testers?
      ► Alternatively, Why should YOU sit through this tutorial?
      ► A Black Box Testing Technique
      ► From Black to Gray – Better Fuzzing
      ► What Gets Reported
      ► Required Mindset Change
      ► Essentially Automated
      ► Fuzzing is not a replacement for any other form of testing
  • 7. History / Research Work so Far
      ► Beginning as Academic Research
      ► Favorite of Security Researchers
      ► Part of SDLC at Software Companies
      ► Huge List of Open-Source and Commercial Fuzzers
  • 8. Set of All Possible tests and values
  • 12. Testing “Did you mean…”
  • 13. Fuzzing as Anti-Parsing
      83 00 => 00 83
      0000 0000 1000 0011
      0000 0000 10 | 00 0011
      Tag id: 0000 0000 10 = 2
      Length: 000011 = 3
  • 14. TIGEMA: Targets, Inputs, Generate, Execute, Monitor, Analyze
  • 15. CLI, Web Apps, Network Apps, Browser
  • 16. File Formats, API, Registry, Environment Vars
  • 17. Fuzzing – Existing Tools and Frameworks
      ► Fuzzing Frameworks – SPIKE, Peach, Sulley
      ► File Fuzzing – FileFuzz, SpikeFile, NotSpikeFile
      ► Mangleme – Browser Fuzzing
      ► iFuzz – Command Line Fuzzing
      ► ShareFuzz – Environment Variables Fuzzing
      ► AxMan/COMRaider – ActiveX fuzzing
      ► WebScarab – Web Application Fuzzing
      and several other open source and commercial tools.
  • 18. Which Programming Language to Use?
      ► C / C++
      ► Java
      ► Perl
      ► Ruby
      ► Python – The current favorite of security community
  • 19. References
      ► Fuzzing for Software Testing and Quality Assurance - Ari Takanen (Codenomicon CTO), Jared DeMott and Charlie Miller
      ► Fuzzing: Brute Force Vulnerability Discovery - Sutton Michael, Greene Adam, Amini Pedram: 2007
      ► Peach Fuzzing Framework by Michael Eddington
      ► Eddington, Michael: 2008: Peach 2 Tutorial http://peachfuzzer.com/docs/Peach%202%20Tutorial.htm
      ► Wikipedia: Fuzz Testing http://en.wikipedia.org/wiki/Fuzz_testing
      ► OWASP: Fuzzing http://www.owasp.org/index.php/Fuzzing
      ► Fuzzing.org: Fuzzing Software http://www.fuzzing.org/fuzzing-software
  • 20. Send any offline queries to: rahul_verma@testingperspective.com www.testingperspective.com
  • 21. “I hear and I forget. I see and I remember. I do and I understand.” Confucius
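
The header decode on slide 13 and the Generate / Execute / Monitor steps of TIGEMA on slide 14, as an added example that is not part of the original slides. It assumes a record made of that 2-byte little-endian header (10-bit tag id, 6-bit length) followed by the payload; the function names and the two parsers are hypothetical.

```python
import random
import struct

def decode_header(raw: bytes):
    """Slide 13 layout: 16-bit little-endian word, 10-bit tag id then 6-bit length."""
    (word,) = struct.unpack("<H", raw[:2])
    return word >> 6, word & 0x3F

def naive_parse(data: bytes):
    """Trusts the length field: reads payload bytes without checking they exist."""
    tag, length = decode_header(data)
    return tag, bytes(data[2 + i] for i in range(length))

def strict_parse(data: bytes):
    """Rejects any record whose declared length disagrees with the bytes present."""
    if len(data) < 2:
        raise ValueError("truncated header")
    tag, length = decode_header(data)
    if len(data) - 2 != length:
        raise ValueError("length field does not match payload size")
    return tag, data[2:]

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Mutation: flip one bit, truncate the tail, or append random bytes."""
    data = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif choice == 1:
        del data[rng.randrange(len(data)):]
    else:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)

def fuzz(parser, seed: bytes, iterations: int = 500, rng_seed: int = 1):
    """Generate, execute, monitor: collect inputs that raise anything but ValueError."""
    rng = random.Random(rng_seed)
    findings = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            pass                      # clean rejection of bad input is expected
        except Exception as exc:      # unexpected failure: keep input for analysis
            findings.append((case, type(exc).__name__))
    return findings

SEED = bytes([0x83, 0x00]) + b"abc"  # constructed sample: slide 13 header + 3-byte payload
```

Running `fuzz(naive_parse, SEED)` returns the mutated inputs that made the length-trusting parser fail unexpectedly, while `fuzz(strict_parse, SEED)` returns an empty list because every malformed record is rejected with `ValueError`.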
