SlideShare a Scribd company logo

The Mysterious Paradigm of Fuzzing by Rakesh Seal

null - The Open Security Community
null - The Open Security Community

The Mysterious Paradigm of Fuzzing by Rakesh Seal, at null/OWASP Kolkata Meetup on 09 December 2023

Technology
1 of 11
Download to read offline
Fuzz Them All The Mysterious Paradigm of Fuzzing
$ whoami Rakesh Seal ● R&D, Keysight (ATI Research) ● Network Security ● Embedded Systems (IoT) ● Full Stack Dev ● Automation Enthusiast ● 10+ Patent Publication ● Play DoTA 👾 rakeshseal0.github.io
Fuzzing 101 What? ● Automated SW Testing ● Unexpected Input ● Large Input ● Feedback Loop Why? ● Vulnerability Identification ● Software Reliability ● Saves Time (Reduces Panic 😇 ) ● Compliance
Fuzzing vs Brute Forcing Aspect Brute-Forcing (🔓) Fuzzing (🪲) Purpose To guess correct data To find vulnerabilities in software. Method Tries every possible combination systematically. Inputs random or malformed data. Target Authentication systems, encryption keys. Software applications, systems, protocols
Types of Fuzzing BlackBox ● No Input Knowledge ● High Level Testing ● Large Target Peach Fuzzer WhiteBox GreyBox ● In Depth Knowledge ● Low Level Testing ● Specific Target KLEE, SAGE ● Limited Knowledge ● Balanced Testing ● Focused Broad Target AFL, ClusterFuzz
Corpus, Instrumentation, Coverage Rakesh S
Enough Talk, Show me some Action !! https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/INSTALL.md https://github.com/mykter/afl-training https://github.com/antonio-morales/Fuzzing101
Where Do I use This Knowledge? ● web form ● API ● Authentication Webapps ❏ ZAPP ❏ WFuzz ● System Tools ● Libraries ● Firmware ● Device Drivers Binary ❏ AFL ❏ LibFuzzer Network ❏ Scapy ❏ Sulley Generic ❏ Peach ❏ Atheris ❏ go-fuzz ● TCP / IP ● L7 Protocols ● Communication ● Utility ● Scripts ● Backend Services
Real World Applications Independent Research 03 02 Google OSS-Fuzz ● 36,000+ bugs ● CVE-2016-5172 (Chrome), ● CVE-2017-3731 (OpenSSL), ● CVE-2018-20225 (LibreOffice) 01 Microsoft SLDC ● CVE-2020-0601 (Windows CryptoAPI) ● CVE-2019-0803 (Windows) ● CVE-2018-8174 (Internet Explorer) ● Heartbleed (CVE-2014-0160) ● Shellshock (CVE-2014-6271) ● BlueKeep (CVE-2019-0708) ● Linux Kernel (CVE-2014-0196)
RoadMap �� Fuzz Own Code Start With AFL �� Corpus, Coverage, Instrumentation �� Crash Analysis �� Other Fuzzers �� Start Hunting ��
References 1. http://en.wikipedia.org/wiki/Fuzz_testing 2. https://pages.cs.wisc.edu/~rist/642-fall-2012/toorcon.pdf 3. https://owasp.org/www-community/Fuzzing 4. https://www.youtube.com/watch?v=COHUWuLTbdk&t=774s&ab_channel=LiveOverflow “You won’t find any bugs in code you haven’t tested”

Recommended

6 Traits of a Successful Test Automation Architecture
6 Traits of a Successful Test Automation Architecture6 Traits of a Successful Test Automation Architecture
6 Traits of a Successful Test Automation ArchitectureErdem YILDIRIM
 
Secrets and Mysteries of Automated Execution Keynote slides
Secrets and Mysteries of Automated Execution Keynote slidesSecrets and Mysteries of Automated Execution Keynote slides
Secrets and Mysteries of Automated Execution Keynote slidesAlan Richardson
 
Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020
Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020
Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020Greg Bailey
 
Coding Dojo - Golden Master Technique - Approval Tests - Gilded Rose Kata-
Coding Dojo - Golden Master Technique - Approval Tests - Gilded Rose Kata-Coding Dojo - Golden Master Technique - Approval Tests - Gilded Rose Kata-
Coding Dojo - Golden Master Technique - Approval Tests - Gilded Rose Kata-Alin Pandichi
 
Testing strategies for legacy code
Testing strategies for legacy codeTesting strategies for legacy code
Testing strategies for legacy codeAlex Soto
 
Chapter 4 access control fundamental ii
Chapter 4 access control fundamental iiChapter 4 access control fundamental ii
Chapter 4 access control fundamental iiSyaiful Ahdan
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationSatria Ady Pradana
 
Working with Legacy Code
Working with Legacy CodeWorking with Legacy Code
Working with Legacy CodeEyal Golan
 

Recommended

6 Traits of a Successful Test Automation Architecture
6 Traits of a Successful Test Automation Architecture6 Traits of a Successful Test Automation Architecture
6 Traits of a Successful Test Automation ArchitectureErdem YILDIRIM
 
Secrets and Mysteries of Automated Execution Keynote slides
Secrets and Mysteries of Automated Execution Keynote slidesSecrets and Mysteries of Automated Execution Keynote slides
Secrets and Mysteries of Automated Execution Keynote slidesAlan Richardson
 
Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020
Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020
Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020Greg Bailey
 
Coding Dojo - Golden Master Technique - Approval Tests - Gilded Rose Kata-
Coding Dojo - Golden Master Technique - Approval Tests - Gilded Rose Kata-Coding Dojo - Golden Master Technique - Approval Tests - Gilded Rose Kata-
Coding Dojo - Golden Master Technique - Approval Tests - Gilded Rose Kata-Alin Pandichi
 
Testing strategies for legacy code
Testing strategies for legacy codeTesting strategies for legacy code
Testing strategies for legacy codeAlex Soto
 
Chapter 4 access control fundamental ii
Chapter 4 access control fundamental iiChapter 4 access control fundamental ii
Chapter 4 access control fundamental iiSyaiful Ahdan
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationSatria Ady Pradana
 
Working with Legacy Code
Working with Legacy CodeWorking with Legacy Code
Working with Legacy CodeEyal Golan
 
Unit Testing like a Pro - The Circle of Purity
Unit Testing like a Pro - The Circle of PurityUnit Testing like a Pro - The Circle of Purity
Unit Testing like a Pro - The Circle of PurityVictor Rentea
 
Application Security within Agile
Application Security within AgileApplication Security within Agile
Application Security within AgileNetlight Consulting
 
Tdd in practice
Tdd in practiceTdd in practice
Tdd in practiceAndrew Meredith
 
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Chase Schultz
 
Ha(Attackers) Exposed
Ha(Attackers) ExposedHa(Attackers) Exposed
Ha(Attackers) ExposedEugene Tawiah
 
Bruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxBruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxidsecconf
 
Agile Days Twin Cities 2011
Agile Days Twin Cities 2011Agile Days Twin Cities 2011
Agile Days Twin Cities 2011Brian Repko
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure DevelopmentBosnia Agile
 
Practical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of ThingsPractical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of ThingsChase Schultz
 
Mobile Development - Unit and Automation Testing
Mobile Development - Unit and Automation TestingMobile Development - Unit and Automation Testing
Mobile Development - Unit and Automation TestingManuel Vicente Vivo
 
Gattacking Bluetooth Smart devices - introducing new BLE MITM proxy tool
Gattacking Bluetooth Smart devices - introducing new BLE MITM proxy toolGattacking Bluetooth Smart devices - introducing new BLE MITM proxy tool
Gattacking Bluetooth Smart devices - introducing new BLE MITM proxy toolSlawomir Jasek
 
Assessing a pen tester: Making the right choice when choosing a third party P...
Assessing a pen tester: Making the right choice when choosing a third party P...Assessing a pen tester: Making the right choice when choosing a third party P...
Assessing a pen tester: Making the right choice when choosing a third party P...Jason Broz, CIPP/US
 
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationIntroduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationObika Gellineau
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
OWASP Much ado about randomness
OWASP Much ado about randomnessOWASP Much ado about randomness
OWASP Much ado about randomnessAleksandr Yampolskiy
 
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018Codemotion
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들GangSeok Lee
 
BTC2019 - The Key Creation Ceremony
BTC2019 - The Key Creation CeremonyBTC2019 - The Key Creation Ceremony
BTC2019 - The Key Creation CeremonyJoshua McDougall
 
Why just fake it
Why just fake itWhy just fake it
Why just fake itdanstroh
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxnull - The Open Security Community
 

More Related Content

Similar to The Mysterious Paradigm of Fuzzing by Rakesh Seal

Unit Testing like a Pro - The Circle of Purity
Unit Testing like a Pro - The Circle of PurityUnit Testing like a Pro - The Circle of Purity
Unit Testing like a Pro - The Circle of PurityVictor Rentea
 
Application Security within Agile
Application Security within AgileApplication Security within Agile
Application Security within AgileNetlight Consulting
 
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Chase Schultz
 
Ha(Attackers) Exposed
Ha(Attackers) ExposedHa(Attackers) Exposed
Ha(Attackers) ExposedEugene Tawiah
 
Bruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxBruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxidsecconf
 
Agile Days Twin Cities 2011
Agile Days Twin Cities 2011Agile Days Twin Cities 2011
Agile Days Twin Cities 2011Brian Repko
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure DevelopmentBosnia Agile
 
Practical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of ThingsPractical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of ThingsChase Schultz
 
Mobile Development - Unit and Automation Testing
Mobile Development - Unit and Automation TestingMobile Development - Unit and Automation Testing
Mobile Development - Unit and Automation TestingManuel Vicente Vivo
 
Gattacking Bluetooth Smart devices - introducing new BLE MITM proxy tool
Gattacking Bluetooth Smart devices - introducing new BLE MITM proxy toolGattacking Bluetooth Smart devices - introducing new BLE MITM proxy tool
Gattacking Bluetooth Smart devices - introducing new BLE MITM proxy toolSlawomir Jasek
 
Assessing a pen tester: Making the right choice when choosing a third party P...
Assessing a pen tester: Making the right choice when choosing a third party P...Assessing a pen tester: Making the right choice when choosing a third party P...
Assessing a pen tester: Making the right choice when choosing a third party P...Jason Broz, CIPP/US
 
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationIntroduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationObika Gellineau
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018Codemotion
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들GangSeok Lee
 
BTC2019 - The Key Creation Ceremony
BTC2019 - The Key Creation CeremonyBTC2019 - The Key Creation Ceremony
BTC2019 - The Key Creation CeremonyJoshua McDougall
 
Why just fake it
Why just fake itWhy just fake it
Why just fake itdanstroh
 

Similar to The Mysterious Paradigm of Fuzzing by Rakesh Seal (20)

Unit Testing like a Pro - The Circle of Purity
Unit Testing like a Pro - The Circle of PurityUnit Testing like a Pro - The Circle of Purity
Unit Testing like a Pro - The Circle of Purity
 
Application Security within Agile
Application Security within AgileApplication Security within Agile
Application Security within Agile
 
Tdd in practice
Tdd in practiceTdd in practice
Tdd in practice
 
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
 
Ha(Attackers) Exposed
Ha(Attackers) ExposedHa(Attackers) Exposed
Ha(Attackers) Exposed
 
Bruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxBruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linx
 
Agile Days Twin Cities 2011
Agile Days Twin Cities 2011Agile Days Twin Cities 2011
Agile Days Twin Cities 2011
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure Development
 
Practical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of ThingsPractical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of Things
 
Mobile Development - Unit and Automation Testing
Mobile Development - Unit and Automation TestingMobile Development - Unit and Automation Testing
Mobile Development - Unit and Automation Testing
 
Gattacking Bluetooth Smart devices - introducing new BLE MITM proxy tool
Gattacking Bluetooth Smart devices - introducing new BLE MITM proxy toolGattacking Bluetooth Smart devices - introducing new BLE MITM proxy tool
Gattacking Bluetooth Smart devices - introducing new BLE MITM proxy tool
 
Assessing a pen tester: Making the right choice when choosing a third party P...
Assessing a pen tester: Making the right choice when choosing a third party P...Assessing a pen tester: Making the right choice when choosing a third party P...
Assessing a pen tester: Making the right choice when choosing a third party P...
 
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationIntroduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
OWASP Much ado about randomness
OWASP Much ado about randomnessOWASP Much ado about randomness
OWASP Much ado about randomness
 
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
 
BTC2019 - The Key Creation Ceremony
BTC2019 - The Key Creation CeremonyBTC2019 - The Key Creation Ceremony
BTC2019 - The Key Creation Ceremony
 
Why just fake it
Why just fake itWhy just fake it
Why just fake it
 

More from null - The Open Security Community

Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Immutable Desktop using Container Orchestration By Mohammed Danish Amber .pdf
Immutable Desktop using Container Orchestration By Mohammed Danish Amber .pdfImmutable Desktop using Container Orchestration By Mohammed Danish Amber .pdf
Immutable Desktop using Container Orchestration By Mohammed Danish Amber .pdfnull - The Open Security Community
 
Digital Personal Data Protection Act 2023 by S Ramakrishnan.pdf
Digital Personal Data Protection Act 2023 by S Ramakrishnan.pdfDigital Personal Data Protection Act 2023 by S Ramakrishnan.pdf
Digital Personal Data Protection Act 2023 by S Ramakrishnan.pdfnull - The Open Security Community
 
Beyond Boundaries-The Power of Zero Trust Networking By Mohammed Danish Amber...
Beyond Boundaries-The Power of Zero Trust Networking By Mohammed Danish Amber...Beyond Boundaries-The Power of Zero Trust Networking By Mohammed Danish Amber...
Beyond Boundaries-The Power of Zero Trust Networking By Mohammed Danish Amber...null - The Open Security Community
 
Reverse Engineering and It’s Basic by Prasenjit Kanti Paul.pptx
Reverse Engineering and It’s Basic by Prasenjit Kanti Paul.pptxReverse Engineering and It’s Basic by Prasenjit Kanti Paul.pptx
Reverse Engineering and It’s Basic by Prasenjit Kanti Paul.pptxnull - The Open Security Community
 
Get Started with Cyber Security and Its Landscape Null Community Presentation...
Get Started with Cyber Security and Its Landscape Null Community Presentation...Get Started with Cyber Security and Its Landscape Null Community Presentation...
Get Started with Cyber Security and Its Landscape Null Community Presentation...null - The Open Security Community
 
Demystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptx
Demystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptxDemystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptx
Demystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptxnull - The Open Security Community
 

More from null - The Open Security Community (18)

Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
Hardware-Hacking-101 By Asutosh Kumar.pdf
Hardware-Hacking-101 By Asutosh Kumar.pdfHardware-Hacking-101 By Asutosh Kumar.pdf
Hardware-Hacking-101 By Asutosh Kumar.pdf
 
Demystifying-DNS-Attack-by-Rakesh Seal.pdf
Demystifying-DNS-Attack-by-Rakesh Seal.pdfDemystifying-DNS-Attack-by-Rakesh Seal.pdf
Demystifying-DNS-Attack-by-Rakesh Seal.pdf
 
Immutable Desktop using Container Orchestration By Mohammed Danish Amber .pdf
Immutable Desktop using Container Orchestration By Mohammed Danish Amber .pdfImmutable Desktop using Container Orchestration By Mohammed Danish Amber .pdf
Immutable Desktop using Container Orchestration By Mohammed Danish Amber .pdf
 
Recon for Bug Bounty by Agnibha Dutta.pdf
Recon for Bug Bounty by Agnibha Dutta.pdfRecon for Bug Bounty by Agnibha Dutta.pdf
Recon for Bug Bounty by Agnibha Dutta.pdf
 
A talk on OWASP Top 10 by Mukunda Tamly
A talk on OWASP Top 10 by Mukunda TamlyA talk on OWASP Top 10 by Mukunda Tamly
A talk on OWASP Top 10 by Mukunda Tamly
 
Digital Personal Data Protection Act 2023 by S Ramakrishnan.pdf
Digital Personal Data Protection Act 2023 by S Ramakrishnan.pdfDigital Personal Data Protection Act 2023 by S Ramakrishnan.pdf
Digital Personal Data Protection Act 2023 by S Ramakrishnan.pdf
 
Beyond Boundaries-The Power of Zero Trust Networking By Mohammed Danish Amber...
Beyond Boundaries-The Power of Zero Trust Networking By Mohammed Danish Amber...Beyond Boundaries-The Power of Zero Trust Networking By Mohammed Danish Amber...
Beyond Boundaries-The Power of Zero Trust Networking By Mohammed Danish Amber...
 
Cyber_Forensics_in_the_New_Age_of_Cyber_Security.pdf
Cyber_Forensics_in_the_New_Age_of_Cyber_Security.pdfCyber_Forensics_in_the_New_Age_of_Cyber_Security.pdf
Cyber_Forensics_in_the_New_Age_of_Cyber_Security.pdf
 
GSM-CallFlowAndSecurity Features (2G-3G-4G).pptx
GSM-CallFlowAndSecurity Features (2G-3G-4G).pptxGSM-CallFlowAndSecurity Features (2G-3G-4G).pptx
GSM-CallFlowAndSecurity Features (2G-3G-4G).pptx
 
Reverse Engineering and It’s Basic by Prasenjit Kanti Paul.pptx
Reverse Engineering and It’s Basic by Prasenjit Kanti Paul.pptxReverse Engineering and It’s Basic by Prasenjit Kanti Paul.pptx
Reverse Engineering and It’s Basic by Prasenjit Kanti Paul.pptx
 
Get Started with Cyber Security and Its Landscape Null Community Presentation...
Get Started with Cyber Security and Its Landscape Null Community Presentation...Get Started with Cyber Security and Its Landscape Null Community Presentation...
Get Started with Cyber Security and Its Landscape Null Community Presentation...
 
Evolution of Hacking- Ronit Chakraborty .pptx
Evolution of Hacking- Ronit Chakraborty .pptxEvolution of Hacking- Ronit Chakraborty .pptx
Evolution of Hacking- Ronit Chakraborty .pptx
 
Demystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptx
Demystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptxDemystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptx
Demystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptx
 
C&C Framework- Ayan Saha.pptx
C&C Framework- Ayan Saha.pptxC&C Framework- Ayan Saha.pptx
C&C Framework- Ayan Saha.pptx
 

Recently uploaded

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 

Recently uploaded (20)

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 

The Mysterious Paradigm of Fuzzing by Rakesh Seal

  • 1. Fuzz Them All The Mysterious Paradigm of Fuzzing
  • 2. $ whoami Rakesh Seal ● R&D, Keysight (ATI Research) ● Network Security ● Embedded Systems (IoT) ● Full Stack Dev ● Automation Enthusiast ● 10+ Patent Publication ● Play DoTA 👾 rakeshseal0.github.io
  • 3. Fuzzing 101 What? ● Automated SW Testing ● Unexpected Input ● Large Input ● Feedback Loop Why? ● Vulnerability Identification ● Software Reliability ● Saves Time (Reduces Panic 😇 ) ● Compliance
  • 4. Fuzzing vs Brute Forcing Aspect Brute-Forcing (🔓) Fuzzing (🪲) Purpose To guess correct data To find vulnerabilities in software. Method Tries every possible combination systematically. Inputs random or malformed data. Target Authentication systems, encryption keys. Software applications, systems, protocols
  • 5. Types of Fuzzing BlackBox ● No Input Knowledge ● High Level Testing ● Large Target Peach Fuzzer WhiteBox GreyBox ● In Depth Knowledge ● Low Level Testing ● Specific Target KLEE, SAGE ● Limited Knowledge ● Balanced Testing ● Focused Broad Target AFL, ClusterFuzz
  • 7. Enough Talk, Show me some Action !! https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/INSTALL.md https://github.com/mykter/afl-training https://github.com/antonio-morales/Fuzzing101
  • 8. Where Do I use This Knowledge? ● web form ● API ● Authentication Webapps ❏ ZAPP ❏ WFuzz ● System Tools ● Libraries ● Firmware ● Device Drivers Binary ❏ AFL ❏ LibFuzzer Network ❏ Scapy ❏ Sulley Generic ❏ Peach ❏ Atheris ❏ go-fuzz ● TCP / IP ● L7 Protocols ● Communication ● Utility ● Scripts ● Backend Services
  • 9. Real World Applications Independent Research 03 02 Google OSS-Fuzz ● 36,000+ bugs ● CVE-2016-5172 (Chrome), ● CVE-2017-3731 (OpenSSL), ● CVE-2018-20225 (LibreOffice) 01 Microsoft SLDC ● CVE-2020-0601 (Windows CryptoAPI) ● CVE-2019-0803 (Windows) ● CVE-2018-8174 (Internet Explorer) ● Heartbleed (CVE-2014-0160) ● Shellshock (CVE-2014-6271) ● BlueKeep (CVE-2019-0708) ● Linux Kernel (CVE-2014-0196)
  • 10. RoadMap �� Fuzz Own Code Start With AFL �� Corpus, Coverage, Instrumentation �� Crash Analysis �� Other Fuzzers �� Start Hunting ��
  • 11. References 1. http://en.wikipedia.org/wiki/Fuzz_testing 2. https://pages.cs.wisc.edu/~rist/642-fall-2012/toorcon.pdf 3. https://owasp.org/www-community/Fuzzing 4. https://www.youtube.com/watch?v=COHUWuLTbdk&t=774s&ab_channel=LiveOverflow “You won’t find any bugs in code you haven’t tested”