Fuzzing is a fairly recent term for what pen testers (and testers in general) have been doing for years – feeding invalid data to a program, web page, etc. and seeing what happens.

When you wrote your first C program that had to take command line arguments – did you ever mash on the keyboard and see what happens? You were fuzzing even if you didn’t know it at the time. The old Christmas tree packet in networking was a sort of fuzzing.

Fuzzing can get kinda boring though, so there are several tools that will help you with it. They work on various kinds of inputs – some are for networks, some are for web pages, some are for the HTTP protocol, etc. You can generally find a fuzzing tool that will help you out. It will (generally) randomly select text or numbers that fit a designated format. For example – you tell it that you want strings that have at least 1000 characters, and that you want to send them to this particular URL. It’ll fire up, start making random selections and give you the results to look at. Some of the tools are also smart enough that you can tell them what an acceptable response is, and when to notify you.

Fuzzers can take down systems, if only because of a DoS that you didn’t expect and anticipate. If the developers aren’t very good, a fuzzer can also segfault the target. Also be aware of the network bandwidth you may be consuming: it’s usually all text, but if you’re sending a lot of it, it adds up.
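
The loop described above (random inputs that fit a format, a definition of an acceptable response, and a cap on how much gets sent), as an added example that is not from the original post. `toy_target`, its planted bug, and every parameter name are constructed for illustration; `toy_target` stands in for the program or URL under test.

```python
import random
import string

def make_input(rng, min_len=1000, max_len=1200):
    """Random printable string fitting the designated format (>= min_len chars)."""
    length = rng.randint(min_len, max_len)
    return "".join(rng.choice(string.printable) for _ in range(length))

def toy_target(data):
    """Constructed stand-in for the program or URL under test.

    Returns an HTTP-like status code and contains one planted defect.
    """
    if len(data) > 4096:
        return 413                      # input rejected cleanly
    if "%" in data[:64]:                # planted bug: unhandled character
        raise ValueError("unhandled format character")
    return 200

def fuzz(target, runs=200, acceptable=(200, 413), byte_budget=500_000, seed=1):
    """Send random inputs to target; return (findings, characters_sent).

    A finding is anything outside the acceptable responses: an unexpected
    status or an unhandled exception (the in-process analogue of a crash).
    """
    rng = random.Random(seed)           # fixed seed so a finding can be replayed
    findings, sent = [], 0
    for run in range(runs):
        data = make_input(rng)
        if sent + len(data) > byte_budget:
            break                       # stop before exceeding the traffic cap
        sent += len(data)
        try:
            status = target(data)
        except Exception as exc:
            findings.append((run, "crash: " + type(exc).__name__, data[:40]))
            continue
        if status not in acceptable:
            findings.append((run, "status %d" % status, data[:40]))
    return findings, sent

if __name__ == "__main__":
    findings, sent = fuzz(toy_target)
    print("sent %d characters, %d findings" % (sent, len(findings)))
    for run, reason, sample in findings[:3]:
        print(run, reason, repr(sample))
```

The fixed seed makes every run reproducible, so a finding's run number is enough to regenerate the exact input that triggered it.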