In my training sessions for QA, developers, and project managers I always love to take this up, as this is where QA people can discover security flaws and developers can eradicate them.

What is Fuzzing?

Fuzzing is sending a large volume of malformed or malicious inputs to an application in order to make it crash or misbehave. A crash is a form of verbosity: the application reveals something about its internals, and that disclosure can be a vulnerability which in turn can lead to a full-fledged exploit.

Usually the fuzzing process is applied to executables and binaries such as ELF and PE files, but as part of our penetration testing process and methodology we also include fuzzing of web applications and APIs, to make sure a thorough security assessment is done and no stone is left unturned.

A simple methodology for QA:

Let us look into what methodology should be followed in order to conduct fuzzing against Web Applications and APIs.

  • Understand the functionality
  • Collect the entry points
  • Have the right word-list and payloads
  • Use Burp Suite Intruder
  • Set the right timeout limit
  • Set the number of threads
  • Set a payload processor if required
  • Set a response pattern match

Analyzing the results:

Most likely you will not see any change in the response, but if you do, you are lucky: you may have found a crash or something really interesting. How will you know whether there is a crash or an interesting finding?

  • Check the response length
  • Check the status code
  • Check the response headers
  • Analyze even minor changes
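The four checks above, as an added Python example (not code from the original post) that triages Intruder-style results against a baseline response. The sample responses and the error patterns are constructed for illustration, not captured traffic:

```python
import re
from dataclasses import dataclass, field

@dataclass
class Resp:
    """One Intruder-style result row: a label for what was sent and what came back."""
    label: str
    status: int
    length: int
    headers: dict = field(default_factory=dict)
    body: str = ""

# Constructed sample data (not captured traffic): a baseline response to a benign
# value, and four responses to fuzzed values of the same parameter.
BASE_HDRS = {"Content-Type": "text/html", "Server": "nginx"}
BASELINE = Resp("baseline", 200, 1240, BASE_HDRS, "<h1>Profile: alice</h1>")
FUZZ = [
    Resp("long-string", 200, 6240, BASE_HDRS, "<h1>Profile: " + "A" * 5000 + "</h1>"),
    Resp("null-byte", 500, 310, BASE_HDRS, "Internal Server Error"),
    Resp("other-user", 200, 1238, BASE_HDRS, "<h1>Profile: bob</h1>"),
    Resp("debug-header", 200, 1240, {**BASE_HDRS, "X-Debug": "1"}, "<h1>Profile: x</h1>"),
]

# Response-pattern matches (assumed list): strings a healthy page should never contain.
ERROR_PATTERNS = [r"Internal Server Error", r"Traceback", r"Exception", r"syntax error"]

def analyze(baseline, responses, length_tolerance=0.05, patterns=ERROR_PATTERNS):
    """Compare each fuzz response with the baseline; return {label: [reasons]}
    for every response that differs in status, length, header set or body."""
    findings = {}
    for r in responses:
        reasons = []
        if r.status != baseline.status:
            reasons.append(f"status {baseline.status} -> {r.status}")
        # Small length differences (e.g. a different name echoed back) are ignored
        # by the tolerance; everything beyond it is worth a manual look.
        if abs(r.length - baseline.length) > baseline.length * length_tolerance:
            reasons.append(f"length {baseline.length} -> {r.length}")
        added = sorted(set(r.headers) - set(baseline.headers))
        removed = sorted(set(baseline.headers) - set(r.headers))
        if added or removed:
            reasons.append(f"headers added={added} removed={removed}")
        for pat in patterns:
            if re.search(pat, r.body, re.IGNORECASE):
                reasons.append(f"body matches /{pat}/")
        if reasons:
            findings[r.label] = reasons
    return findings

if __name__ == "__main__":
    for label, reasons in analyze(BASELINE, FUZZ).items():
        print(label, "->", "; ".join(reasons))
```

Lower `length_tolerance` (or set it to 0) when you want the "analyze even minor changes" rule applied strictly.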

What do you get?

Recently, using fuzzing, we were able to discover 106 findings, including 12 critical and high-risk vulnerabilities, in a single shot, which was record-breaking among all of our penetration testing projects to date.

Some payloads that you can use and that are really helpful are available at SecLists and Payloads All The Things.


Want to know more about it? Let's get connected on LinkedIn. Happy hacking!