
I'm trying to fuzz an application to make sure it is secure. The app does not have any UI and needs to be run via the cmdline:

app.exe myfile.xml

Also myfile.xml looks like this:

<Sample>
<FileLocations tmp_root="PathOfExeFile">
    <Directory path="DirOfExeFile">
        <File id="1" name="filenameonly" hash="filehash" msi_key="filenameonly" remove="1" />
    </Directory>
</FileLocations>
</Sample> 

My question is: should I fuzz the file only (and basically try to pass random arguments to it), or should I always pass the same XML file (that I fuzz/edit beforehand)?

Anders
  • Are you asking us to guess if those approaches make a difference? Maybe. If you try to fuzz, try fuzzing the argument handling as well. – Tobi Nary May 16 '16 at 11:46
  • OK, makes sense, thanks. Any approach/tool you would recommend? – user2567674 May 16 '16 at 12:01
  • Since the application uses XML it would make more sense to test attacks against the XML parser (like XXE, Billion Laughs attack, ...), not randomly fuzzing a filename argument. – Maximilian Gerhardt May 16 '16 at 12:47

1 Answer


Since the time usable for fuzzing is limited, it is best to first fuzz the parts which are likely to process possibly dangerous input. I don't know the exact use case for the tool, but I find it more likely that the XML files used as input can be controlled by an attacker than that the attacker can control the command line. Thus I would suggest you care about the XML first, and if you then still have time you can fuzz the command line too.

Apart from that I would suggest trying more intelligent fuzzing instead of random input. Have a look at American Fuzzy Lop.

Steffen Ullrich
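As an added example (not code from the question, the answer, or any tool named on the page) of fuzzing the XML input first, as the answer recommends: a small mutation harness that writes each mutated copy of the sample file, runs the target on it, and keeps only signal deaths, fatal Windows exit codes and hangs as findings, since a clean non-zero exit just means the input was rejected. DEMO_TARGET is a hypothetical stand-in parser so the harness runs without app.exe; the boundary values and repeat counts in mutate() are assumptions.

```python
from __future__ import annotations
import os, random, re, subprocess, sys, tempfile
from collections import namedtuple

# Seed case constructed from the sample XML in the question.
SEED_XML = (b'<Sample>\n<FileLocations tmp_root="PathOfExeFile">\n'
            b'    <Directory path="DirOfExeFile">\n'
            b'        <File id="1" name="filenameonly" hash="filehash" '
            b'msi_key="filenameonly" remove="1" />\n'
            b'    </Directory>\n</FileLocations>\n</Sample>\n')
# Hypothetical stand-in target so the harness runs without app.exe: a Python
# one-liner that only parses the file. For the real tool pass ["app.exe"].
DEMO_TARGET = [sys.executable, "-c",
               "import sys, xml.etree.ElementTree as ET; ET.parse(sys.argv[1])"]
ATTR_RE = re.compile(rb'="([^"]*)"')
FILE_RE = re.compile(rb'<File [^>]*/>')
Result = namedtuple("Result", "returncode crashed case")  # returncode None = hang

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Return one mutated copy of seed; every strategy changes at least one byte."""
    strategy = rng.randrange(3)
    if strategy == 1:  # structure-aware: swap one attribute value for a boundary value
        m = rng.choice(list(ATTR_RE.finditer(seed)))
        new = rng.choice([b"", b"A" * 4096, b"-1", b"99999999999999999999"])
        return seed[:m.start(1)] + new + seed[m.end(1):]
    if strategy == 2 and (m := FILE_RE.search(seed)):  # structure-aware: repeat <File/>
        return seed[:m.end()] + m.group(0) * rng.choice([2, 64, 1024]) + seed[m.end():]
    i = rng.randrange(len(seed))  # fallback: flip bits in one byte
    return seed[:i] + bytes([seed[i] ^ rng.randrange(1, 256)]) + seed[i + 1:]

def run_case(cmd: list[str], data: bytes, timeout: float = 10.0) -> Result:
    """Write data to a temp file, run `cmd <file>`, and classify the outcome."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    try:
        rc = subprocess.run(cmd + [path], capture_output=True, timeout=timeout).returncode
        # Death by signal on POSIX (rc < 0) or a fatal NTSTATUS exit on Windows (e.g.
        # 0xC0000005) is a crash; any other non-zero exit is the target rejecting input.
        return Result(rc, rc < 0 or rc >= 0xC0000000, data)
    except subprocess.TimeoutExpired:
        return Result(None, True, data)  # a hang is a finding too
    finally:
        os.unlink(path)

def fuzz(cmd: list[str], seed: bytes, iterations: int, rng_seed: int = 0) -> list[Result]:
    """Run single-mutation cases against cmd and return only the crashes and hangs."""
    rng = random.Random(rng_seed)
    return [r for r in (run_case(cmd, mutate(seed, rng)) for _ in range(iterations)) if r.crashed]
```

Each returned Result carries the exact input bytes that triggered it, so a finding can be replayed against the target by hand before being reported.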