How can I fuzz standalone applications? I can't seem to wrap my head around how a fuzzer can "feed" fuzz data to a standalone application.

Most online resources use web servers as examples. The other resources give examples like opening a file with an extremely long name. My question is: are there any tutorials on how one may fuzz a given piece of software other than sending overlong GET requests or opening files with long names? I'm mainly a web app pentester and I know that usually JavaScript limitations can be overcome by using a proxy, intercepting the request, modifying the request and sending it along its way. Is there a way to do this for binary software? What other vectors are there?

Rory Alsop
han
  • You want to do application (not web) fuzz testing and want to learn how? Fuzz testing requires an external input, and filenames tend to be the most common vector for that in applications, and web apps have multiple possible external inputs, as you know. – schroeder Mar 26 '12 at 19:24

1 Answer

If you are asking how to fuzz-test a web application, many black-box automated web pentesting tools will already perform this. Rather than sending in randomly generated inputs, they usually send in inputs that have been carefully crafted to be likely to expose certain kinds of vulnerabilities.

If you are doing fuzzing of a web application by hand, see also fuzzdb, a database of sample inputs that have been chosen to try to expose certain common vulnerabilities.

If you are looking for a tutorial on how to do pen-testing of a web application, you should probably ask that question separately. There are many, many books on the subject, and some material on this site. See, e.g., Books about Penetration Testing, Where can I find a solid BURP tutorial?, etc.

If you are looking for a tutorial on fuzzing of standalone applications, let us know. There are many tools, tutorials, and books available.

D.W.
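
An added example (not part of the original question or answer) of what the question asks about, how a fuzzer "feeds" data to a standalone program: it writes each mutated input to a file, launches the program on that file, and watches the exit status. The toy target, its `RC` file format and all function names are constructed for this illustration.

```python
import random, subprocess, sys, tempfile
from pathlib import Path

# Constructed toy target (an assumption for this example): a stand-alone
# program that parses the file named in argv[1]. It trusts the length byte.
TARGET_SRC = '''import sys
data = open(sys.argv[1], "rb").read()
if data[:2] != b"RC":
    sys.exit(2)                # bad magic: clean rejection
length, payload = data[2], data[3:]
last = payload[length - 1]     # bug: length is never checked against payload
sys.exit(0)
'''
SEED = b"RC\x04ABCD"           # constructed valid sample input

def mutate(seed, rng):
    """Return the seed with one random overwrite, truncation or insertion."""
    buf = bytearray(seed)
    op = rng.randrange(3)
    if op == 0:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        del buf[rng.randrange(1, len(buf)):]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

def run_case(data):
    """Write data to a file, start the target on it, return its exit status."""
    with tempfile.TemporaryDirectory() as d:
        target, case = Path(d, "target.py"), Path(d, "case.bin")
        target.write_text(TARGET_SRC)
        case.write_bytes(data)
        proc = subprocess.run([sys.executable, str(target), str(case)],
                              capture_output=True, timeout=30)
        return proc.returncode

def is_crash(returncode):
    # 0 = parsed, 2 = rejected cleanly. Anything else is abnormal: 1 is an
    # uncaught exception here; a native target killed by a signal shows up
    # as a negative code on POSIX.
    return returncode not in (0, 2)

def fuzz(iterations=40, rng_seed=1):
    """Run mutated inputs through the target and keep the ones that crash it."""
    rng = random.Random(rng_seed)
    cases = (mutate(SEED, rng) for _ in range(iterations))
    return [c for c in cases if is_crash(run_case(c))]
```

Calling `fuzz()` returns the inputs that crashed the target, each of which can be replayed with `run_case` to confirm the failure. The same loop works for a program that reads standard input by passing the data through `input=` in `subprocess.run` instead of a file path.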