Book description
Fuzzing is often described as a “black box” software testing technique. It works by automatically feeding a program multiple input iterations in an attempt to trigger an internal error indicative of a bug, and potentially crash it. Such program errors and crashes are indicative of the existence of a security vulnerability, which can later be researched and fixed. Fuzz testing is now making a transition from a hacker-grown tool to a commercial-grade product. There are many different types of applications that can be fuzzed, many different ways they can be fuzzed, and a variety of different problems that can be uncovered. There are also problems that arise during fuzzing; when is enough enough? These issues and many others are fully explored.
- Fuzzing is a fast-growing field with increasing commercial interest (7 vendors unveiled fuzzing products last year).
- Vendors today are looking for solutions to the ever-increasing threat of vulnerabilities. Fuzzing looks for these vulnerabilities automatically, before they are known, and eliminates them before release.
- Software developers face an increasing demand to produce secure applications, and they are looking for any information to help them do that.
Table of contents
- Copyright
- Contributing Authors
- 1. Introduction to Vulnerability Research
- 2. Fuzzing—What’s That?
- 3. Building a Fuzzing Environment
- 4. Open Source Fuzzing Tools
  - Introduction
  - Frameworks
    - Peach Fuzzer—http://peachfuzz.sourceforge.net/
    - (L)ibrary (E)xploit API – lxapi—http://lxapi.sourceforge.net/
    - Autodafe—http://autodafe.sourceforge.net/
    - RIOT and faultmon—http://media.wiley.com/product_ancillary/83/07645446/DOWNLOAD/Source_Files.zip
    - Scratch—http://packetstormsecurity.org/UNIX/misc/scratch.rar
    - antiparser—http://antiparser.sourceforge.net/
    - dfuz—www.genexx.org/dfuz/
  - Special-Purpose Tools
    - fuzz—http://pages.cs.wisc.edu/~bart/fuzz/fuzz.html
    - SPIKE Proxy—www.immunitysec.com/resources-freesoftware.shtml (Web applications)
    - AxMan—www.metasploit.com/users/hdm/tools/axman/ (ActiveX)
    - Mangle—http://lcamtuf.coredump.cx/ - HTML file fuzzer
    - screamingCobra—http://samy.pl/scobra/README.txt (Web applications)
    - WebFuzzer—http://gunzip.altervista.org/g.php?f=projects#webfuzzer (Web applications)
    - ip6sic—http://ip6sic.sourceforge.net/
    - BlueTooth Stack Smasher (BSS)—www.secuobs.com/news/05022006-bluetooth10.shtml
    - Radius Fuzzer—www.suse.de/~thomas/projects/radius-fuzzer/
    - COMRaider—http://labs.idefense.com/software/fuzzing.php
    - fuzzball2—www.nologin.net/main.pl?action=codeView&codeId=54&
  - General-Purpose Tools
    - TAOF—www.theartoffuzzing.com/joomla/index.php?option=com_content&task=view&id=16&Itemid=35
    - SPIKE—www.immunitysec.com/resources-freesoftware.shtml
    - FileFuzz—http://labs.idefense.com/software/fuzzing.php
    - SPIKEFile—http://labs.idefense.com/software/fuzzing.php
    - notSPIKEFile—http://labs.idefense.com/software/fuzzing.php
    - eFuzz—http://packetstormsecurity.org/Win2k/efuzz01.zip
    - Blackops Fuzzing Tools—www.blackops.cn/tools/
- 5. Commercial Fuzzing Solutions
- 6. Build Your Own Fuzzer
  - Hold Your Horses
  - Fuzzer Building Blocks
    - One or More Valid Data Sets
    - Understanding What Each Byte in the Data Set Means
    - Change the Values of the Data Sets While Maintaining the Integrity of the Data Being Sent
    - Recreate the Same Malformed Data Set Time and Time Again
    - An Arsenal of Malformed Values, or the Ability to Create a Variety of Malformed Outputs
    - Maintain a Form of a State Machine
    - Summarize
  - Down to Business
  - Simplest Fuzz Testing Find Issues
- 7. Integration of Fuzzing in the Development Cycle
  - Introduction
  - Why Is Fuzzing Important to Include in a Software Development Cycle?
  - Setting Expectations for Fuzzers in a Software Development Lifecycle
  - Setting the Plan for Implementing Fuzzers into a Software Development Lifecycle
  - Understanding How to Increase Effectiveness of Fuzzers, and Avoiding Any Big Gotchas
  - Summary
  - Solutions Fast Track
    - Why Is Fuzzing Important to Include in a Software Development Cycle?
    - Setting Expectations for Fuzzers in a Software Development Lifecycle
    - Setting the Plan for Implementing Fuzzers into a Software Development Lifecycle
    - Understanding How to Increase Effectiveness of Fuzzers, and Avoiding any Big Gotchas
  - Frequently Asked Questions
- 8. Standardization and Certification
  - Fuzzing and the Corporate Environment
  - Software Security Testing, the Challenges
  - Testing for Security
- 9. What Is a File?
- 10. Code Coverage and Fuzzing
Product information
- Title: Open Source Fuzzing Tools
- Author(s):
- Release date: April 2011
- Publisher(s): Syngress
- ISBN: 9780080555614