
Fuzz Testing


What is meant by Fuzz Testing?

It may be seen as a form of security and black-box testing in which a tester tries to break into the system with the help of random data values, i.e. fuzz. In this methodology, coding errors and security vulnerabilities are generally explored by feeding random, invalid or unexpected input data to the system or software application. It may be seen as an automated or semi-automated process in which significant defects, mainly security gaps, crashes, potential memory leaks, etc., are revealed so that they can be fixed.

The basic objective of fuzz testing is to bang the system with a large quantity of corrupted data to produce errors and defects that are waiting to be discovered, so that they may be corrected accordingly.

Strategy to follow

The basic approach to performing fuzz testing on a software product involves the following activities:

  • Identifying the target system.
  • Identifying the inputs.
  • Generating fuzz data.
  • Execution using fuzz data.
  • Observing the behaviour of the system.
  • Logging defects.

Further, it may be performed either manually or by making use of automated tools. However, automation is preferable for effective results.

Techniques

This type of testing may be carried out using any of the following methods:

  • Mutation-based fuzzers: These alter existing, available input data to generate new test data.
  • Generation-based fuzzers: In this technique, new test data is designed and prepared based on a model of the inputs.
  • Protocol-based fuzzers: An efficient technique in which new test data is designed and prepared based on knowledge of the protocol format to be tested. It generally involves writing the specification in an array form into the tool and thereafter, based on the specification, adding distortions or flaws to the input data, pattern, series, etc.
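
The activities listed under "Strategy to follow", carried out with a mutation-based fuzzer, are shown in the following added example, which is not part of the original article. The target parse_record, its record format, the planted length bug and the seed inputs are all constructed for illustration.

```python
import random
import struct

def parse_record(data: bytes) -> dict:
    """Constructed target: tag (1 byte), length (2 bytes, big-endian), payload, checksum (1 byte)."""
    if len(data) < 4:
        raise ValueError("record too short")      # clean, documented rejection
    tag, length = struct.unpack(">BH", data[:3])
    payload = data[3:3 + length]
    checksum = data[3 + length]                   # planted bug: length field is trusted
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return {"tag": tag, "payload": payload}

def make_record(tag: int, payload: bytes) -> bytes:
    return struct.pack(">BH", tag, len(payload)) + payload + bytes([sum(payload) % 256])

SEEDS = [make_record(1, b"hello"), make_record(2, b"")]   # constructed valid inputs

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Mutation-based generation: apply 1-4 random edits to a valid input."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        if not buf:
            break
        pos, op = rng.randrange(len(buf)), rng.randrange(3)
        if op == 0:
            buf[pos] ^= 1 << rng.randrange(8)                 # flip one bit
        elif op == 1:
            buf[pos] = rng.choice((0x00, 0x7F, 0x80, 0xFF))   # boundary byte
        else:
            del buf[pos:]                                     # truncate
    return bytes(buf)

def fuzz(target, seeds, iterations=2000, rng_seed=1) -> dict:
    """Execute the target on fuzz data, observe the outcome, log one input per defect type."""
    rng = random.Random(rng_seed)                 # fixed seed keeps findings reproducible
    defects = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except ValueError:
            continue                              # expected: input was rejected cleanly
        except Exception as exc:                  # anything else is a defect
            defects.setdefault(type(exc).__name__, case)
    return defects

if __name__ == "__main__":
    for name, case in fuzz(parse_record, SEEDS).items():
        print(f"{name}: reproducer {case.hex()}")
```

Separating the parser's expected rejection (ValueError) from every other exception is what turns raw crashes into loggable defects, and keeping the offending input gives the developer a reproducer.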

Types of defects explored by fuzz testing

This testing technique is useful in discovering the following types of defects:

  • Assertion Failures or Memory Leaks: Bugs or defects that hamper the safety of the memory.
  • Invalid Input: Defects that arise from invalid inputs and relate to the "error handling" feature of the software product.
  • Correctness Bugs: These may include a corrupted database, poor search results, etc.

Advantages

  • Enhances the job of security testing.
  • Explores severe defects that remain invisible and could not be found even by test cases designed and prepared by an expert tester.
  • Ensures the coverage of all possible negative scenarios for the software product.

Disadvantages

  • Absence of proper planning, along with the non-availability of specific exit criteria.
  • Requires a significant amount of time for its effective execution.
  • On its own, it cannot cover all possible security vulnerabilities and defects present in the software product.

Tools

Some of the popular tools available in the market for carrying out fuzz testing are listed below:

  • Peach Fuzzing Platform
  • Radamsa - a flock of fuzzers
  • Microsoft SDL MiniFuzz File Fuzzer
  • Untidy - XML Fuzzer
  • Microsoft SDL Regex Fuzzer
  • ABNF Fuzzer
  • The fuzzing mailing list
  • WebScarab
  • OWASP WSFuzzer