I have an app, but what to fuzz
Generally, we can try to fuzz it via each input it accepts, including the following:
- Env variables
- Arguments
- File content, formats
- User app inputs
- Metadata
- Delimiters
- Weird inputs
- Captions
- Encoding chars
- Network protocols
In conclusion, enumerate all inputs accepted from users and prioritize them by usage frequency when deciding what to fuzz.
Generating fuzzed data
For each input, define control cases, normal cases & edge cases before fuzzing.
Considering we have an integer input:
Normal case:
- Value:
  - 32 bit int: 0 to 2^32-1 or -2^31 to 2^31-1
  - short: 0 to 2^16-1 or -2^15 to 2^15-1
  - byte: 0 to 2^8-1 or -2^7 to 2^7-1
- Usage: fuzz random values within the accepted range. The app should behave as expected and give positive results. We are looking for false positives here.
Control case:
- Value: a few cases from the normal case
- Usage: used for comparison when you see strange behavior. It lets you know what is an unaccepted value and what is a crashable value.
Edge case:
- Value:
  - 2^32-1 or -2^31 or 2^31-1 or 2^32
  - 2^16-1 or -2^15 or 2^15-1 or 2^16
  - 2^8-1 or 2^7 or 2^7-1 or 2^8 or 2^7-2
  - non-int values
  - weird charset like \x00, \x0d, \x0a, etc.
- Usage: try to break the app from here. It should crash on edge cases or behave as it is. We are looking for negative results here.
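As an added example (not code from the original post), the integer scheme above in Python: a normal/control/edge case generator per bit width, and a small harness that reports only edge-case outcomes the control run never produced. `parse_byte` is a constructed stand-in target with a planted missing upper-bound check, so the run shows the difference between an unaccepted value (clean ValueError) and a crashable one (IndexError).

```python
import random

# Added example, not from the original post; parse_byte is a constructed target.

def int_range(bits, signed):
    """Accepted range: 0 to 2^bits-1, or -2^(bits-1) to 2^(bits-1)-1 if signed."""
    if signed:
        return -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    return 0, (1 << bits) - 1

def normal_cases(bits, signed, count=8, seed=1):
    """Random values inside the accepted range; the app should handle them all."""
    lo, hi = int_range(bits, signed)
    rng = random.Random(seed)
    return [rng.randint(lo, hi) for _ in range(count)]

def control_cases(bits, signed):
    """A few known-good values: the baseline that 'strange behaviour' is judged against."""
    lo, hi = int_range(bits, signed)
    return [lo, (lo + hi) // 2, hi]

def edge_cases(bits, signed):
    """Boundaries, one past them, the 2^(bits-1) sign boundary, and non-int junk."""
    lo, hi = int_range(bits, signed)
    half = 1 << (bits - 1)
    ints = sorted({lo, hi, lo - 1, hi + 1, 1 << bits, half, half - 1, -half})
    weird = ["\x00", "\x0d", "\x0a", "", "abc", "1.5", "1e10", "0x10"]
    return [str(v) for v in ints] + weird

def parse_byte(s):
    """Constructed target: only the lower bound is checked, so 256 slips through."""
    table = list(range(256))
    v = int(s)
    if v < 0:
        raise ValueError("negative")
    return table[v]  # IndexError once v >= 256: the planted bug

def run_case(app, value):
    """Outcome of one input: ('ok', result) or ('error', ExceptionName)."""
    try:
        return ("ok", app(value))
    except Exception as exc:
        return ("error", type(exc).__name__)

def fuzz_int(app, bits, signed):
    """Edge cases whose outcome kind never appeared in the control run."""
    seen = {run_case(app, str(v))[0] for v in control_cases(bits, signed)}
    return {c: out for c in edge_cases(bits, signed)
            if (out := run_case(app, c))[0] not in seen}
```

Calling `fuzz_int(parse_byte, 8, signed=False)` returns the -128, -1 and junk inputs as ValueError (unaccepted) and "256" as IndexError (crashable), while 0, 127, 128 and 255 match the control run and are not reported.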
Considering we have a string input:
Normal case:
- 0 to 255 chars
Control case:
- a few cases from the normal case
Edge case:
- null, \x00, \x0d, \x0a
- "A"*256
- while True: send("A"*loopcount) until it blows up
- by submitting it with the case changed
- by not submitting it
- by submitting it twice or three times
- by submitting a utf-16 char
Considering we have a delimiter input:
Normal case:
- !@#$%^&*() or whatever is expected
Control case:
- a few cases from the normal case
Edge case:
- repeat the requested delimiters; example: by submitting an extra ":" we may be able to poison the /etc/passwd table like this: root:::::::::password
- null byte or null hex again: \x00, \x0d, \x0a
- "A"*256
- int, floating number
- by not submitting it
- by submitting it twice or three times
Conclusion
The key is trying to make your app crash.
If you find anything different from the control case, you should take some time to look at it.