Fuzz - 5.0 - Fuzzing targets

I have an app, but what do I fuzz?

Generally, we can try to fuzz it through every input it accepts, including the following:

  • Environment variables
  • Arguments
  • File content and file formats
  • User inputs to the app
  • Metadata
  • Delimiters
  • Weird inputs
  • Captions
  • Encoded characters
  • Network protocols

In conclusion: enumerate every input the app accepts from users, then prioritize them by how often they are used and fuzz them in that order.

Generating fuzzed data

For each input, define control cases, normal cases and edge cases before fuzzing.

Considering we have an integer input:

Normal case:

  • Value
      • 32-bit int: 0 to 2^32-1 (unsigned) or -2^31 to 2^31-1 (signed)
      • short (16-bit): 0 to 2^16-1 (unsigned) or -2^15 to 2^15-1 (signed)
      • byte (8-bit): 0 to 2^8-1 (unsigned) or -2^7 to 2^7-1 (signed)
  • Usage
      • Fuzz random values within the accepted range
      • Results should be as expected (positive results)
      • We are looking for false positives here: a valid value that the app rejects or mishandles is a bug in its own right

Control case:

  • Value
      • A few fixed values taken from the normal case
  • Usage
      • The baseline you compare every other run against when looking for strange behaviour
      • Tells you what normal output looks like, so an unaccepted value or a crash is recognizable when you see one

Edge case:

  • Value
      • 32-bit: 2^32-1, 2^32, 2^31-1, 2^31, -2^31, -2^31-1 (each boundary and the value one past it)
      • 16-bit: 2^16-1, 2^16, 2^15-1, 2^15, -2^15, -2^15-1
      • 8-bit: 2^8-1, 2^8, 2^7-1, 2^7, -2^7, -2^7-1
      • Non-integer values (empty string, 1.5, 1e3, 0x10, NaN)
      • Control characters such as \x00, \x0d, \x0a
  • Usage
      • Try to break the app from here
      • An edge case should either be rejected cleanly or crash the app; the crashes are what we are after
      • We are looking for negative results here
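To make the three integer sets concrete, here is an added example (not code from the original page) that generates them for any bit width and signedness and runs them against a constructed target, parse_port(), whose upper-bound check is deliberately off by one. The target, the fixed control values and the non-integer strings are my assumptions; the widths and the control bytes are the ones listed above.

```python
"""Normal, control and edge cases for an integer input of a given bit width.

Added example for this page, not the original author's code. It assumes the
target takes the integer as a decimal string; parse_port() is a constructed
target with a deliberate off-by-one in its upper-bound check.
"""
import random
from typing import Callable, Dict, List, Tuple


def int_range(bits: int, signed: bool) -> Tuple[int, int]:
    """Inclusive (lo, hi) of the accepted range: 0..2^bits-1 or -2^(bits-1)..2^(bits-1)-1."""
    if signed:
        return -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    return 0, (1 << bits) - 1


def normal_cases(bits: int, signed: bool, n: int = 8, seed: int = 0) -> List[str]:
    """Random values strictly inside the range; the app must handle all of these."""
    lo, hi = int_range(bits, signed)
    rng = random.Random(seed)  # seeded so a crash can be reproduced from the seed
    return [str(rng.randint(lo + 1, hi - 1)) for _ in range(n)]


def control_cases(bits: int, signed: bool) -> List[str]:
    """A few fixed values from the normal set: the baseline everything else is compared with."""
    lo, hi = int_range(bits, signed)
    return [str(v) for v in (0, 1, lo // 2, hi // 2)]


def edge_cases(bits: int, signed: bool) -> List[str]:
    """Both boundaries and their neighbours, the other signedness's boundaries,
    and the non-integer / control-byte values from the list above."""
    lo, hi = int_range(bits, signed)
    alt_lo, alt_hi = int_range(bits, not signed)
    numeric = {lo - 1, lo, lo + 1, hi - 1, hi, hi + 1, alt_lo, alt_hi, alt_hi + 1, -1}
    cases = [str(v) for v in sorted(numeric)]
    cases += ["", " ", "+", "-", "1.5", "1e3", "0x10", "NaN", " 1", "1 "]
    cases += ["\x00", "1\x00", "\x0d", "\x0a", "1\r\n", "9" * 40]
    return cases


def run_cases(target: Callable[[str], int], cases: List[str]) -> Dict[str, Tuple[str, object]]:
    """Feed each case to the target; record ("ok", value) or ("exception", type name)."""
    results = {}
    for case in cases:
        try:
            results[case] = ("ok", target(case))
        except Exception as exc:            # any exception class is an outcome class
            results[case] = ("exception", type(exc).__name__)
    return results


def suspicious(target, controls: List[str], cases: List[str]) -> Dict[str, Tuple[str, object]]:
    """Cases whose outcome class never occurs for the controls, plus cases the target
    accepted but mapped to a value other than the one that was sent."""
    control_kinds = {kind for kind, _ in run_cases(target, controls).values()}
    hits = {}
    for case, (kind, detail) in run_cases(target, cases).items():
        if kind not in control_kinds:
            hits[case] = (kind, detail)
        elif kind == "ok" and case.strip().lstrip("+-").isdigit() and detail != int(case):
            hits[case] = ("mismatch", detail)
    return hits


def parse_port(s: str) -> int:
    """Constructed target: a 16-bit port parser whose upper-bound check is off by one,
    so 65536 is accepted and silently wraps to 0 when packed into 16 bits."""
    value = int(s)
    if value < 0 or value > 1 << 16:       # should be  >= 1 << 16
        raise ValueError("port out of range")
    return value & 0xFFFF


if __name__ == "__main__":
    for case, result in suspicious(parse_port, control_cases(16, False), edge_cases(16, False)).items():
        print(repr(case), result)
```

Comparing outcome classes against the controls flags every rejection (negative values, non-integers, control bytes); the silent wrap of 65536 to 0 only shows up because an accepted value is also compared with what was sent. That is the reason to keep the control run around rather than only watching for crashes.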

Considering we have a string input:

Normal case:

  • 0 to 255 characters

Control case:

  • A few cases from the normal case

Edge case:

  • null (a null/None value rather than a string) and the empty string
  • \x00, \x0d, \x0a, on their own and embedded in an otherwise normal string
  • "A"*256, one past the limit
  • while True: send("A"*n); n += 1, until it blows
      • the classic buffer overflow
  • Submit it with the case changed
  • Do not submit it at all
  • Submit it twice or three times
  • Submit multibyte characters (UTF-16 surrogate pairs, non-ASCII UTF-8): a length check that counts characters rather than bytes lets them through

Considering we have a delimiter input:

Normal case:

  • !@#$%^&*() or whatever delimiter the app expects

Control case:

  • A few cases from the normal case

Edge case:

  • Repeat the expected delimiter
      • Example: by submitting extra ":" characters we may be able to poison an /etc/passwd style record, like root:::::::::password; the extra delimiters shift every field after them, so a parser that trusts the field count reads an empty password field
  • Null byte, as the raw byte and as its hex escape
  • Again, \x00, \x0d, \x0a
  • "A"*256
  • Integers and floating-point numbers where the delimiter is expected
  • Do not submit it at all
  • Submit it twice or three times
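The string and delimiter cases above, plus the "send more A's until it blows" loop, as one added example (not code from the original page). The targets are constructed stand-ins: store_name() emulates strcpy() into a fixed buffer of MAX_NAME bytes, validated_store() puts a character-counting length check in front of it (the bug the multibyte case is there to find), and parse_passwd_line() / parse_passwd_line_strict() parse the colon-separated record from the /etc/passwd example. The buffer size, the record layout and the sample strings are my assumptions.

```python
"""String and delimiter fuzz cases, plus the "grow it until it blows" length ramp.

Added example for this page, not the original author's code. The targets are
constructed stand-ins: store_name() emulates strcpy() into a char[MAX_NAME],
validated_store() puts a character-counting length check in front of it, and
parse_passwd_line() / parse_passwd_line_strict() parse a colon-separated record.
"""
from typing import Callable, Dict, List, Optional, Tuple

MAX_NAME = 256  # assumed buffer size of the constructed target, in bytes including the NUL


def outcome(fn: Callable, arg) -> Tuple[str, object]:
    """Run fn(arg) and classify it: ("ok", result) or ("exception", exception type name)."""
    try:
        return ("ok", fn(arg))
    except Exception as exc:
        return ("exception", type(exc).__name__)


def string_cases(max_len: int = 255) -> Dict[str, List[str]]:
    """Normal, control and edge sets for a free-text field, following the lists above."""
    normal = ["alice", "bob smith", "a" * max_len]
    edge = [
        "",                                    # submitted, but empty
        "\x00", "\x0d", "\x0a", "al\x00ice",   # control bytes, on their own and embedded
        "A" * (max_len + 1),                   # one past the documented limit
        "ALICE",                               # case changed
        "\u00e9" * 200,                        # 200 characters but 400 bytes in UTF-8
        "\U0001F600",                          # outside the BMP: a surrogate pair in UTF-16
    ]
    return {"normal": normal, "control": normal[:2], "edge": edge}


def delimiter_cases(delim: str = ":", fields: int = 7) -> List[str]:
    """Edge cases for a delimiter-separated record such as an /etc/passwd line."""
    good = delim.join(["root", "x", "0", "0", "root", "/root", "/bin/bash"])
    return [
        good,                                        # the control record
        good + delim,                                # one extra trailing delimiter
        "root" + delim * (fields + 2) + "password",  # repeated delimiters shift every field
        delim * (fields - 1),                        # the right count, every field empty
        good.replace(delim, ";"),                    # the delimiter not submitted at all
        good.replace(delim, delim + "\x00", 1),      # NUL byte right after a delimiter
        delim.join(str(i) for i in range(fields)),   # numbers where text is expected
        good + "\n" + good,                          # the record submitted twice
    ]


def store_name(name: str) -> bytes:
    """Constructed target emulating strcpy() into char[MAX_NAME]: the NUL has to fit too."""
    data = name.encode("utf-8") + b"\x00"
    if len(data) > MAX_NAME:
        raise OverflowError(f"{len(data)} bytes written into a {MAX_NAME}-byte buffer")
    return data


def validated_store(name: str) -> bytes:
    """A length check that counts characters, not bytes; multibyte input walks past it."""
    if len(name) > MAX_NAME - 1:
        raise ValueError("name too long")
    return store_name(name)


def ramp_until_blows(send: Callable[[str], object], limit: int = 1 << 20) -> Optional[int]:
    """The while-True-send("A"*n) loop: double n until send() raises, then bisect
    to the smallest failing length. Returns None if limit is reached without a failure."""
    def blows(n: int) -> bool:
        return outcome(send, "A" * n)[0] == "exception"

    n = 1
    while not blows(n):
        if n >= limit:
            return None
        n = min(n * 2, limit)
    lo, hi = n // 2, n                     # lo passed (or is 0), hi failed
    while hi - lo > 1:
        mid = (lo + hi) // 2
        lo, hi = (lo, mid) if blows(mid) else (mid, hi)
    return hi


def parse_passwd_line(line: str) -> Dict[str, str]:
    """Naive parser: splits on ':' and trusts whatever field count it gets."""
    f = line.rstrip("\n").split(":")
    return {"user": f[0], "hash": f[1], "shell": f[-1]}


def parse_passwd_line_strict(line: str) -> Dict[str, str]:
    """Same record, but control characters, a wrong field count and an empty user are rejected."""
    body = line.rstrip("\n")
    if "\x00" in body or "\n" in body:
        raise ValueError("control character in record")
    f = body.split(":")
    if len(f) != 7 or not f[0]:
        raise ValueError(f"malformed record: {len(f)} fields")
    return {"user": f[0], "hash": f[1], "shell": f[6]}
```

ramp_until_blows(store_name) lands on 256, the first length whose trailing NUL no longer fits; the same ramp against validated_store() stops at a clean ValueError, which is where the multibyte case earns its place: 200 copies of "\u00e9" pass the character count and still overflow the buffer. The naive passwd parser turns root:::::::::password into a record with an empty hash and "password" as the shell, while the strict one rejects it along with the NUL, the doubled record and the all-empty line.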

Conclusion

The key is trying to make your app crash.

If you find anything different from the control case, take some time to look at it.