Why fuzzing tools should be part of your security toolkit

Fuzzing is a software security testing technique that automatically provides invalid and random input to an application to expose bugs. The goal of fuzzing is to stress the application to cause unexpected behavior, crashes, or resource leaks. It allows us, as developers, to understand the behavior and vulnerability of applications more comprehensively. We use fuzzing tools, referred to as fuzzers, to perform this kind of testing. A fuzzer is an application that produces randomized inputs directed at the target software.

Fuzzing is a term created in the 1980s by Professor Barton Miller while he investigated what was causing his UNIX system to fail. He had his students bombard his Unix system with automatically generated data to understand better what was causing the failure.

How to improve security with fuzzing tools

To understand how fuzzing tools improve security, let’s explore the benefits of fuzzing, discuss some use cases for fuzzing, and review an example of how fuzzing would work in a real-world test. 

Benefits of fuzzing

Fuzzing offers us a wide range of benefits, including those listed below:

• Fuzz testing our application’s security early on helps prevent zero-day exploits where hackers rely on unidentified vulnerabilities. Fuzzing’s multidimensional approach helps identify bugs that hackers can exploit that we would otherwise not easily detect. Such bugs include missing data encryption, broken algorithms, and lack of input validation, among others.

• It has a low overhead cost in time and money because it doesn’t require human intervention once it's up and running.

• A fuzzer can help identify edge cases that manual testing would be unable to uncover.

• In addition to identifying the problem, it also gives a detailed report of how a hacker could exploit a vulnerability.

Fuzzing use cases

You can fuzz test separate individual application components. Outlined below are some fuzzing use cases.

Web application fuzzing

Web application fuzzing exposes bugs that could make our web apps vulnerable to common attacks such as SQL injection (https://learn.snyk.io/lessons/sql-injection/javascript/) and cross-site request forgery (CSRF) (https://learn.snyk.io/lessons/csrf-attack/javascript/). When fuzzing our web applications, the test feeds the endpoints with randomized data, which reveals bugs within the app. Fixing the flagged bugs increases an application's security posture. For instance, fuzzing can help you identify the pages where you need to add front-end input validation to make the server side more secure.

API fuzzing

API fuzzing exposes database access vulnerabilities. Some of those vulnerabilities include password exposures and a lack of parameter validation. API fuzzing allows us to control better how the API interacts with the backend servers. We can, for instance, use it to test if a payment API validates credit card numbers and authorization signatures correctly.

URL fuzzing

We can use URL fuzzing to discover hidden files and directories on a web server. It exposes files and directories that we should have hidden but is publicly accessible. This helps secure the files and directories on the web server from unauthorized access. URL fuzzing can help prevent the exposure of sensitive information, such as database credentials and query formats, which a hacker can use to create forged requests in a CSRF attack.

Protocol fuzzing

Protocol fuzzing works by sending forged packets to an application to find bugs in its implementation. For instance, if a fuzzer knows the length of a message, it can increase it to see how the application handles such a request.

File format fuzzing

File format fuzzing is a simple and direct process. It works by mutating a legitimate file sample and opening the mutated versions in the target application to cause a crash. File format fuzzing exposes bugs that can cause a system to crash by highlighting areas where we can add more control to the types of files an application can open, which increases the security and stability of an application. This can be used to prevent crashes in applications that require uploading and opening scanned documents in specified formats such as JPEG, PNG, and PDF.

Limitations of fuzz testing tools

Although fuzz testing tools are relatively effective, they have a few shortcomings:

• Using fuzz testing tools alone cannot guarantee comprehensive security for an application.

• They aren’t very effective at detecting threats that aren’t those that cause application crashes.

• It takes them quite a lot of time to complete a testing exercise.

• They can’t identify complex faults and threats.

Fuzzing versus Snyk vulnerability scanners

Fuzzing is essential for improving an application's security posture, but it’s not fully effective on its own. This is because it can only find bugs associated with applications’ endpoints.

To fuzzy test an application, we must configure the fuzzer and give it enough time to complete the fuzzing process. The time this takes slows down the development process and increases the time to market for new applications.

However, that's not enough in today’s world of continuous development and continuous delivery (CI/CD). You must monitor your application for vulnerabilities right from the code writing stage. Snyk continuously scans for vulnerabilities in your code, the Git pull requests, and containers. You can also add it to a CI/CD pipeline to ensure continuous vulnerability scanning throughout an application’s lifecycle.

Another feature of Snyk’s vulnerability scanners is its actionable fix advice. This allows you to fix some flagged implementations in just a few clicks.

An example of fuzzing

To understand how, when, and why we’d use fuzzing, let’s consider the following example.

Let’s say we’ve just launched an online meal delivery service that can be found at HealthyTastyMeals.com. During the development process, we’ve tested every feature several times and asked friends and colleagues to try using the app to test its usability.

However, all the tests we’ve performed are focused on making requests and inputting values that follow the expected format. So how do we prepare for the unexpected?

If we want to understand how our website will behave when bombarded with unexpected inputs, we need to fuzz test it. Since our website uses REST APIs, we can use the fuzzing tool RESTler. This is an open source fuzzing tool for REST APIs.

We’ll run RESTler in “Fuzz” mode because we only have a few endpoints, and it’s easy to execute. The test will execute on each of our web app endpoints to find bugs. The test will feed these endpoints with different parameter combinations and request sequences.

Each time a bug is found, RESTler will print out an overview of the type of bug found on the console.

Some of the vulnerabilities our test might reveal include those listed below.

Insecure parameter combinations

REST APIs carry different parameters, such as request URIs, request methods, and query parameters. These parameters can take different combinations that need testing to avoid erroneous program states. Fuzzing can help us identify insecure parameter combinations, which we can remediate by adding validation for all query parameters and limiting the parameters required to only what’s necessary.

Query parameters that lack a validation mechanism

Adding strong input validation on the client and server sides increases an application’s security posture. A fuzzing tool like RESTler would allow us to identify this issue in our application. We can remediate this security concern by adding strong input validation on the client and server sides. Validation on the client side will prevent the server from overloading invalid data. Server-side validation ensures that the server is only processing valid requests. Rectifying this issue helps mitigate the risk of a denial of service (DoS) attack.

Unprotected passwords

RESTler also flags password parameters lacking hashing. We can resolve this by using a hashing algorithm. Some of the available algorithms include bcrypt and PBKDF2, among others. Rectifying this vulnerability makes it hard for hackers to take over a system. That’s because even if they gain access to the system, they still wouldn’t be able to access the passwords.

Our top 5 fuzzing tools

There are many open source fuzzing tools available on the market. Below are five free, effective fuzzing tools that we can easily use to make our applications more secure.

1. OSS-Fuzz

OSS-Fuzz is an open source fuzzing tool developed by Google. It combines modern fuzzing techniques with scalable, distributed execution. Google created it to make open source software secure and stable. OSS-Fuzz works by continuously fuzzing the target program.

2. ClusterFuzz

ClusterFuzz is an open source, scalable infrastructure that exposes security vulnerabilities and stability issues. Google uses it to check for bugs in their Chrome browser. Unlike OSS-Fuzz, ClusterFuzz can work with any application, not just open source ones. It’s highly scalable and can run on a cluster of any size.

3. go-fuzz

go-fuzz is an open source fuzzer for testing Golang Packages. It focuses on packages with complex inputs, which are an attractive target for malicious attackers. This is an essential tool for those who want to harden the security of input parsing Go programs. Unlike the two fuzzers above, go-fuzz only works with Go packages.

4. Peach Fuzzer

Peach Fuzzer is a tool PeachTech developed, which GitLab later acquired. This tool is highly configurable and efficient for those who want customized tests. Unlike go-fuzz, we can configure this solution to work with any language. However, PeachTech no longer supports or updates this tool.

5. ffuf

ffuf is a free, fast web fuzzer written in Go. It’s a powerful solution that can rigorously test an application using unknown POST and GET requests. As developers, we interact with this tool using the command line because it has no interface.

Your security toolkit

Fuzzing is a software testing technique that involves feeding an application with invalid random inputs to expose bugs. When faced with unexpected inputs, it helps us understand an application’s or API’s behavior. There are many open source fuzzing tools built for specific test scenarios that are available to us. Fuzzers have a low overhead cost in time and money; they don’t just identify problems but also give a detailed report of how a hacker can exploit a vulnerability.

A properly executed fuzz test can help improve an application’s security posture by exposing vulnerabilities we can’t easily detect. Fuzzing can help uncover bugs, such as missing data encryption, broken algorithms, and lack of input validation. It can help identify problems that manual testing wouldn’t be able to find.

A fuzzer’s abilities help us prevent zero-day exploits where hackers rely on unidentified vulnerabilities. The results from fuzzing help mitigate security attacks such as CSRF, injection attacks, and denial of service (DOS), among others.