
Here Comes the (Web) Fuzz

Black Hat researcher says fuzzing Web applications is the next big thing, will release free tool

Feb 26, 2007 | 05:30 AM

By Kelly Jackson Higgins
DarkReading

Fuzzing has traditionally been a popular tool for hackers searching for network-based vulnerabilities -- but not so much for Web applications. That soon could change, however, according to a Black Hat researcher who says fuzzing is even better suited for finding flaws in Web applications.

Michael Sutton, security evangelist for SPI Dynamics, this week at the Black Hat DC briefings in Arlington, Va., will release a free homegrown Web fuzzing tool that he developed, called Web Fuzz. Fuzzers are automated testing tools that feed malformed or unexpected input to an application, in the form of a request, a packet or a file, and watch for crashes, errors or other signs of a vulnerability.

Fuzzing is a natural fit for Web app developers, Sutton says, for two reasons: the process can be highly automated, and Web apps accept user input in very structured ways (query-string parameters, form fields, cookies and headers) that a fuzzer can enumerate and mutate one at a time.

Today's Web technology makes it especially simple to develop Web apps. That means less technically sophisticated users are building these apps, too. "It would never be realistic that my Web developers would do reverse-engineering to find vulnerabilities. But it would be realistic for them to use a tool they are comfortable with like fuzzing during the development process," says Sutton, who will discuss Web app fuzzing in his "Smashing Web Apps: Applying Fuzzing to Web Applications and Web Services" session at Black Hat.

"The beauty of fuzzing is its simplicity," he says.

Web applications have become the prime target for vulnerability hunters: about half of all vulnerabilities reported today are in Web apps, Sutton says. Cross-site scripting (XSS), SQL injection and PHP file inclusion, all Web-related flaws, were the top three vulnerability types in CVE for 2006, Sutton notes. And because Web apps take user input through such standardized channels, a fuzzer can exploit that structure, he says. (See Cross-Site Scripting: Attackers' New Favorite Flaw.)

"Web apps are very well-geared for fuzzing."
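The mechanics described above, as an added illustration written for this page (it is not Sutton's Web Fuzz tool nor any SPI Dynamics code): a minimal Python fuzzer that walks a page's named query parameters, substitutes a handful of probe strings into each one in turn while holding the others at a known-good value, and scans every response for indicators of a flaw (a 5xx status, a leaked database error message, or the probe's marker reflected unescaped into the HTML). The target is a constructed, deliberately weak WSGI application run in-process, so the example needs no network. The parameter names, payload list, indicator patterns and the `fz7q` marker are all assumptions chosen for the example, not a real corpus.

```python
"""Minimal Web-application fuzzer (added example; not Sutton's Web Fuzz tool).

Shows the property the article relies on: a Web app takes input through
named parameters, so a fuzzer can walk them mechanically, swap in probe
strings, and scan each response for indicators of a flaw. The target is a
constructed, deliberately weak WSGI app run in-process, so nothing here
touches the network. Payloads and indicator patterns are illustrative.
"""
import html
import re
import sqlite3
from io import BytesIO
from urllib.parse import parse_qs, urlencode, urlsplit

# ---- constructed target: one SQL injection, one reflected XSS, one safe param

def toy_app(environ, start_response):
    """Hypothetical vulnerable app. 'q' is concatenated into SQL, 'msg' is
    echoed without escaping, 'lang' is escaped properly (the control case)."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    q = params.get("q", [""])[0]
    msg = params.get("msg", [""])[0]
    lang = params.get("lang", ["en"])[0]
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", [("widget",), ("gadget",)])
    try:
        rows = conn.execute(
            "SELECT name FROM products WHERE name LIKE '%" + q + "%'").fetchall()
    except sqlite3.Error as exc:  # leaks the driver's message, as many apps do
        start_response("500 Internal Server Error", [("Content-Type", "text/html")])
        return [("<h1>Database error</h1><pre>sqlite3 error: %s</pre>"
                 % html.escape(str(exc))).encode()]
    items = "".join("<li>%s</li>" % html.escape(r[0]) for r in rows)
    body = "<p>%s</p><p>lang=%s</p><ul>%s</ul>" % (msg, html.escape(lang), items)
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body.encode()]


def wsgi_get(app, url):
    """Issue a GET to a WSGI app in-process; returns (status_code, body_text)."""
    parts = urlsplit(url)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = int(status.split()[0])

    environ = {
        "REQUEST_METHOD": "GET", "PATH_INFO": parts.path or "/",
        "QUERY_STRING": parts.query, "SERVER_NAME": parts.hostname or "localhost",
        "SERVER_PORT": "80", "wsgi.url_scheme": "http", "wsgi.input": BytesIO(b""),
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode("utf-8", "replace")


# ---- the fuzzer

MARKER = "fz7q"  # assumed unique token so a reflection is recognisable
PAYLOADS = [
    "'",                      # breaks SQL string quoting
    "' OR '1'='1",            # classic boolean tautology
    "<%s>\"'" % MARKER,       # tag plus quote characters, tests output encoding
    "A" * 4096,               # oversized value, looks for length-handling bugs
]
SQL_ERROR = re.compile(
    r"sqlite3 error|SQL syntax|ORA-\d{5}|unterminated quoted string|unrecognized token",
    re.IGNORECASE)


def classify(payload, status, body):
    """Map one response to a list of indicator labels (empty list = nothing seen)."""
    findings = []
    if status >= 500:
        findings.append("server-error")
    if SQL_ERROR.search(body):
        findings.append("sql-error-message")
    if MARKER in payload and "<%s>" % MARKER in body:
        findings.append("reflected-unescaped")
    return findings


def fuzz_url(app, base_url, baseline):
    """For each parameter in `baseline`, substitute every payload while holding the
    other parameters at their baseline values. Returns {param: set(indicators)}."""
    parts = urlsplit(base_url)
    results = {}
    for name in baseline:
        hits = set()
        for payload in PAYLOADS:
            params = dict(baseline, **{name: payload})
            status, body = wsgi_get(app, parts._replace(query=urlencode(params)).geturl())
            hits.update(classify(payload, status, body))
        results[name] = hits
    return results


if __name__ == "__main__":
    report = fuzz_url(toy_app, "http://localhost/search",
                      {"q": "widget", "msg": "hello", "lang": "en"})
    for param, hits in report.items():
        print("%-5s %s" % (param, ", ".join(sorted(hits)) or "clean"))
```

Against the toy target, `q` trips both the server-error and SQL-error-message indicators, `msg` reflects the marker unescaped, and `lang` comes back clean, which is exactly the parameter-by-parameter verdict a developer would want before a release. Note what the indicators do not catch: the tautology payload on `q` succeeds silently (the page just returns every row), so a blind or boolean-based injection needs differential analysis of response content, not a single-response check. That is the kind of limitation Sutton refers to below.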

But fuzzing won't solve Web application security troubles. "It's not a silver bullet. It has its limitations," Sutton says. "It's not going to find that complex vulnerability or that multi-stage attack."

It will make things easier on Web developers, however, who don't necessarily have vendors to fall back on when bugs arise in their apps. "You're totally on your own. You created the app, you created the vulnerability, and it's your responsibility to create the fix for it," Sutton says. "In the best case, you find it, and the worst case, someone else finds it externally... There's no global notification system [for these bugs]."

With a fuzzer, a Web developer could test the application before it goes live. "It used to be that you'd assemble the security team, and that was OK with network layer vulnerabilities, because they could find them and were empowered to fix them." A security team could put a firewall rule or IDS signature in front of a buffer overflow in a server and mitigate it without touching the code, Sutton says.

"But in the Web app world, the security team isn't empowered to fix the holes. They can't just block off traffic. The only way to fix it is at the development side," he says. "And if we don't involve developers, they are going to make the same [security] mistakes over and over again."

It's the easy stuff that fuzzers can pinpoint, Sutton says. He calls it the "FUGGLE" phenomenon: Fuzzing Using Google Gets Low-Hanging Fruit Easily. "The power of fuzzing with Google is you can Google for sites that are going to be vulnerable to attack. Then you make a request for them using Google fuzzing to see if they could find indicators of what vulnerabilities" are there, he says.

Sutton says a combination of search engine queries and basic Web page requests can identify previously unknown vulnerabilities, so it would also be simple for phishers and spammers to use the same techniques to find their targets.

Meanwhile, Sutton says his Web Fuzz tool is not related to SPI Dynamics' commercial scanner, WebInspect, which has fuzzing built in. OWASP also offers a free fuzzer, WSFuzzer, he notes. Aside from SPI Dynamics, Beyond Security and Mu Security are among the vendors that sell commercial fuzzing tools, he says. Researcher HD Moore also offers his AxMan ActiveX fuzzing tool for free. (See Free Fuzzing Tool Launched.)

— Kelly Jackson Higgins, Senior Editor, Dark Reading
