Here Comes the (Web) Fuzz

Black Hat researcher says fuzzing Web applications is the next big thing, will release free tool

Fuzzing has traditionally been a popular tool for hackers searching for network-based vulnerabilities -- but not so much for Web applications. That soon could change, however, according to a Black Hat researcher who says fuzzing is even better suited for finding flaws in Web applications.

Michael Sutton, security evangelist for SPI Dynamics, this week at the Black Hat DC briefings in Arlington, Va., will release a free homegrown Web fuzzing tool that he developed, called Web Fuzz. Fuzzers are basically automated brute-force testing tools that send random or unexpected input in the form of a request or packet in order to detect vulnerabilities in applications.

Fuzzing is a good fit for Web app developers because the process can be highly automated, Sutton says, and because Web apps have very structured ways of accepting user input.

Today's Web technology makes it especially simple to develop Web apps. That means fewer technical users are building these apps, too. "It would never be realistic that my Web developers would do reverse-engineering to find vulnerabilities. But it would be realistic for them to use a tool they are comfortable with like fuzzing during the development process," says Sutton, who will discuss Web app fuzzing in his "Smashing Web Apps: Applying Fuzzing to Web Applications and Web Services" session at Black Hat.

"The beauty of fuzzing is its simplicity," he says.

Web applications are wearing a big bull's eye lately for vulnerabilities -- about half of all vulnerabilities reported today are Web app-based ones, Sutton says. XSS, SQL injection, and PHP file include (all Web-related attacks) were the CVE's top three attack methods for 2006, Sutton notes. And because Web apps have very standardized ways of accepting user input, that structure can be put to use for fuzzing, he says. (See Cross-Site Scripting: Attackers' New Favorite Flaw.)
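To make the "structured input" point concrete, here is a small added example of a Web-app fuzzer in Python. It is constructed for this article and is not Sutton's Web Fuzz tool or any SPI Dynamics code. It assumes an in-process stand-in for a Web app (two hypothetical handler functions, `vulnerable_handler` and `hardened_handler`, operating on an in-memory SQLite table) so it runs offline; the payload list and the two response indicators it checks (a leaked database or server error, and a probe string echoed back unescaped) are also constructed for the example. Parameter names are taken from a sample request URL, which is the "very structured" part of Web input the article refers to.

```python
"""Toy Web-app fuzzer (constructed example, not SPI Dynamics' Web Fuzz).

Named query parameters tell the fuzzer exactly what to mutate. Each
parameter gets a set of unexpected values; every response is checked for
two cheap indicators: a database or server error (possible SQL injection)
and the probe string coming back unescaped (possible reflected XSS).
"""
import html
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# --- constructed stand-in for a live Web app (hypothetical handlers) --------
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE users (id INTEGER, name TEXT)")
_DB.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")


def vulnerable_handler(params):
    """Builds SQL by string concatenation and echoes input unescaped."""
    name = params.get("name", "")
    try:
        rows = _DB.execute(
            f"SELECT id FROM users WHERE name = '{name}'").fetchall()
    except sqlite3.Error as exc:  # leaks the database error to the client
        return 500, f"<h1>Error</h1><pre>sqlite3.Error: {exc}</pre>"
    return 200, f"<p>Results for {name}: {len(rows)}</p>"


def hardened_handler(params):
    """Same feature with a parameterised query and output encoding."""
    name = params.get("name", "")
    rows = _DB.execute(
        "SELECT id FROM users WHERE name = ?", (name,)).fetchall()
    return 200, f"<p>Results for {html.escape(name)}: {len(rows)}</p>"


# --- the fuzzer -------------------------------------------------------------
MARKER = "<fuzz-marker>"  # a probe string unlikely to occur naturally in a page
PAYLOADS = [  # constructed payload set
    "alice",                # baseline value that should succeed
    "a" * 2000,             # oversized value
    "'", '"', "%27",        # quote characters, raw and URL-encoded
    "-1",                   # out-of-range number
    MARKER, '">' + MARKER,  # reflection probes
]
SQL_ERROR_RE = re.compile(
    r"sqlite3\.|syntax error|SQL syntax|unrecognized token|ORA-\d{5}", re.I)


def param_names_from_url(url):
    """The structured input: parameter names pulled from a sample request."""
    return list(parse_qs(urlsplit(url).query, keep_blank_values=True))


def fuzz(handler, param_names, payloads=PAYLOADS):
    """Send every payload to every parameter; return (param, payload, indicator)."""
    findings = []
    for param in param_names:
        for payload in payloads:
            try:
                status, body = handler({param: payload})
            except Exception as exc:  # an unhandled exception is itself a finding
                findings.append((param, payload, f"crash: {type(exc).__name__}"))
                continue
            if MARKER in payload and payload in body:
                findings.append((param, payload, "reflected-unescaped"))
            if status >= 500 or SQL_ERROR_RE.search(body):
                findings.append((param, payload, "server-or-sql-error"))
    return findings


def indicators(findings):
    """Distinct indicator classes seen, for a quick summary."""
    return sorted({ind for _, _, ind in findings})


if __name__ == "__main__":
    names = param_names_from_url("/search?name=alice&page=1")
    for label, handler in (("vulnerable", vulnerable_handler),
                           ("hardened", hardened_handler)):
        found = fuzz(handler, names)
        print(f"{label}: {len(found)} finding(s) {indicators(found)}")
        for param, payload, ind in found:
            print(f"  {param}={payload[:20]!r}: {ind}")
```

Run against the concatenating handler, the fuzzer reports the single-quote payload (the database error reaches the client) and both probe strings (echoed unescaped); against the parameterised, output-encoded handler it reports nothing. That matches the article's framing: the harness is cheap enough for a developer to run during development, and it finds the obvious input-handling mistakes, not the multi-stage flaws Sutton says fuzzing will miss.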

"Web apps are very well-geared for fuzzing."

But fuzzing won't solve Web application security troubles. "It's not a silver bullet. It has its limitations," Sutton says. "It's not going to find that complex vulnerability or that multi-stage attack."

It will make things easier on Web developers, however, who don't necessarily have vendors to fall back on when bugs arise in their apps. "You're totally on your own. You created the app, you created the vulnerability, and it's your responsibility to create the fix for it," Sutton says. "In the best case, you find it, and the worst case, someone else finds it externally... There's no global notification system [for these bugs]."

With a fuzzer, a Web services developer could then easily test her Web app before it goes live. "It used to be that you'd assemble the security team, and that was OK with network layer vulnerabilities, because they could find them and were empowered to fix them." You could throw up a firewall or IDS to plug a buffer overflow in an app, Sutton says.

"But in the Web app world, the security team isn't empowered to fix the holes. They can't just block off traffic. The only way to fix it is at the development side," he says. "And if we don't involve developers, they are going to make the same [security] mistakes over and over again."

It's the easy stuff that fuzzers can pinpoint, Sutton says. He calls it the "FUGGLE" phenomenon: Fuzzing Using Google Gets Low-Hanging Fruit Easily. "The power of fuzzing with Google is you can Google for sites that are going to be vulnerable to attack. Then you make a request for them using Google fuzzing to see if they could find indicators of what vulnerabilities" are there, he says.

Sutton says a combination of search engine queries and basic Web page requests can identify previously unknown vulnerabilities, so it would also be simple for phishers and spammers to use the same techniques to find their targets.

Meanwhile, Sutton says his Web Fuzz tool is not related to his company's commercial testing tool, SPI Dynamics' WebInspect, which comes with built-in fuzzing. OWASP also offers a free fuzzer, WSFuzzer, he notes. Aside from SPI Dynamics, Beyond Security and Mu Security are some other vendors who sell commercial fuzzing tools, he says. Researcher HD Moore also offers his AxMan ActiveX fuzzing tool for free. (See Free Fuzzing Tool Launched.)

— Kelly Jackson Higgins, Senior Editor, Dark Reading
