2/26/2007 05:30 AM
Here Comes the (Web) Fuzz

Black Hat researcher says fuzzing Web applications is the next big thing, will release free tool

Fuzzing has traditionally been a popular tool for hackers searching for network-based vulnerabilities -- but not so much for Web applications. That soon could change, however, according to a Black Hat researcher who says fuzzing is even better suited for finding flaws in Web applications.

Michael Sutton, security evangelist for SPI Dynamics, will release a free Web fuzzing tool of his own, called Web Fuzz, this week at the Black Hat DC briefings in Arlington, Va. Fuzzers are automated brute-force testing tools that send random or unexpected input, in the form of a request or packet, to detect vulnerabilities in applications.

Because the fuzzing process can be highly automated, it is a perfect fit for Web app developers, Sutton says, and Web apps accept user input in very structured ways.

Today's Web technology makes it especially simple to develop Web apps. That means fewer technical users are building these apps, too. "It would never be realistic that my Web developers would do reverse-engineering to find vulnerabilities. But it would be realistic for them to use a tool they are comfortable with like fuzzing during the development process," says Sutton, who will discuss Web app fuzzing in his "Smashing Web Apps: Applying Fuzzing to Web Applications and Web Services" session at Black Hat.

"The beauty of fuzzing is its simplicity," he says.

Web applications are wearing a big bull's eye lately for vulnerabilities -- about half of all vulnerabilities reported today are Web app-based ones, Sutton says. XSS, SQL injection, and PHP file include (all Web-related attacks) were CVE's top three attack methods for 2006, Sutton notes. And because Web apps have very standardized ways of accepting user input, you can exploit that structure for fuzzing purposes, he says. (See Cross-Site Scripting: Attackers' New Favorite Flaw.)

"Web apps are very well-geared for fuzzing."
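To make concrete what the article describes, the following is an added illustration of a Web parameter fuzzer, written for this page and not taken from Sutton's Web Fuzz tool or from SPI Dynamics. It takes advantage of the structured input shape the article points to (a query string of named parameters), swaps each parameter in turn for a small corpus of unexpected values, and flags responses that show the indicators a developer would want to catch before going live: server errors, error text leaking into the page, or HTML metacharacters echoed back unescaped. The target is a constructed in-process handler that deliberately mishandles two of its inputs so the fuzzer has something to find; the `MUTATIONS` corpus, `toy_handler`, and all names here are assumptions for the example.

```python
"""Added illustration of parameter fuzzing against a Web request handler.
The handler is a constructed toy, not code from any real application; the
fuzzer is not Web Fuzz or WebInspect."""
import html
import re
import urllib.parse

# Constructed corpus of "unexpected input" shapes: (label, payload).
MUTATIONS = [
    ("empty", ""),
    ("long", "A" * 5000),
    ("quote", "'"),
    ("angle", "<zz>"),
    ("null", "\x00"),
    ("neg", "-1"),
    ("fmt", "%s%n"),
]

# Response text that suggests an error leaked into the page.
ERROR_PATTERNS = [
    re.compile(r"syntax error", re.I),
    re.compile(r"traceback", re.I),
    re.compile(r"unclosed quotation", re.I),
]


def params_from_query(query_string):
    """Parse 'a=1&b=2' into a flat dict: the structured input the article
    says makes Web apps well suited to fuzzing."""
    parsed = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def toy_handler(params):
    """Constructed target: returns (status, body) for a parameter dict.
    It mishandles 'name' (echoed unescaped), 'page' (error text in a 200
    response) and 'q' (server error on a stray quote) on purpose."""
    name = params.get("name", "")
    page = params.get("page", "0")
    q = params.get("q", "")
    if "'" in q:
        return 500, "Database error: unclosed quotation mark in query"
    try:
        page_no = int(page)
    except ValueError:
        # Some frameworks render the exception into a 200 page.
        return 200, "Traceback (most recent call last): ValueError"
    if page_no < 0:
        return 400, "bad page"
    return 200, "Hello " + name + " page " + str(page_no)


def classify(status, body, payload):
    """Return a finding reason for one response, or None if it looks benign."""
    if status >= 500:
        return "server error"
    if any(p.search(body) for p in ERROR_PATTERNS):
        return "error text in body"
    # Payload with HTML metacharacters came back verbatim: unescaped output.
    if payload and payload in body and html.escape(payload) != payload:
        return "unescaped reflection"
    return None


def fuzz_params(handler, base_params):
    """Mutate one parameter at a time, holding the others at baseline, and
    collect findings as (param, label, status, reason)."""
    findings = []
    for param in base_params:
        for label, payload in MUTATIONS:
            params = dict(base_params)
            params[param] = payload
            status, body = handler(params)
            reason = classify(status, body, payload)
            if reason:
                findings.append((param, label, status, reason))
    return findings


def findings_by_param(findings):
    """Summarise findings as {param: set(reasons)} for a quick triage view."""
    summary = {}
    for param, _label, _status, reason in findings:
        summary.setdefault(param, set()).add(reason)
    return summary


if __name__ == "__main__":
    base = params_from_query("name=alice&page=1&q=shoes")
    for finding in fuzz_params(toy_handler, base):
        print(finding)
```

Running the fuzzer against the toy handler reports three distinct problems, one per parameter, which is the kind of low-hanging fruit the article says a developer can catch with a tool like this; a real run would point `fuzz_params` at an HTTP client wrapper instead of the in-process handler and extend the corpus, while the same three indicators remain the first things worth checking in each response.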

But fuzzing won't solve Web application security troubles. "It's not a silver bullet. It has its limitations," Sutton says. "It's not going to find that complex vulnerability or that multi-stage attack."

It will make things easier on Web developers, however, who don't necessarily have vendors to fall back on when bugs arise in their apps. "You're totally on your own. You created the app, you created the vulnerability, and it's your responsibility to create the fix for it," Sutton says. "In the best case, you find it, and the worst case, someone else finds it externally... There's no global notification system [for these bugs]."

With a fuzzer, a Web services developer could then easily test her Web app before it goes live. "It used to be that you'd assemble the security team, and that was OK with network layer vulnerabilities, because they could find them and were empowered to fix them." You could throw up a firewall or IDS to plug a buffer overflow in an app, Sutton says.

"But in the Web app world, the security team isn't empowered to fix the holes. They can't just block off traffic. The only way to fix it is at the development side," he says. "And if we don't involve developers, they are going to make the same [security] mistakes over and over again."

It's the easy stuff that fuzzers can pinpoint, Sutton says. He calls it the "FUGGLE" phenomenon: Fuzzing Using Google Gets Low-Hanging Fruit Easily. "The power of fuzzing with Google is you can Google for sites that are going to be vulnerable to attack. Then you make a request for them using Google fuzzing to see if they could find indicators of what vulnerabilities" are there, he says.

Sutton says a combination of search engine queries and basic Web page requests can identify previously unknown vulnerabilities, so it would also be simple for phishers and spammers to use the same techniques to find their targets.

Meanwhile, Sutton says his Web Fuzz tool is not related to his company's testing tool that comes with built-in fuzzing, SPI Dynamics' WebInspect. OWASP also offers a free fuzzer, WSFuzzer, he notes. Aside from SPI Dynamics, Beyond Security and Mu Security are some other vendors who sell commercial fuzzing tools, he says. Researcher HD Moore also offers his AxMan ActiveX fuzzing tool for free. (See Free Fuzzing Tool Launched.)

— Kelly Jackson Higgins, Senior Editor, Dark Reading

    Adobe Acrobat and Reader versions, 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .