Morioh
Login
Wiley Mayer

Wiley Mayer

3 years ago

I was recently looking through some of Google’s open source repositories on their GitHub. And I saw that they had a repository for continuous fuzzing. I had no idea what fuzzing even was, let alone continuous fuzzing.

So What is Fuzzing?

Fuzzing (sometimes called fuzz testing) is a way to automatically test software. Generally, the fuzzer provides lots of invalid or random inputs into the program. The test tries to cause crashes, errors, memory leaks, and so on.

Normally, fuzzing works best on programs that take inputs, like websites that might ask for your name and age as an input.

We could try all sort of different strings to try and cause issues, maybe something like: “Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗” (this crashed iOS in the past), “Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟”, “😍” or “undefined”.

The whole idea behind fuzzing is to try and find edge cases in a codebase. You use it to make sure that all the parsing you do, acceptance of the data, storing of the data, and reading the data causes no bugs.

It’s quite an integrated test, too, as you can test the complete flow of storing something like a zero-width space (U+200B in Unicode) in your site to check for issues.

Some people try to inject code into the input fields (this is a part of fuzzing referred to as code injection) like <script>alert(123)</script> as a name input.

Malicious hackers don’t want you to test non-standard input, as you might have application breaking bugs – and they can utilise this to steal data or repeatedly crash your application/servers.

Have a look at this GitHub called the Big List of Naughty Strings. It is a list of strings that have a high probability of causing issues.

You can have a look at some of the .json and .txt files to see what has caused issues in the past, and read some of the comments to learn exactly why they are problematic.

For example, there are some strings that are written upside-down “uʍopǝpᴉsd∩” which you can do here. There are strings that may be flagged as profanity or inappropriate but are actually innocent (this is called the Scunthorpe problem). Or even strings that can reveal system files if they are parsed by a poorly configured XML parser.

#testing #fuzzing #developer

What is Fuzzing? Fuzz Testing Explained with Examples

freecodecamp.org

What is Fuzzing? Fuzz Testing Explained with Examples

What is Fuzzing? Fuzzing (sometimes called fuzz testing) is a way to automatically test software. Generally, the fuzzer provides lots of invalid or random inputs into the program. The test tries to cause crashes, errors, memory leaks, and so on.

2.10 GEEK