"Attackers have long exploited the fact that even subtle variations in protocols can cause compromise or failure of networked devices," says David Newman, president of Benchmarking Consultancy Network Test. "Fuzzing technology helps level the playing field, giving implementers a chance to subject their systems to millions of variations in traffic patterns before the bad guys get a chance to." Seeing the importance in early detection of security holes, we have chosen Fuzzing to be our topic of the month.
How do you test against security threats you don't know exist?
For unknown threats, an alternative such as fuzz testing needs to be employed. Fuzz testing passes random data through network protocols, API calls, and file streams, virtually anywhere applications and devices receive input.
One of the goals is to determine whether any of this random input can crash or hang an application, bring down a website or put a device in a compromised state. Another goal of fuzz testing is to prevent zero-day attacks. These attacks derive their name from the fact that they take place before the related vulnerability is known – on “day zero” of awareness. Malicious hackers could exploit a new vulnerability they find before your normal testing uncovers it.
Think Like a Hacker
Hackers are good at finding vulnerabilities. Why? Because they expend the effort needed to expose them. They know that traditional functional testing on your software has likely been completed. However, they also know that millions of permutations of invalid random input may not have been tested. All it takes is one random string of input to cause a crash or hang. Moreover, it is easy for them to throw garbage input at your network. But since you are now thinking like a hacker, you can do the same – in controlled conditions – with fuzz testing.
Hackers target and exploit many different attack vectors such as:
· Web Browsers (HTTP)
· Email Attachments (popular applications, movie files, graphic files, executables)
· Network Protocols (vulnerabilities in FTP, DHCP, RSYNC, NTP)
· VoIP and IPTV protocols
How does it work?
In its simplest form, fuzz testing sends a random sequence, either as command line options or via protocol packets that have been randomly malformed, to the target being tested. As such, fuzz testing can start out manually. But automation is required in order to get sufficient test coverage. Fuzz testing tools can generate millions of variations or mutations in traffic patterns on the attack vector being tested. These tools apply "fuzzing" to the chosen test pattern and can literally test millions of permutations, making your network much more secure, while keeping your test team efficient.
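
The loop described above, as an added example that is not part of the original article: a small mutation fuzzer run in-process against a parser you own. The record format, `parse_records`, its `checked` flag and the seed input are all hypothetical, constructed for this illustration.

```python
import random

class ParseError(ValueError):
    """Clean rejection of malformed input: the outcome a robust parser should give."""

def parse_records(data: bytes, checked: bool = False) -> list:
    """Hypothetical target: a stream of [type][length][value][checksum] records."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ParseError("truncated header")
        rtype, length = data[pos], data[pos + 1]
        end = pos + 2 + length  # index of the checksum byte
        if checked and end >= len(data):  # hardened path: validate the length field
            raise ParseError("length field exceeds input")
        value, checksum = data[pos + 2:end], data[end]  # unchecked path: IndexError
        if checksum != sum(value) % 256:
            raise ParseError("bad checksum")
        records.append((rtype, value))
        pos = end + 1
    return records

def record(rtype: int, value: bytes) -> bytes:
    return bytes([rtype, len(value)]) + value + bytes([sum(value) % 256])
SEED = record(1, b"hello") + record(2, b"fuzz")  # constructed valid sample input

def mutate(seed: bytes, rng: random.Random) -> bytes:  # 1-3 random mutations
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        i = rng.randrange(len(buf))
        op = rng.choice(("flip", "insert", "truncate"))
        if op == "flip":
            buf[i] ^= 1 << rng.randrange(8)
        elif op == "insert":
            buf.insert(i, rng.randrange(256))
        else:
            del buf[i + 1:]  # keeps at least one byte
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    rng, findings = random.Random(rng_seed), {}  # one reproducer per exception type
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ParseError:
            pass  # expected: bad input rejected cleanly
        except Exception as exc:
            findings.setdefault(type(exc).__name__, case)
    return findings
```

Fixing the RNG seed makes every finding reproducible, and storing the first failing input per exception type gives a ready-made regression case once the parser is fixed.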
Stay Ahead with Fuzz Testing
Fuzz testing does not replace traditional white box or black box quality processes, but rather complements them. Add fuzz testing to your test arsenal to stay a day ahead of the hackers and their zero-day attacks.