Fuzzing, also known as fault injection, is a dynamic testing method used to identify vulnerabilities in applications by feeding the application a range of random or malformed input data and recording any failures and crashes that result. Fuzzing can trigger buffer overflows and expose memory leaks or other bugs in an app.
Fuzzing can be done manually, but because it involves sending large volumes of unusual input over and over, it's usually best left to automated tools. These tools are called fuzzers and can target many different types of input in many different types of apps. They can enter unusual characters in text fields; activate buttons in unusual or unexpected patterns or frequencies; inject faulty scripts into web forms; and more. Fuzzers can be a very effective part of a pen tester's app exploitation arsenal. However, it's important to note that they are most useful for finding simple bugs and are rarely able to find complex glitches in an app's execution. Still, sometimes all it takes is a simple bug to create a security issue with a large impact.
Some examples of fuzzers include Peach Fuzzer, w3af, skipfish, and Simple Fuzzer (sfuzz). Simple Fuzzer uses a configuration file that describes the input to be sent to an app, and you can modify this configuration file as you see fit. For example, you might create a text file called fuzz.cfg that contains uncommon Unicode characters:
sequence=Ω≈ç√∫˜µ≤≥÷åß∂ƒ©˙∆˚¬…æœ∑´®†¥¨ˆøπ
maxseqlen=1000
endcfg
FUZZ
--
Then you can direct Simple Fuzzer to read this file and send 1,000 bytes' worth of this input to an app listening on a TCP socket:
sfuzz -T -f fuzz.cfg -S 127.0.0.1 -p 9999
Give all methods upper and lower bounds to combat fuzzing.
Each calling function must check the return value of nonvoid functions, and each called function must check the validity of all parameters provided by the caller.
Do not use dynamic memory allocation after initialization.
Declare all data objects at the smallest possible level of scope.
The use of the preprocessor must be limited to the inclusion of header files and simple macro definitions.
Limit pointer use to a single dereference, and do not use function pointers.
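As an added example (not part of the original text and not Simple Fuzzer's own code), the Python below reconstructs what the fuzz.cfg above describes: it parses the directive/template layout, builds test cases of growing byte length, and drives them into two stand-in targets, one that trusts its input and one that applies the upper bound and parameter validation the rules above call for. The directive semantics, the 100-byte length stepping and the 512-byte limit are assumptions; sfuzz's exact generation strategy is not reproduced.

```python
FUZZ_CFG = """sequence=Ω≈ç√∫˜µ≤≥÷åß∂ƒ©˙∆˚¬…æœ∑´®†¥¨ˆøπ
maxseqlen=1000
endcfg
FUZZ
--
"""  # constructed copy of the fuzz.cfg shown above; directive semantics assumed

def parse_cfg(text):
    """key=value directives up to 'endcfg', then templates each ended by '--'."""
    head, body = text.split("\nendcfg\n", 1)
    directives = dict(line.split("=", 1) for line in head.splitlines() if "=" in line)
    templates = [t.strip("\n") for t in body.split("\n--\n") if t.strip()]
    return directives, templates

def test_cases(directives, template, step=100):
    """Template with FUZZ replaced by n bytes of the sequence, n = step..maxseqlen.
    Simplified stepping, not sfuzz's exact strategy; a byte cut can split a char."""
    seq = directives["sequence"].encode("utf-8")
    maxlen = int(directives.get("maxseqlen", 1000))
    for n in range(step, maxlen + 1, step):
        filler = (seq * (n // len(seq) + 1))[:n]   # exactly n bytes of the sequence
        yield template.encode("utf-8").replace(b"FUZZ", filler)

# Stand-in service that trusts its input: a strict decode raises on a split character.
naive_target = bytes.decode

def hardened_target(payload, max_input=512):
    """Bounded, validating variant (constructed limit): rejected input yields None."""
    try:
        return payload.decode("utf-8") if len(payload) <= max_input else None
    except UnicodeDecodeError:
        return None

def run(cfg_text, target):
    """Feed every case to target; record (length, exception name) per crash for triage."""
    directives, templates = parse_cfg(cfg_text)
    failures = []
    for template in templates:
        for case in test_cases(directives, template):
            try:
                target(case)
            except Exception as exc:
                failures.append((len(case), type(exc).__name__))
    return failures
```

Running `run(FUZZ_CFG, naive_target)` lists the lengths at which a byte-count cut landed inside a multibyte character and crashed the trusting target, while the bounded, validating target returns no crashes for the same cases.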