I couldn't find any tools that did exactly what I needed, so I started a search for a fuzzing library. I was working in a Java shop, so I needed a Java tool. I found the OWASP JBroFuzz project and found I could use JBroFuzz as a library, even though it was written as a standalone tool. I created a test that relied on JBroFuzz to generate test data and inserted that data into an order message. A normal message looked something like this XML example (test data in bold):
<book:addHotel>
  <orderid>123456789</orderid>
  <name>Three Guys Hotel</name>
  <address>123 Main Street</address>
  <city>Calgary</city>
  <state>Alberta</state>
  <zip>12343</zip>
  <country>Canada</country>
  <price>40</price>
</book:addHotel>
A fuzzed message looked something like this (price is getting fuzzed):
<book:addHotel>
  <orderid>123456789</orderid>
  <name>Three Guys Hotel</name>
  <address>123 Main Street</address>
  <city>Calgary</city>
  <state>Alberta</state>
  <zip>12343</zip>
  <country>Canada</country>
  <price>0xffffffff</price>
</book:addHotel>
Now, imagine doing this over and over, thousands of times, with the fuzzer doing the test data creation for me. The fuzzer creates data based on a payload type, then the automation program inserts it into a message, and then the message is sent on to the system under test. I can fuzz as many or as few of the message parameters for this order type as I want. I could use automation to mutate each message over time so that, in the end, all values were fuzzed. I used simple monitoring tools in this system: I watched for error messages in the log files using simple Unix commands, and I kept an eye on system resource usage on the application servers and the backend database. The first time I tried it out, the server crashed within twenty minutes.
I found quite a few errors using a fuzzer in this way. The system was mature and was well tested, but I got fast results using test automation to do the heavy lifting: generating lots of test data and running it over and over, sometimes for hours. I managed to get high-volume test automation with tool-generated test data I would never have thought to create myself. It would have taken weeks or months of full-time work to do what this tool could do in minutes or hours.
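The loop described above (payloads grouped by type, inserted into the order message one field at a time, sent to the system under test, failures recorded) is sketched below as an added Python example; it is not the author's code and does not use JBroFuzz. The payload lists, the function names and `stub_order_service` are constructed stand-ins for the fuzzer's output and the real order system.

```python
import re
from xml.sax.saxutils import escape

# Constructed baseline, copied from the normal addHotel message shown above.
BASELINE = {
    "orderid": "123456789", "name": "Three Guys Hotel",
    "address": "123 Main Street", "city": "Calgary", "state": "Alberta",
    "zip": "12343", "country": "Canada", "price": "40",
}

# Constructed stand-in for fuzzer output, keyed by payload type.
# These lists are illustrative, not JBroFuzz's own payload catalogue.
PAYLOADS = {
    "integer-boundary": ["0", "-1", "2147483648", "0xffffffff"],
    "oversized-string": ["A" * 10000],
    "empty": [""],
}

def build_message(fields):
    """Serialise the order; values are escaped so the XML stays well formed."""
    body = "\n".join(f"  <{k}>{escape(v)}</{k}>" for k, v in fields.items())
    return f"<book:addHotel>\n{body}\n</book:addHotel>"

def fuzz_cases(targets=None):
    """Yield (field, payload_type, message), fuzzing one field at a time."""
    for field in targets or BASELINE:
        for ptype, values in PAYLOADS.items():
            for value in values:
                yield field, ptype, build_message({**BASELINE, field: value})

def stub_order_service(message):
    """Hypothetical system under test: trusts <price> to be a decimal integer."""
    price = int(re.search(r"<price>(.*?)</price>", message, re.S).group(1))
    return "accepted" if price >= 0 else "rejected"

def run(send, targets=None):
    """Send every case; record the ones that end in an unhandled exception."""
    failures = []
    for field, ptype, message in fuzz_cases(targets):
        try:
            send(message)
        except Exception as exc:  # stands in for watching the server logs
            failures.append((field, ptype, type(exc).__name__))
    return failures

if __name__ == "__main__":
    for failure in run(stub_order_service):
        print(failure)
```

Recording the field and payload type with each failure is what makes a long unattended run useful afterwards: every error can be traced back to the exact input that caused it.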






