Fuzzing Through the Side Door

Share URL
 

Since the fuzzing automation was essentially pummeling each public order entry field with different kinds of data, we found different kinds of errors. Fuzzer payloads might exploit input overflow tests, and, on some fields, large values caused errors anywhere from the database on up to the code processing the message. Other fuzzer payloads exploit entering data of the wrong type, and that could cause the database to fail while trying to insert the incorrect data into a field. In other cases, the code that processes messages might fail when trying to process a character from a character set it wasn’t expecting. Any number of libraries in between might fail similarly.

We discovered inconsistencies in the way code handled error conditions for different inputs in an order. The order ID field might restrict data of the wrong type or data that is too long at the messaging layer. The price field might not restrict those data types or lengths at all. In other cases, error handling might break down after processing a large number of orders. We also discovered memory leaks and other problems that were revealed by processing a large number of orders over a period of days. We just didn’t see that with manual testing or automated functional testing in the past. Those efforts didn’t generate enough data or conditions on the server that were closer to what you would see in production.

This approach to test automation is a bit more technical than some testers might be used to, but it can be highly effective. Using the well-known approaches of mutation testing, high-volume test automation, and fuzzing against an order-entry system proved to be a powerful combination. If you have the technical resources to be able to try this sort of thing out on your system, I encourage you to do so. A word of warning, though: Do not try this on public systems or systems you don’t have permission to run a fuzzer against. Fuzzing in this manner can quickly bring a test system down. If you’ve been asked to test a messaging system, propose looking at this kind of approach, and happy fuzzing!

Jonathan would like to thank Yiannis Pavlosoglou of the JBroFuzz team for his help and support.

References

Pages

Share URL
 
Tags: 
test methodologies
testing
tools
fuzz testing
owasp jbrofuzz

About the author

Jonathan Kohl's picture
Jonathan Kohl

Jonathan Kohl is an internationally-recognized consultant with Kohl Concepts, based in Calgary, Alberta, Canada. Jonathan works on mobile application development projects in a variety of roles. He is also a popular author, speaker and trainer in the software industry. Read more of his work at www.kohl.ca. Contact Jonathan at jonathan@kohl.ca. Follow on twitter: @jonathan_kohl

View Profile
More Like This
» A Firsthand Agile Transition Success Story: An Interview with Penny Wyatt [interview]
» Security Testing in an Agile World: An Interview with Jeff Payne [interview]
» The Evolution of the User Experience: An Interview with Genefa Murphy [interview]
Podcast
» Collaborating with ALM and Agile: An Interview with Karthik Ravindran [interview]
Video
» Software Testing Is a Game [article]
» Testing the Requirements of Collaboration: An Interview with Jeff "Cheezy" Morgan [interview]
» Enterprise Agility vs. Lean Delivery: An Interview with Mik Kersten [interview]

TechWell Stories
How Acknowledging Work Effort Increases Productivity and Motivation
To Estimate or Not to Estimate—That Is the Question
Removing Waste in Software Projects
Create a Vendor Contract While Keeping Agile
How Agile Teams Use DevOps for Deployment