Fuzzing: Brute Force Vulnerability Discovery
Fuzzing is the first and only book to cover fuzzing from start to finish, bringing disciplined best practices to a technique that has traditionally been implemented informally. The authors begin by reviewing how fuzzing works and outlining its crucial advantages over other security testing methods. Next, they introduce state-of-the-art fuzzing techniques for finding vulnerabilities in network protocols, file formats, and web applications; demonstrate the use of automated fuzzing tools; and present several insightful case histories showing fuzzing at work. Coverage includes:
- Why fuzzing simplifies test design and catches flaws other methods miss
- The fuzzing process: from identifying inputs to assessing “exploitability”
- Understanding the requirements for effective fuzzing
- Comparing mutation-based and generation-based fuzzers
- Using and automating environment variable and argument fuzzing
- Mastering in-memory fuzzing techniques
- Constructing custom fuzzing frameworks and tools
- Implementing intelligent fault detection
Review By: Showey Howey
09/22/2008
Add fuzzing and this book to your library of test tools to help you produce more secure software environments. The book, a 2008 Jolt-award finalist, is both a technical reference and a fascinating read. Programmers and security professionals get bluntly stated pros and cons of the state of current tools with (as of this review) good working links to more code and information. The authors discuss fuzzing in neatly divided, yet cross-referenced, sections within the text. It is easy to locate a specific area of interest without having to read through pages of what you already know or what you hope you don't need to know. Coverage of these special effects includes methods and types of fuzzer tools; data generation; and building or extending COTS and freeware automation over applications, servers, file formats, network protocols, browsers, and in-memory testing on both Windows and UNIX platforms.
Fans of CSI, Numbers, and even Bones can enjoy an armchair hunt for automated testing techniques and algorithms that calculate the "good, better, and best" of bad input data. The technical parts of this book are easy to locate and skim over, while the hilarious quotes from George W. Bush keep everyone from geeks to C-level suits thinking about this topic's real relevance in our country and world today. Those in the trenches will use catchy quotes and information from the authors to encourage management’s consideration of integrating fuzzing in a project plan and budget.
The book acknowledges its shelf life by guiding readers to sources on the Web where, presumably, the ideas and concepts in the book will be updated as the field grows.