
Fuzzing 101 – The Basics (FAQ)

August 26 2021

Many developers are already familiar with fuzz testing. But if you are new to the topic, this article answers the frequently asked questions (FAQs) you may have about fuzzing.

 

What is Fuzzing? 

Fuzzing is a dynamic testing method used for identifying bugs and vulnerabilities in software. It is mainly used for security and stability testing of the codebase. The software under test is fed with a series of inputs, which are purposefully mutated in the testing process.

The fuzzer then gets feedback about the code covered during the execution of inputs. Unlike security testing with just randomized inputs, feedback-based fuzzing explores the program state efficiently and discovers all kinds of bugs hidden deep within the code. 

Why is Fuzzing (Especially) Useful for Security Testing? 

Several characteristics make fuzzing especially useful for security testing:

  • Fuzzing is an almost completely automated testing approach.
  • Fuzzing can be used for black-box AND white-box testing (on the source code).
  • Fuzzing not only detects vulnerabilities but also gives you the concrete inputs that triggered them.
  • Fuzzing identifies bugs reliably and without false positives: every finding comes with an input that reproduces it.

What Is Feedback-Based Fuzzing? 

Modern fuzzing engines use algorithms that tailor the generated inputs to increase the amount of code exercised by the fuzzer. The common term for this is feedback-driven or feedback-based fuzzing.

Feedback-based fuzzing uses code coverage information when generating new inputs. By measuring code coverage, the fuzzer can see which parts of the program a given input reached, and it tries to reach further parts by generating similar inputs with small random changes.

What Is a Fuzz Target? 

To understand fuzz testing better, it helps to look at the anatomy of a fuzzer.

One significant piece is the fuzz target, a small program that exercises predefined API functions, similar to a unit test. However, the inputs are not written by the developer but produced by a fuzz generator.

Besides the fuzz targets, there are fuzz generators. They are responsible for creating random mutations of inputs that are sent to the software under test (SUT). The output of a fuzz generator (i.e. the random inputs) is handed to the delivery mechanism, which feeds each input to the SUT for execution.

Finally, the monitoring system keeps track of how the inputs are executed within SUT and detects triggered bugs. The monitoring system plays a critical part in the fuzzing process as it also influences what types of vulnerabilities can be discovered during fuzzing. 
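To make this anatomy (and the feedback loop from the previous section) concrete, here is a small coverage-guided fuzzer written for this FAQ. It is an added example, not code from the original post or from any fuzzing engine, and everything in it is constructed: parse_record is the software under test with a planted out-of-bounds read, fuzz_target is the fuzz target, mutate is the fuzz generator, run_with_coverage is the monitoring system (it records line edges via sys.settrace as coverage feedback and catches unexpected exceptions), and fuzz is the delivery loop. The feedback switch toggles between coverage-guided behaviour and mutating a static corpus, which is the black-box behaviour described further down.

```python
import random
import sys
from dataclasses import dataclass
from typing import Optional

def unescape(value: bytes) -> bytes:
    """Expand backslash escapes. Planted bug: a trailing backslash reads one
    byte past the end of the value and raises IndexError."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == 0x5C:               # backslash
            out.append(value[i + 1])       # planted bug: no bounds check
            i += 2
        else:
            out.append(value[i])
            i += 1
    return bytes(out)

def parse_record(data: bytes) -> dict:
    """SUT constructed for this example: parses b"REC:k=v;k=v;".
    ValueError means "input rejected"; anything else is a finding."""
    if not data.startswith(b"REC:"):
        raise ValueError("bad magic")
    fields = {}
    for part in data[4:].split(b";"):
        if not part:
            continue
        key, sep, value = part.partition(b"=")
        if not sep:
            raise ValueError("field without '='")
        fields[key] = unescape(value)
    return fields

def fuzz_target(data: bytes) -> None:
    """Fuzz target: the unit-test-like entry point called once per input."""
    try:
        parse_record(data)
    except ValueError:
        pass                                # expected rejection, not a bug

def run_with_coverage(target, data: bytes):
    """Monitoring: run target(data) under a line tracer; return the set of
    (previous line, current line) edges reached and any unexpected exception."""
    edges, last = set(), [None]
    def local_tracer(frame, event, arg):
        if event == "line":
            cur = (frame.f_code.co_name, frame.f_lineno)
            edges.add((last[0], cur))
            last[0] = cur
        return local_tracer
    def global_tracer(frame, event, arg):   # only trace code from this module
        return local_tracer if frame.f_globals.get("__name__") == __name__ else None
    error = None
    sys.settrace(global_tracer)
    try:
        target(data)
    except Exception as exc:
        error = exc
    finally:
        sys.settrace(None)
    return frozenset(edges), error

DICTIONARY = [b";", b"=", b"\\", b"REC:"]   # tokens of the constructed format

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Fuzz generator: apply one small random change to an existing input."""
    buf, choice = bytearray(data), rng.randrange(4)
    if choice == 0 and buf:                            # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:                          # overwrite one byte
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 2 and len(buf) > 1:                 # delete one byte
        del buf[rng.randrange(len(buf))]
    else:                                              # insert a dictionary token
        pos = rng.randrange(len(buf) + 1)
        buf[pos:pos] = rng.choice(DICTIONARY)
    return bytes(buf)

@dataclass
class FuzzResult:
    corpus: list                    # inputs kept because they reached new edges
    crashes: list                   # (input, exception) pairs
    first_crash_at: Optional[int]   # run number of the first crash, if any

def fuzz(target, seeds, iterations, rng_seed=0, feedback=True) -> FuzzResult:
    """Delivery loop. feedback=True keeps inputs that reach new edges (coverage-
    guided); feedback=False only ever mutates the static seeds (black-box)."""
    rng, corpus, seen = random.Random(rng_seed), list(seeds), set()
    result = FuzzResult(corpus, [], None)
    for seed in corpus:
        seen |= run_with_coverage(target, seed)[0]
    for i in range(1, iterations + 1):
        child = mutate(rng.choice(corpus), rng)
        edges, error = run_with_coverage(target, child)
        if error is not None:
            result.crashes.append((child, error))
            result.first_crash_at = result.first_crash_at or i
        elif feedback and not edges <= seen:
            seen |= edges
            corpus.append(child)
    return result

if __name__ == "__main__":
    r = fuzz(fuzz_target, [b"REC:name=alice;"], iterations=20000, rng_seed=1)
    print(f"corpus: {len(r.corpus)}, crashes: {len(r.crashes)}, first at run {r.first_crash_at}")
    print("first crashing input:", r.crashes[0] if r.crashes else None)
```

Running it reproduces what the sections above describe: inputs that reach new edges (a record without the trailing ";", a field without "=", a backslash in the middle of a value) are kept as stepping stones, and from one of them a single further mutation yields a value ending in a backslash, which the monitor reports as an IndexError together with the exact input that caused it. With feedback=False the corpus never grows past the seed. Real engines replace the line tracer with compiler instrumentation and use far smarter mutators, but the loop is the same.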

Fuzzing vs. Other Testing Methods 

If you are looking for a way to secure your software, there are a variety of testing approaches, such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), and Feedback-based Application Security Testing (FAST). Each of these methods has its advantages and disadvantages. We have collected some of them in the table below.

[Image: Comparing testing approaches]

What Bugs Can You Find With Fuzzing? 

Fuzz testing can help developers find all kinds of security vulnerabilities. The most common bugs are listed below: 

  1. All types of crashes  
  2. Memory Leaks  
  3. Slow Inputs 
  4. Use of Uninitialized Memory  
  5. Data Races  
  6. Buffer Overflows  
  7. Cross-Site Scripting (XSS)  
  8. Insecure Deserialization  
  9. Using Components with Known Vulnerabilities  
  10. Insufficient Logging & Monitoring 

See the full list.

What Is White-Box Fuzzing? 

White-box fuzzing analyzes the internal structure of the program. White-box fuzzers track code coverage and use each new fuzzing run to increase it. They usually rely on intelligent instrumentation and adaptive algorithms, which makes them more effective and accurate in detecting vulnerabilities.

What Is Black-Box Fuzzing? 

Black-box fuzzing generates inputs for a target program without knowledge of its internal behaviour or implementation. A black-box fuzzer may generate inputs from scratch, or rely on a static corpus of valid input files to base mutations on. Unlike coverage-guided approaches and white-box fuzzing, the corpus does not grow here.

[Image: Black-box fuzzing vs. white-box fuzzing]

What Are Common Fuzzing Tools?

Developers can benefit from a whole range of open-source fuzzing tools. They are often specialized for specific use cases (e.g. kernel fuzzing) or programming languages. But there are also a few commercial solutions that become relevant if you're working in larger development teams or DevOps environments. They usually come with more integrations and features, such as automated bug reporting, CI/CD and dev tool integration, Web API fuzzing, or OWASP vulnerability detection.

Open-source fuzzers: see the extended list.

Fuzzing for DevOps Teams

If you are interested in an enterprise fuzzing solution, our fuzzing platform CI Fuzz might be just the right thing for you. CI Fuzz can easily be integrated into your CI/CD, where it enables developers to fuzz and debug your code continuously.


 

What's Next? - Fuzz Your First Application

This article summarized the basics of fuzz testing. Now you'll probably want to get hands-on experience yourself. But where to start? I would recommend starting by fuzzing a couple of open-source projects. This way, you can familiarize yourself with the technology and contribute to the community.

You can follow this tutorial by Patrick Ventuzelo, who fuzzed a popular open-source project (JSoup) with Jazzer, a coverage-guided fuzzer for JVM-based languages (Java, Kotlin, etc.).

Video: Fuzzing Java code (JSoup) using Jazzer fuzzer
