Web applications are growing increasingly complex, which makes tools for automated security testing indispensable. CI Fuzz is an automated application testing platform that helps you secure web applications in a complex microservice environment.
With minimal changes, you can apply coverage-guided fuzz testing to your existing test environment, whether it runs locally, with docker-compose, or inside a Kubernetes cluster, and thereby improve the stability and reliability of your codebase.
CI Fuzz offers an easy-to-use interface for applying these advanced techniques; no deep fuzzing expertise is required. Instead, developers define which functions or interfaces (e.g. RestControllers) they want tested, and the software generates test cases automatically. CI Fuzz also integrates easily into a standard CI/CD workflow such as Jenkins: the fuzz tests run automatically with each new code change and incidents are reported promptly. Fuzzing can be scaled on demand on a Kubernetes cluster.
While OSS fuzzers (e.g. AFL, honggfuzz, …) can only test C/C++/Go APIs and detect ordinary bugs, CI Fuzz can also test web APIs and even conduct system tests. The procedure is similar to that of OWASP ZAP, but adds a coverage feedback loop on top of the fuzzing process. CI Fuzz therefore reaches an unrivalled level of code coverage and thus detects more bugs. If you are interested in the CVEs that have been found with CI Fuzz, check out our trophies page.
Our testing platform covers mainly two scenarios for microservices: fuzzing supported frameworks (highly automated) and a framework-agnostic mode (which requires OpenAPI definitions and some fine-tuning). This post focuses on the first.
To create a fuzz test for a Java microservice, CI Fuzz automatically detects the framework in use (in this case Spring Boot) and offers a simple one-click wizard to create fuzz tests.
During project initialization, CI Fuzz scans all the endpoints of the application. The scan lets CI Fuzz identify the type of request each endpoint expects (REST calls, web forms, etc.). This enables CI Fuzz to craft valid requests against the application’s endpoints and to fuzz only the interesting parts of a request (e.g. parameter values, not parameter names). This smart fuzzing approach allows CI Fuzz to reach code deep inside your application’s business logic. The following code snippet should make this clear:
By default, the automatically generated fuzz test covers all endpoints. Users interested in specific endpoints can filter the list and select only the endpoints they want tested.
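The endpoint-aware, coverage-guided loop described above, as an added Python illustration that is not CI Fuzz's code (the endpoint description, the toy handler and its bug are all constructed): the mutator keeps parameter names intact and varies only values, and inputs that reach new code blocks are kept as seeds, which is what lets the loop get past the limit > 100 branch to the bug behind it.

```python
import random

# Constructed endpoint description (hypothetical; the page shows no real scan output)
ENDPOINT = {"path": "/users/search", "params": {"name": "alice", "limit": "10"}}

def handle(params):
    """Toy stand-in for a RestController; returns the set of code blocks hit."""
    covered = {"entry"}
    if set(params) != {"name", "limit"}:  # unknown or missing parameter name
        return covered | {"bad_request"}
    try:
        limit = int(params["limit"])
    except ValueError:
        return covered | {"parse_error"}
    if limit < 0:
        return covered | {"negative_limit"}
    covered.add("query")
    if limit > 100:
        covered.add("big_page")
        if limit > 1000:  # constructed bug deep in the business logic (simulated crash)
            raise MemoryError("page buffer sized from user input")
    return covered

def mutate_values(params, rng):
    """Structure-aware mutation: keep every parameter name, change one value."""
    out = dict(params)
    key, kind = rng.choice(sorted(out)), rng.randrange(3)
    if kind == 0:
        out[key] = str(rng.randint(-1000, 1000))
    elif kind == 1:
        out[key] += rng.choice("0123456789")
    else:
        out[key] = out[key][:-1]
    return out

def fuzz(endpoint, iterations=2000, seed=7):
    """Coverage-guided loop: inputs that reach new blocks join the corpus."""
    rng = random.Random(seed)
    corpus = [endpoint["params"]]
    coverage = set(handle(corpus[0]))
    for i in range(1, iterations + 1):
        candidate = mutate_values(rng.choice(corpus), rng)
        try:
            hit = handle(candidate)
        except MemoryError:  # a finding: report the input that triggered it
            return {"crash": candidate, "iterations": i, "coverage": coverage}
        if not hit <= coverage:  # new block reached: keep this input as a seed
            coverage |= hit
            corpus.append(candidate)
    return {"crash": None, "iterations": iterations, "coverage": coverage}
```

A mutator working on the raw query string instead would spend most of its budget on malformed parameter names and rarely get past the bad_request block.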
Once fuzzing has started, the CI Fuzz dashboard provides live monitoring of the fuzzing process. The leftmost metric is the total number of code blocks, edges and additional features covered by executing the current corpus. Our fuzz engines use several metrics to evaluate code coverage: edge coverage, edge counters, value profiles, indirect caller/callee pairs, equal bytes, etc. The graph in the middle displays performance over time in executions per second. Fuzzers start fast, with many executions per second; a sudden drop in performance can indicate bugs such as endless loops, memory exhaustion or timeouts.
Once the fuzzer finds bugs, they are reported in several places in the UI. The “all findings” list view gives the user an overview of the detected bugs. Clicking an entry opens a detailed view of the finding, with further information on the severity of the bug and useful resources on that type of bug.
In our recorded webinar, Simon Resch (Senior Software Engineer) demonstrates how to simplify and automate web application testing with the CI Fuzz testing platform. He shows how to apply coverage-guided fuzz testing to a complex web application with all its inter-dependencies and how this approach can help you improve your code coverage.