
What is Fuzzing in cyber security?

05/01/2023
Fuzzing is a method of finding software vulnerabilities by providing unintended input to the target system and monitoring for abnormal results.
By Jack Wong

Fuzzing in cyber security is a method of finding software vulnerabilities by providing unintended input to the target system and monitoring for abnormal results.

The main function of fuzzing is to detect security vulnerabilities in software or computer systems. The core idea is to feed automatically or semi-automatically generated random data into a program and monitor for exceptions such as crashes and assertion failures.

Barton Miller of the University of Wisconsin first proposed fuzzing in 1988. That work not only used random and unstructured test data, but also systematically applied a series of tools to analyse various software on different platforms. In addition, the source code, testing process, and raw result data were disclosed.

What is the purpose of fuzzing?

  • Find the most important security faults and vulnerabilities
  • Produce more effective results when combined with black box testing, beta testing, and other debugging techniques
  • Serve as one of the most cost-effective methods for identifying software vulnerabilities

The Steps of Fuzzing in cyber security

  • Determine the target system
  • Determine the inputs
  • Create fuzzy data
  • Run tests with the fuzzy data
  • Pay close attention to the performance of the system
  • Keep a defect log

Fuzzer example 

Fuzzers that modify existing data samples to generate new test data are called mutation-based fuzzers. This is the most straightforward technique: it starts with an acceptable sample of the protocol or file and goes on to corrupt each byte or the whole file.
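The steps above, carried out with a mutation-based fuzzer, as an added example that is not part of the original article. The record format, `parse_record`, its `strict` flag and the seed sample are constructed for illustration; a clean `ValueError` counts as correct rejection, and any other exception is logged as a defect.

```python
import random

def parse_record(data: bytes, strict: bool = False) -> bytes:
    """Constructed target format: b'RC' | length | payload | checksum."""
    if len(data) < 4 or data[:2] != b"RC":
        raise ValueError("bad header")            # clean rejection
    length = data[2]
    if strict and len(data) < 4 + length:         # hardened path: bounds check
        raise ValueError("length exceeds data")
    payload = data[3:3 + length]
    checksum = data[3 + length]                   # defect: length field trusted
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return payload

def make_seed(payload: bytes) -> bytes:
    """Build a valid sample for the fuzzer to start from."""
    return b"RC" + bytes([len(payload)]) + payload + bytes([sum(payload) % 256])

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Corrupt the sample: overwrite 1-3 bytes, sometimes truncate it."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    if rng.random() < 0.2:
        del buf[rng.randrange(1, len(buf)):]
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1):
    """Run mutated inputs against target and return the defect log."""
    rng = random.Random(rng_seed)
    defects = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue                              # input rejected as designed
        except Exception as exc:                  # abnormal result: log it
            defects.append((type(exc).__name__, case.hex()))
    return defects

if __name__ == "__main__":
    seed = make_seed(b"hello")
    loose = fuzz(parse_record, seed)
    fixed = fuzz(lambda d: parse_record(d, strict=True), seed)
    print(f"unchecked parser: {len(loose)} defects, e.g. {loose[0]}")
    print(f"bounds-checked parser: {len(fixed)} defects")
```

Each logged entry keeps the exact input that triggered the fault, so it can be replayed against the parser after a fix.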

A generation-based fuzzer creates new data based on a model of the input. It starts from scratch, generating input on demand.

The protocol-based fuzzer, one of the most successful kinds of fuzzer, has comprehensive knowledge of the protocol format being tested. It requires a series of specifications to be entered into the tool, which then adds irregularities to data content, sequences, etc. Grammar testing, robustness testing, and other terms are used to describe this process. The fuzzer can create test cases from scratch and from invalid inputs.

Types of bugs detected by Fuzzing in cyber security

  • Invalid inputs: Fuzzers are used to produce invalid inputs for testing error-handling routines, which is critical for software that has no control over its inputs. Simple fuzzing is a technique for automating negative tests.
  • Correctness bugs: Certain "correctness" issues can also be detected by fuzzing, for example database corruption, insufficient search results, etc.

Fuzzing Tools in cybersecurity

  • Peach Fuzzer
  • Spike Proxy
  • Webscarab
  • OWASP WSFuzzer

Fuzzing is a software engineering technique used to identify defects in an application. It does not ensure that all defects in a program are detected. However, a fuzz approach helps ensure that the application is resilient and secure, as it helps reveal the most common flaws.
