101

Fuzz Testing Rundown

5 min read

Fuzzing is a software testing methodology that is great at finding obscure bugs that developers miss. Instead of testing with a small, pre-defined set of cases (like unit testing), fuzzing tests code 24 hours a day, using the feedback and results it gathers to generate new cases (called fuzz), in an effort to exercise all aspects of the software in question. You can think of fuzzing as a feedback loop that iterates thousands of times per second:

Fuzzing Feedback Loop

{{/* output-4 */}}{{/* output-1 */}}{{/* output-2 */}}{{/* input-1 */}}{{/* input-2 */}}{{/* input-bar */}}{{/* output-bar */}}{{/* output-progress-1 */}}{{/* output-progress-2 */}}{{/* output-progress-3 */}}{{/* input-progress-1 */}}{{/* input-progress-2 */}}{{/* input-progress-3 */}}{{/* fuzzer */}}{{/* app */}}{{/* app-box-1 */}}{{/* app-box-2 */}}{{/* app-box-3 */}}{{/* app-box-4 */}}{{/* app-box-5 */}}{{/* app header */}}{{/* output-3 */}}{{/* input-3 */}}

Why Fuzz?

Fuzzing finds the hard-to-find bugs that other security tools (SAST, SCA, etc) typically miss.

Unit testing, and other developer-driven testing methods like static analysis are great for sanity checks, and ensuring that your code handles all of the cases your developers have thought about. Where unit tests fall short is in the unknown; they look for exactly what you ask them to, and nothing more.

By continuously fuzz testing your code, you immediately increase your bug-finding potential to include the unforeseen problems that aren't covered by static analysis rules or your developers' imaginations. Fuzzing covers an area of your software test pipeline that no other type of testing methodology touches.

With fuzzing you can find:

Memory Corruption CWE-119

Race Conditions CWE-362

Unhandled Exceptions CWE-248

Crashes CWE-730

Path Traversal CWE-23

Timeouts & Hangs CWE-969

Excessive Resource Usage CWE-119

Undefined Behavior CWE-362

Assertion Failures CWE-248

Types of Fuzzing

Dumb Fuzzing

  • Generates completely random test cases, or randomly mutates & corrupts example inputs
  • Has no understanding of the code being tested, and can’t intelligently generate tests to drive deeper into a codebase
  • Only finds very superficial bugs, because the fuzzer’s shallow coverage won’t enable any testing below the parsing layer

Protocol Fuzzing

  • Generates tests that conform to a specific protocol, creating inputs that are structurally correct, but provide invalid data (HTTP, Bluetooth, HL7, JSON, XML, etc)
  • Does not require source code modifications, simply select the protocol that your application uses
  • The ability to generate structurally-valid inputs allows protocol fuzzing to test the logic of your application and uncover deeper bugs

Coverage Guided Fuzzing

  • Uses code coverage feedback to guide test case generation, allowing the fuzzer to build off previously generated inputs
  • Code coverage enables the fuzzer to work out which sections of a test case affect certain areas of the code, effectively drilling down into high risk areas
  • Discovers hard-to-find (& easily missed) bugs on rare code-paths by ensuring that every line of code is covered

Which method should I use?

We definitely recommend staying away from dumb fuzzing. However, protocol and coverage-guided fuzzing tend to complement each other. Our recommendation is to start with protocol fuzz testing as it tests 1 external entrypoint into your application, and then move onto coverage-guided fuzzing, which will allow you to target very specific, high risk areas of your code.

How Fuzzbuzz Helps

Fuzzbuzz is a fuzzing platform that enables developers and security teams to integrate fuzz testing into the earliest stage of the SDLC. With Fuzzbuzz, developers can start fuzzing in under 5 minutes and test every aspect of their application, from specific high-risk modules, to entire embedded devices.

No Code Required

Fuzzbuzz analyzes your code and automatically generates tests for the most high-risk areas, so you can start fuzzing without writing a single line of code

Zero False Positives

Each bug is verified as reproducible and proven to be unique, so you can be confident that you’re receiving a concise list of actionable bugs

Integrates Into Existing Tools

Fuzzbuzz integrates into source control tooling like GitHub and GitLab, and hooks into your existing workflow by tracking bugs with tools like Jira, Slack and Teams

Coverage Guided, Structure Aware Fuzzing

Our structure-aware fuzzer generates inputs that fit the underlying protocol your software uses, and uses coverage-guidance to ensure every line of code is tested

Ready to get started?