When creating an application, programmers spend a lot of time anticipating what a user will need and how their application should react. The best programmers keep control using tight code while also planning for any contingency, but nobody can anticipate every possible action that a user might take. That is where fuzzing tools can come in very handy.
What is fuzz testing?
Fuzz testing is an automated process where a fuzzing engine attempts to send vast amounts of unexpected, erroneous or just random input into an application so that a programmer can see how it will react. They can then code appropriate responses that will protect the integrity and security of the application before it’s deployed to the public.
Fuzzing tools are valuable because they can answer thousands of “what if” type questions about application behavior over a relatively short period. For example, what happens if an e-commerce site user orders 20 billion bomber jackets? Does the site crash? Does it offer them a discount? Or does it simply try and process the impossible order normally? And then what happens if a user enters something like a valid coupon code but in the wrong input field? Finally, how will the application react if a malicious user enters command line functions, encrypted content, operating system commands or raw code in the same language as the app? A good fuzzing engine can answer all of those questions and more.
How do fuzzing tools work?
The functionality of fuzzing engines helps to explain why so many exist. There are quite a few commercial fuzzing engines and hundreds of others written by talented programmers, which have been shared for free on platforms like GitHub. Some fuzzing engines send gobs of random information, while others carefully examine the application they are working with and try to provide contextual but unexpected inputs. Finally, fuzzing is not just about user input; it is valuable for testing programmable interfaces, such as REST APIs.
In most cases, the goal of a fuzzing tool is to generate at least some unexpected data the tested software’s parser accepts as valid. It then can report how the application reacts to that unexpected yet potentially valid input. Alternatively, the fuzzed input might (jackpot!) crash the program.
Fuzzers operate using various programming languages. Some can handle most computer languages, with C, C++, Go, Rust, Python, Java, Kotlin, Scala and Swift being popular choices. Others only operate with apps using a single language, becoming, for example, a specific tool to help out Python programmers. So, while there are many choices, you need to be careful that you are getting a fuzzer that works with the language of the application, program or hardware that you want to test.
Top fuzzing tools
The following are some of the top commercial and free fuzzing engines today. We tried to find the most popular or the most highly rated fuzzing tools to feature. However, there are hundreds of choices, so we are sure to have inevitably missed a few good ones. But this list should help get anyone started when trying to pick out a good fuzzing engine or tool to help test their applications and programs.
Our selection method was a bit arbitrary, but there’s no way around that. The commercial tools come from a list of such tools on the OWASP site.
Then we searched for “fuzz” on GitHub, sorted by the number of stars (likes) to measure by popularity, and selected the top five. Another measure of popularity on GitHub and respect from the community is the number of times the project has been forked. Two of the systems in our list (OSS-fuzz and FuzzDB) are also in the top five forked fuzzers.
Fuzz testing is not just a kooky advanced option anymore. Many important standards from ISO and other prominent bodies now recommend it and don’t be surprised if it eventually becomes a requirement. Now’s the time to make it a standard part of your testing process.
4 commercial fuzzing tools
1. Beyond Security beSTORM
The beSTORM fuzzing solution from Beyond Security is one of the most versatile fuzzers on the market. Designed to test both hardware and software, it doesn’t require access to the source code to operate. Therefore, it can work with just about any application, protocol, language or even hardware, at least to the extent that the tested application is programmable. It can even work with devices and programs designed for specific industries and applications like those from the Internet of Things, process control applications, CANbus compatible automotive apps, aerospace tools and low energy Bluetooth LE devices.
The versatility of beSTORM is one of its most significant assets because programmers only have to learn how to manipulate a single interface to launch fuzz testing against an almost unlimited number of devices or applications. The platform includes 250 prebuilt testing modules, and users can fairly easily add new ones to cover unusual or proprietary applications. Those fuzzing tests can also be managed using the same interface.
Another advantage for larger organizations is that users can access the beSTORM platform as a cloud service. That way, an organization can purchase the platform and then provide access to the fuzzing tools to multiple users, even those working in different locations.
2. Code Intelligence Fuzz
The Code Intelligence Fuzz engine (CI Fuzz) comes as a preconfigured Ubuntu VM so that you can deploy it locally or in a cloud. Once integrated into your continuous integration and continuous delivery (CI/CD) pipeline, CI Fuzz can run automatically with every pull request. In that way, CI Fuzz can ensure that new changes to an app have not unintentionally added vulnerabilities or otherwise broken the program. And because it’s part of the CI/CD process, those problems will be quickly flagged, making it easy to determine when program errors were introduced.
Whenever CI Fuzz detects an error, it immediately begins sending different permutations of that input to try and map the scope of the problem. It then generates a detailed report to eliminate false positives and enable programmers to reproduce those errors by hand as they work to fix the code.
The CI Fuzz engine directly accesses the source code of the program or app under test, so it only supports certain languages and frameworks. Right now, CI Fuzz works with C, C++, Java and Go. The company is working on integrating other frameworks like .Net Core and Python.
3. Synopsys Fuzzing Test Suite
The Synopsys offering in the fuzzing arena takes a unique approach compared with most others. Instead of trying to make a fuzzing tool that can work with multiple applications, Synopsys instead offers an entire suite of tools, with each one designed to work with a specific language, protocol or use case. With this à la carte approach, end users can purchase the exact fuzzing tool they need without spending money on extra capacity or capabilities they will likely never need.
Each tool has a standard set of features such as a collection of ready-made test cases that are highly relevant, a results and reporting analysis component, a graphical interface for configuring the tool, and documentation explaining how to use it. Each tool purchase can also come with a level of support that can be tapped if needed.
Synopsys offers tools to work with everything from common components like DNS servers to more obscure and specialized applications like CAN Bus or IKEv2.
4. ForAllSecure Mayhem for Code
The ForAllSecure Mayhem for Code fuzzing tool provides all the advantages of most fuzzing engines with the additional capability of learning and becoming more efficient over time. The platform operates independently with minimal human intervention required.
The Mayhem for Code engine operates continually, learning about its environment and discovering how to make use of in-depth system information while speeding up fuzzing activities over time. It can even generate test cases on the fly based on what it has learned. The more you use Mayhem for Code, the more efficient and independent it becomes.
The platform currently works with a variety of languages such as Java, Python, Ada, OCaml, Fortran, Jovial, C, C++, Go and Rust. It does not require access to the source code in order to run its tests.
6 free or open-source fuzzing tools
1. PeachTech Peach Fuzzer
The PeachTech protocol fuzzer was filed under the paid offerings section the last time we wrote an article on fuzzing. It was a popular commercial fuzzing engine for many years. However, its success led to its parent company (PeachTech) being acquired by GitLab in 2020. While the free version of the PeachTech fuzzing engine is still available through GitLab, it is no longer supported or updated.
The idea behind the PeachTech program was that programmers at the company put a lot of effort into making the fuzzing engine highly configurable so that it could work with almost any language or operating system. Users need only manually configure the tool before pointing it at the app, program or device to be fuzzed.
All of that same functionality still exists in the free GitLab offering. However, the documentation is fairly complex, and support for the tool no longer exists. On the positive side, it’s free. But users need to know a lot about fuzz testing as well as the language or framework they are using to get any real benefit out of this fuzzer anymore. Non-experts should probably look elsewhere.
For testers with a budget, GitLab incorporated that technology into their DevSecOps platform, which is not free. There is much more to the platform than just fuzzing, so we won’t look at it in any detail, but it is supported and under development.
2. Google OSS-Fuzz
Google uses fuzzing for all development of new components for their Chrome OS or browser. Having achieved great success in this way, the turned their fuzzer into an open source project, OSS-Fuzz.
OSS-Fuzz taps into several other fuzzing engines including AFL++, libFuzzer and Honggfuzz. It supports multiple languages including C, C++, Rust, Go, Python and Java/JVM code, though it notes that other languages may also work. It works with both x86-64 and i386 builds.
The OSS Fuzz program is one of the most highly rated on GitHub right now. It has a large community and lots of support in the open-source community.
FuzzDB is not a fuzzing engine itself, but a complex library of attack payloads and known injection techniques used to break or breach programs and applications not protected against them. It may be one of the largest such libraries in the world. The attacks are categorized in various ways, such as by platform type, the issues they are known to cause, source exposure potential and many other factors.
Probably the best way to use the FuzzDB library is in conjunction with a programmable fuzzing engine where those attack patterns can be loaded up and sent after an application. Using it in conjunction with a fuzzing engine that generates random inputs would help cover a lot of ground, running the gamut from known attacks and vulnerabilities to unknown ones specific to the application under test.
4. Ffuf (Fuzz Faster U Fool)
Ffuf is a fuzzing engine written in the Go language. It’s a surprisingly advanced program for a free tool and can perform most common fuzzing functions like checking how applications react to unknown GET and POST requests. There is not much of a user interface, since it uses command line functions, which are nevertheless very powerful once you learn them.
The ffuf GitHub page has many examples of how to deploy it and the developer releases new functionality and features regularly. While ffuf is free, it uses a sponsorship model. New features are released immediately to those who have paid to help sponsor the tool’s further development. Everyone else gets access to the new functions 30 days later.
5. Google ClusterFuzz
Google ClusterFuzz is the fuzzing engine used by Google to check for bugs in Chrome. It’s also part of the backend for the aforementioned OSS-Fuzz project. However, ClusterFuzz works with any program or application, not just those in the open-source realm.
According to the GitHub page, ClusterFuzz has successfully found over 29,000 bugs in Google products and 26,000 in open-source projects through its integration with OSS-Fuzz. The ClusterFuzz program is designed to be highly scalable to run in any environment. The project’s GitHub pages list one project where ClusterFuzz is working in conjunction with 100,000 virtual machines, so scalability should not be an issue for anyone.
The go-fuzz platform is a highly rated fuzzer designed to test packages in the Go language. It’s mainly used with packages that parse complex text and binary inputs. According to the author, it is especially useful for hardening systems that parse inputs coming from potentially malicious users, such as almost anything deployed to the public via a web page.
The documentation does a good job of showing how to use the fuzzer. Meanwhile, an accompanying repository contains numerous examples of test functions and initial input settings for various applications.
Copyright © 2022 IDG Communications, Inc.