Basic Introduction to fuzzing Web applications

1. WHAT THE FUZZ???
Christopher Frenz

2. NEED FOR APPLICATION
SECURITY
• According to SANS
• 60% of all internet attacks target Web
applications
• SQL Injection and XSS constitute
80% of all recently discovered
vulnerabilities
• Application vulnerabilities now exceed
OS vulnerabilities
Applications
Operating Systems
Network
# Vulnerabilities

3. OWASP TOP 10
https://xkcd.com/327/

4. WHAT TO DO???
• More developers need to be made aware of the need for secure software development as
well as the practices associated with secure software development
• Education is key
• Security needs to be part of the mindset of any software development project from day 1
• Security CANNOT be an afterthought
• Security CANNOT be effectively added on later (e.g. firewalls)

5. WHY EDUCATION?
• Response from development team
– There is no issue here, you
encountered this error while using
Mozilla. Our product
documentation says the
application is only compatible with
IE.

6. A QUESTION OF CASE
• What the Fuzz?
• Basic testing or fuzzing would
have discovered that
capitalizing a letter would result
in all data being returned and
not just the authorized set
• Validation was only being done
client side

7. SECURING THE SDLC
• Requirements
• Security needs to be a requirement
• Risk Assessment
• Design
• Security controls to ensure all
requirements are met
• Design review
• Implementation
• Coding standards
• Static code analysis
• Peer code review
• Testing
• Abuse Cases
• Fuzzing
• Vulnerability scans
• Pen Testing
• Release/Maintenance
• Patching/Updating
Security needs to be a factor in all phases of the software
development lifecycle

8. THREAT MODELING
• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of Service
• Elevation of privilege
• Makes programmers think like an
attacker in order to identify potential
ways in which their application could be
abused

9. RISK ASSESSMENT
• Damage potential
• Reproducibility
• Exploitability
• Affected Users
• Discoverability
• Each threat is ranked in each category
on a scale of 1 to 3, with 1 being a
threat with minimal potential impact and
3 being a serious threat

10. STRIDE + DREAD EXAMPLE
Helps to identify which threats pose the biggest risk

11. FUZZING
• Fuzzing is an automated process of providing invalid and random
inputs into an application and monitoring the application for crashes
• It can help to identify inputs that the application cannot properly handle
and that hence could be used as potential attack

12. OWASP MUTILLIDAE
A deliberately
vulnerable web
application for training
security testing skills

13. XAMPP ON VIRTUAL MACHINE

14. MUTILLIDAE
Mutillidae
unzips into the
htdocs folder of
the Apache
install

15. BURP
Suite of tools for
performing Web
application security
testing

16. FOXY PROXY
Enables you to quickly
switch between the Burp
intercepting proxy and
non-proxied browsing

17. START BURP
Start Burp and use
Foxy Proxy to ensure
that our Web browser
requests go through
Burp

18. FIND TARGET
Burp lets us see the
pages loaded through
the browser as well as
spider a target site to
identify additional web
pages

19. FUZZ TARGET
Lets Identify the page we want
to target for fuzzing and send
it to the Burp Intruder Module

20. IDENTIFY POSITIONS
Identify which positions we
want to receive our fuzzed
input strings

21. LAUNCH THE ATTACK
Interesting, one attack
returned a different page
than the rest. Let’s try it out.

22. TEST THE ATTACK
We used an SQLi attack
to bypass the
authentication
mechanism

23. QUESTIONS