Well… since we now have a lot of clarity on what the various methods in TM do, Dinis suggested that, instead of waiting to complete ALL 123, let's start fuzzing, using my unit tests as a base or using Burp or ZAP proxy. I said yeah, cool… The trouble began soon after, when Mr. Mind started thinking: How? And, even more importantly, Why? That might seem like an absurd question; after all, we always fuzz. Not really, IMO anyway. Let me try and explain.
Let's think of a simple web app using MSSQL as a DB. Here you would just use ' and its variations to, say, detect SQL injection. The purpose of this fuzzing is largely to generate errors somehow and, if you are lucky, get a clue about the structure of the query. Or, if you're not, at least something to tell you that the app will be vulnerable to SQL injection. Then you can proceed. Right? If it's not this… why fuzz? After all, fuzzing isn't a "vulnerability" by itself, right? It's a means to uncover "other" vulnerabilities in an application.
Let me take an example to make my point clearer. In a method like Login(username, password) I can check a complete list of usernames to try and get in. What about something like, say, CreateArticle? For one, I doubt a normal tool would fuzz it, as the only parameter is an object, which has to be set through code. And Burp or ZAP will detect a parameter, yes, but how would you prefill all the object variables? Have a look at the links to the code to understand what I mean.
Taking it one step further, even assuming I build the abuse case on the basis of the unit test I have already written, the primary aim would be just to detect errors, right? As in: what happens if I set article.metadata.id to a random string? And take it from there. Does it generate any errors? What more can I understand about the app? That's it, right?
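To make the "abuse case built from a unit test" idea from the last three paragraphs concrete, here is a small harness I have added for this post; it is example code, not TeamMentor's code or its real unit tests. It takes a prefilled object (the same one a passing unit test would use), walks every leaf field including nested ones, drops in each value from a fixed payload list (the classic ' probes among them), invokes the method, and sorts what comes back into ok / rejected / unhandled exception. Article, Metadata and create_article are made-up stand-ins for CreateArticle and its object parameter; the one "weak spot" in create_article (trusting metadata.id to be GUID-shaped) is constructed for the example, not a finding about TM.

```python
"""Object-level fuzz harness built around a unit-test style call.

Everything below is constructed for this example: Article, Metadata and
create_article are hypothetical stand-ins for a CreateArticle(article)
method, not TeamMentor's real model. The harness itself is generic.
"""
import copy
from dataclasses import dataclass, field, fields, is_dataclass
from typing import Any, Callable


class ValidationError(Exception):
    """A handled rejection: the app noticed the bad input and said so."""


# --- Hypothetical target (stand-in for CreateArticle and its object parameter) ---

@dataclass
class Metadata:
    id: str = "00000000-0000-0000-0000-000000000001"
    author: str = "editor"


@dataclass
class Article:
    title: str = "Hello"
    body: str = "<p>text</p>"
    metadata: Metadata = field(default_factory=Metadata)


_STORE: dict = {}


def create_article(article: Article) -> str:
    """Toy target. It validates title properly but assumes metadata.id is a
    well-formed GUID, so a non-GUID value escapes as an unhandled exception
    (the kind of error the fuzzing in the post is meant to surface)."""
    if not article.title or len(article.title) > 80:
        raise ValidationError("title must be 1-80 characters")
    parts = article.metadata.id.split("-")   # AttributeError if id is None
    int(parts[4], 16)                         # IndexError / ValueError if not GUID-shaped
    _STORE[article.metadata.id] = copy.deepcopy(article)
    return article.metadata.id


# --- Generic harness -----------------------------------------------------------

# Constructed payload set: the classic SQLi probes plus the usual boundary values.
PAYLOADS = [
    "'", "''", "' OR '1'='1", '"',
    "", "A" * 5000, None,
    "<script>alert(1)</script>",
    "1-2-3-4-zz",  # right shape for a GUID, wrong content
]


@dataclass
class Finding:
    path: str       # dotted field path, e.g. "metadata.id"
    payload: Any
    outcome: str    # "ok", "rejected", or "unhandled:<ExceptionType>"
    detail: str = ""


def leaf_paths(obj: Any, prefix: str = ""):
    """Yield dotted paths to every non-dataclass field, recursing into nested objects."""
    for f in fields(obj):
        value = getattr(obj, f.name)
        path = f"{prefix}{f.name}"
        if is_dataclass(value):
            yield from leaf_paths(value, path + ".")
        else:
            yield path


def set_path(obj: Any, path: str, value: Any) -> None:
    """Assign value at a dotted path on a (copied) object."""
    *head, last = path.split(".")
    target = obj
    for part in head:
        target = getattr(target, part)
    setattr(target, last, value)


def fuzz_object(method: Callable[[Any], Any], baseline: Any, payloads=PAYLOADS):
    """Substitute each payload into each leaf field of a prefilled object, one at a
    time, call the method, and classify what came back."""
    findings = []
    for path in leaf_paths(baseline):
        for payload in payloads:
            case = copy.deepcopy(baseline)   # the unit test's valid object is the baseline
            set_path(case, path, payload)
            try:
                method(case)
                outcome, detail = "ok", ""
            except ValidationError as exc:
                outcome, detail = "rejected", str(exc)
            except Exception as exc:         # anything else is the interesting signal
                outcome, detail = f"unhandled:{type(exc).__name__}", str(exc)
            findings.append(Finding(path, payload, outcome, detail))
    return findings


def unhandled(findings):
    """The triage list: fields whose payload escaped as an unhandled exception."""
    return [f for f in findings if f.outcome.startswith("unhandled:")]


if __name__ == "__main__":
    for f in unhandled(fuzz_object(create_article, Article())):
        print(f"{f.path:<16} {f.outcome:<24} payload={f.payload!r:.30}")
```

Run it and only metadata.id shows up in the unhandled list, with a different exception type per payload shape (IndexError for the quote probes, ValueError for the GUID-shaped junk, AttributeError for None); title lands in "rejected" for the empty and oversized values and body never complains at all. That table, not the payloads themselves, is what the fuzzing run gives you to "take it from there": which fields the app validates, which ones it trusts, and where an error message might leak something about what the method does with the value.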
And lastly, if there is a method that doesn't have arguments, like TMConfigFile, surely you can't "fuzz" that? Yes, you can check if the Reader, Editor or an anonymous user can invoke it… but that's auth testing. You can't fuzz it. At least that's what I think :D. Your thoughts?
P.S. Have I missed something very blatant?