Fuzzing TM Webservices…fuzzing anything..?

Well… since we now have a lot of clarity on what the various methods in TM do, Dinis suggested that instead of waiting to complete all 123, we start fuzzing, using my unit tests as a base or using Burp or ZAP proxy. I said yeah, cool… The trouble began soon after, when Mr. Mind started thinking: How? And… even more importantly… Why? That might seem like an absurd question… after all, we always fuzz. Not really… IMO anyway… let me try and explain.

Let's think of a simple web app using MSSQL as a DB. Here you would just use ' and its variations to, say, detect SQL injection. The purpose of this fuzzing is largely to generate errors somehow and, if you are lucky, get a clue about the structure of the query. Or if you're not… at least something to tell you that the app will be vulnerable to SQL injection. Then you can proceed. Right? If it's not this… why fuzz? After all, fuzzing isn't a 'vulnerability' by itself, right? It's a means to uncover "other" vulnerabilities in an application.

Let me take an example to make my point clearer. In a method like Login(username, password) I can check a complete list of usernames to try and get in. What about something like, say, CreateArticle? For one… I doubt a normal tool would fuzz it, as the only parameter is an object, which has to be set through code. Burp or ZAP will detect a parameter, yes… but how would you prefill all the object's fields? Have a look at the links to the code to understand what I mean.

Taking it one step further… even assuming I build the abuse case on the basis of the unit test I have already written, the primary aim would just be to detect errors, right? As in: what happens if I set article.metadata.id to a random string? And take it from there. Does it generate any errors? What more can I understand about the app? That's it, right?

And lastly… if there is a method that doesn't have arguments, like TMConfigFile… surely you can't "fuzz" that? Yes, you can check whether the Reader, Editor or an anonymous user can invoke it… but that's auth testing. You can't fuzz it. At least that's what I think :D. Your thoughts?

p.s… Have I missed something very blatant?

This entry was posted in UnitTests, WebServices.

3 Responses to Fuzzing TM Webservices…fuzzing anything..?

  1. Romich says:

    Well, I agree with you and not exactly. Fuzzing, and any automated testing for that matter, is used to exchange accuracy for time. In other words, when testing for SQL injection for example, there is a number of things the filter on the app side can filter against. Yet there could be one little thing that the developer forgot about, and that is your way in. When testing manually you may see some errors that will lead you to this vuln; however, you may need to spend a significant amount of time trying to get there, even to deduce that it is there in the first place. When you fuzz, it's like a carpet bomb: you try different things that are already known in the hope that you hit a target. So both are really necessary, unless you have all the time in the world 🙂

    • Thanks Roman. I do understand the speed/accuracy tradeoff. Where I would like a little help is on how to decide what you fuzz… and when? Now, for example, you have a method GetUserById(userid)… which is a number. Now if you fuzz this… what strings would you use?

      a) You could try huge numbers and non-existent user IDs to see how the app behaves
      b) Random alphanumeric strings or strings with special characters to try and force errors out of the application

      Again… I do understand what FuzzDB or any other tool does, but my question is… what is the maximum that you can hope to achieve by fuzzing GetUserById(userId)? Apart from the above?

      Thnx
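An added example, not part of the post or the comments above and not TeamMentor's code: a small Python harness around a hypothetical FakeService (its bugs are constructed for the demo) that does what the post and the GetUserById reply describe. It starts from the unit test's known-good argument, replaces one field at a time (article.metadata.id, or the whole userid) with boundary numbers and error-forcing strings, and classifies each outcome as accepted, cleanly refused, or an unhandled error worth a closer look.

```python
import copy

# Hypothetical stand-in for a TM-style service; its bugs are constructed for this demo.
class FakeService:
    USERS = {1: "admin", 2: "reader"}

    def GetUserById(self, userid):
        if not isinstance(userid, int):
            raise ValueError("userid must be an int")   # validated: a handled refusal
        return self.USERS[userid]                        # unknown id escapes as KeyError

    def CreateArticle(self, article):
        # metadata.id is assumed numeric; a string payload surfaces as a TypeError
        new_id = article["metadata"]["id"] + 1
        return {"id": new_id, "title": article["metadata"]["title"]}

# Payload sets from the discussion: boundary/non-existent numbers and error-forcing strings.
NUMERIC_PAYLOADS = [0, -1, 999999, 2 ** 31, 2 ** 63]
STRING_PAYLOADS = ["'", '"', "<b>", "a" * 4096, "%s%n", "\x00"]

def set_path(seed, path, value):
    """Deep-copy seed and replace the field at dotted path ('' means the whole argument)."""
    if path == "":
        return value
    clone = copy.deepcopy(seed)
    node, keys = clone, path.split(".")
    for key in keys[:-1]:
        node = node[key]
    node[keys[-1]] = value
    return clone

def fuzz_method(method, seed, paths):
    """Mutate one field at a time from a known-good seed (the unit-test input) and classify."""
    findings = []
    for path in paths:
        for payload in NUMERIC_PAYLOADS + STRING_PAYLOADS:
            try:
                method(set_path(seed, path, payload))
                outcome = "ok"
            except ValueError:
                outcome = "handled"                        # app refused the input cleanly
            except Exception as exc:
                outcome = "error:" + type(exc).__name__    # unexpected: worth a closer look
            findings.append((path, payload, outcome))
    return findings

def unexpected_errors(findings):
    """Only the cases where the app blew up rather than refusing or accepting the input."""
    return [f for f in findings if f[2].startswith("error:")]
```

Running `fuzz_method(FakeService().GetUserById, 1, [""])` shows the numeric payloads escaping as KeyError while every string is cleanly refused, which is exactly the kind of "what more can I learn about the app" signal the post is after.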
