Yes! Finally I’ve managed to start fuzzing and have some code over here if you want to quickly jump there without reading my fun stories ;). There’s a sample XML file too if you want to take a look at the output. Right. So let me quickly explain, what progress has been made; and the logic behind it.
I posted recently about a query I had wrt fuzzing and Dinis had a B-) post up explaining a lot about it. You should read those first before you come here. So, effectively, you fuzz because you want to try and make the application misbehave. Somehow. Many a time, you don’t know which attack payload will trigger something and how. But you still fuzz. Because, that, precisely is the point. If you knew what to do, and which payload worked, in advance, wouldn’t you rather try that manually? After all, that gives you more control. That’s not possible; so we fuzz.
So I now had to fuzz all 103 methods for which I’d written Unit tests. So the first thing I did was to find out which methods were NOT fuzzable at all; in other words – they did not take any user input as arguments. If I can’t pass user data, I can’t pass attack payloads; = No fuzz. I added a new sheet [Fuzzing_Exceptions_thrown] to our Auth tracking Google Doc coz I didn’t want to clutter the original one up. It contains only those methods which have at least 1 argument, controlled by a user. There’s other columns there; but those are self explanatory so maybe you should take a look yourself? 🙂
Now, the interesting thing in fuzzing these methods is that, there are a few methods which will take ONLY a number or a 32 bit GUID as an argument. The moment you send a ‘non number’ or tamper with a single bit of the GUID, an exception is thrown. Take a look at the GetFolderStructure_Library row for an example. So now, this means that there isn’t ANY point in trying to fuzz these methods where there’s just 1 argument which has a ‘tight data type’ with other strings to test for SQL Injection or XSS. You will continue to receive the same errors again and again irrespective of what attack vector you use. So the number of fuzz strings are lower.
I tried to group all similar methods which used only a number or a GUID together; all of this can be eliminated straight away; from a fuzzing perspective. Just those few strings and we’re done. All of this is present in the Google Doc linked above. I also wrote a little fuzzer for the GetFolderStructure_Library method which I linked right at the top of the post; and do so again here :). That’s it for now. Cya later.