What is webapp fuzzing? How is it used in testing web services?
Web app fuzzing is an automated method of locating bugs: a wide range of invalid and unexpected data is sent into an application, and any exceptions that result are tracked. This can give users a unique view of the application's security and structure, allowing them to possibly locate an exploitable bug or error through a system crash or memory leak. I find web app fuzzing similar to performing an engine leak-down test using compressed air and an air pressure gauge inserted in place of a spark plug; by forcing air into the engine, any issues with seals, valves, or other parts that should be air-tight can appear (Li, 2020).
Web app fuzzing can be used to test web services for exploits and bugs and can often be much more effective than merely examining code using static code analysis. In static code analysis, the examined code is not live, so seeing how it operates when the web service is running can only be done through methods such as web app fuzzing. In performing web app fuzzing, the first step is to determine the data entry points, in other words, how and where users send data as input into the application. Next, one must decide what data to feed to the system, such as SQL and XSS payloads; it helps if these contain abnormal encodings or characters and are large enough to cause errors in processing (Li, 2020).
Once the entry points and the payloads are determined, the next step is sending the fuzz payload list to the system's entry points; this process can be performed using automated tools such as Burp Suite Intruder and the OWASP ZAP Fuzzer. Finally, as with any program that is run, the results need to be monitored and thoroughly documented. The server's response to the payload, any patterns found, errors located, and even the time it takes for the system to process everything provide the clues one needs to effectively gather the necessary intelligence on the web application. Overall, web app fuzzing is an excellent tool for both the offensive and defensive sides of building, testing, and penetrating web applications (Li, 2020).
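The four steps above (entry point, payload list, sending, monitoring) can be seen end to end in the following added example, which is not taken from the original post or from Li's article. The toy server, its two planted bugs, the payload list, and all function names are constructed for illustration, and everything runs against 127.0.0.1 only.

```python
import threading, time, urllib.error, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class ToyApp(BaseHTTPRequestHandler):  # constructed local target, two planted bugs
    log_message = lambda *args: None   # keep the demo output quiet
    def do_GET(self):
        q = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query).get("q", [""])[0]
        code, body = 200, "results for " + q
        if "'" in q:            # planted bug: unhandled error on a quote
            code, body = 500, "unhandled exception"
        elif len(q) > 1000:     # planted bug: slow handling of oversized input
            time.sleep(0.5)
        self.send_response(code)
        self.end_headers()
        self.wfile.write(body.encode())

def probe(base, value):
    """Send one value to the entry point; return (status, body length, seconds)."""
    url = base + "/search?q=" + urllib.parse.quote(value)
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:   # 4xx/5xx still carry a response
        status, body = err.code, err.read()
    return status, len(body), time.monotonic() - start

def fuzz(base, payloads, slow_margin=0.25):
    """Flag payloads whose response deviates from a benign baseline request."""
    base_status, _, base_secs = probe(base, "hello")
    findings = {}
    for p in payloads:
        status, _, secs = probe(base, p)
        if status != base_status:
            findings[p[:20]] = f"status {status}"
        elif secs > base_secs + slow_margin:
            findings[p[:20]] = "slow response"
    return findings

def run_demo():
    srv = HTTPServer(("127.0.0.1", 0), ToyApp)   # port 0 = any free local port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    payloads = ["abc", "O'Brien", "<b>x</b>", "%00\u202e", "A" * 5000]  # constructed
    try:
        return fuzz(f"http://127.0.0.1:{srv.server_address[1]}", payloads)
    finally:
        srv.shutdown()

if __name__ == "__main__":
    print(run_demo())
```

Comparing every response against a benign baseline is what turns raw output into findings: here the quote produces a status change and the oversized value produces a timing change, while the other inputs match the baseline and are not reported.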
Simpson, M. T., & Antill, N. (2017). Hands-On Ethical Hacking and Network Defense. Boston, MA: Cengage Learning.
Li, V. (2020, January 26). Fuzzing web applications. Retrieved May 11, 2021, from https://medium.com/swlh/fuzzing-web-applications-e786ca4c4bb6#:~:text=Fuzzing%20is%20a%20way%20of,specific%20purpose%2C%20or%20randomly%20generated.