Don’t let the whimsical name fool you. Fuzzing is a serious process that can help uncover critical, unknown and sometimes weird problems affecting today’s modern, complex applications. Good fuzzing tools can often find hidden ways that programs can be exploited long before they are deployed to the public.

How fuzz testing works

Fuzz testing is an automated process that is almost always employed against completed code. This makes it similar to dynamic application security testing (DAST) tools, which also require programs to be fully compiled. However, DAST tools and fuzzing tools look for completely different things. A DAST tool scans for known classes of vulnerabilities, such as whether an app can be abused to make remote procedure calls, or weak protections around exposed HTTP and HTML interfaces. Fuzzing tools, by contrast, feed unexpected input to an application to find out whether doing so produces weird or unintended results.

One of the easiest ways to envision the kinds of problems that fuzzing uncovers is to think of programs like banking or ecommerce apps that are designed to work with known inputs like integers. For example, in banking, let’s say a program is designed to allow users to transfer money from one account to another. Instead of entering a positive value in the amount field to transfer, a user unexpectedly enters a negative number. How does the program handle this? It might put money into the account instead of sending any out. Or it might generate money that doesn’t exist. With an ecommerce program, what happens when someone tries to put millions or even billions of items into their cart? Will that crash the entire site or give them billions of free items?

If a programmer has been thoughtful and written tight code, most of those business logic flaws will have already been anticipated. But nobody can think of every situation. Unexpected behaviors don’t just happen when users fool around with numbers in the input fields. What if an attacker sends command line functions into an app, encrypted content, operating system commands or raw code in the same language the app is written in?
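The banking example above, as an added illustration that is not part of the original article: a small fuzz harness that throws negative, boundary-sized and wrongly typed amounts at a transfer function and checks invariants instead of looking for crashes. The `Account` class, the two `transfer_*` functions and the `MAX_TRANSFER` limit are constructed for this example; the naive version shows the negative-amount flaw the text describes, and the checked version shows the input validation that closes it.

```python
import random
from dataclasses import dataclass

MAX_TRANSFER = 1_000_000  # assumed business limit for a single transfer


@dataclass
class Account:
    balance: int


def transfer_naive(src: Account, dst: Account, amount: int) -> None:
    """Transfer written for the happy path only: never checks that amount is positive."""
    if src.balance < amount:
        raise ValueError("insufficient funds")
    src.balance -= amount
    dst.balance += amount


def transfer_checked(src: Account, dst: Account, amount: int) -> None:
    """Hardened transfer: rejects wrong types, non-positive and oversized amounts."""
    if not isinstance(amount, int) or isinstance(amount, bool):
        raise TypeError("amount must be an integer")
    if amount <= 0 or amount > MAX_TRANSFER:
        raise ValueError("amount out of range")
    transfer_naive(src, dst, amount)  # the remaining logic is unchanged


def fuzz_transfer(transfer, rounds=200, seed=1):
    """Feed the transfer function unexpected amounts and return those that broke an
    invariant: a completed transfer must never raise the source balance, lower the
    destination balance, leave a negative balance or leave a non-integer balance."""
    rng = random.Random(seed)
    generators = [
        lambda: rng.randint(-10**6, -1),                 # negative amounts
        lambda: rng.choice([0, 2**31, 2**63, 10**30]),   # boundaries and huge values
        lambda: rng.randint(1, 500),                     # ordinary values
        lambda: rng.choice(["100", None, 1.5, True]),    # wrong types
    ]
    failures = []
    for _ in range(rounds):
        src, dst = Account(500), Account(500)  # constructed sample accounts
        amount = rng.choice(generators)()
        try:
            transfer(src, dst, amount)
        except (ValueError, TypeError):
            continue  # rejecting bad input is the desired behaviour
        if (src.balance > 500 or dst.balance < 500 or src.balance < 0
                or not isinstance(src.balance, int)):
            failures.append(amount)
    return failures
```

Run `fuzz_transfer(transfer_naive)` to see the negative amounts (and the float) that silently move money the wrong way; `fuzz_transfer(transfer_checked)` returns an empty list because every bad input is rejected before it touches a balance.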
