[fuzzing] OWASP Fuzzing page
fthiery at gmail.com
Tue Dec 12 10:08:30 CST 2006
> if you give two people the same pseudocode, will they both write actual
> code that is exactly the same? I don't think they will.
Yeah, right :)
> > > as a simple example, if you never fuzz the GET command, then how do
> > > you know that the error handling of that works correctly?
> > One could do it in two steps to save time:
> > - first one, 5 strings fuzz, binary -> error handling
> > - second one, "GET "+long fuzzed strings
> sorry i don't really understand. my point was that the section of code
> that presents the user with an "Invalid Verb" (IIS) error message will
> not be tested by your methods. G\T is valid in this sense, what about
> G^T, etc.
I don't see why a norm-aware fuzzer wouldn't try this. Only, the fact that
the fuzzer is norm-aware allows it to understand the data partitioning (for
binary/block data) or text semantics. You test G^T, G*T etc but not
G^Tazoizefioejzfozec.... G*canzoicnazoicnazo... G*cznueczncezeoc....
Using the specs only for data structuration can skip the
data-partitioning-detection phase (if it's not a totally obscure protocol).
> if you are not even bothering to attempt to test everything, what's the
> point? Fuzzing is more or less the only testing discipline that this
> applies to (when i say fuzzing i mean input validation)
You do test everything, but with steps.
> > I looked everywhere about automatic protocol RE machine learning-based
> > implementations, didn't find any. Structure redonduncy detection,
> > recognition, statistical analysis (not sure about which data mining
> > to choose)... Any papers / skills / examples / links out there?
> I haven't found any either. all my stuff is my own - I am the only
> person I know working like this.
Do you publish your work? I'd be interested in the approach you're taking.
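The two-step, structure-aware approach discussed in this thread, written out as an added example (it is not code from either participant): stage 1 mutates only the verb token with a handful of short strings such as G^T and G*T, stage 2 keeps a valid "GET " prefix and fuzzes only the request target with long strings. The target is a constructed toy request-line parser that reports which error-handling path an input reached; the verb list, the 2048-byte target limit and the "Invalid Verb" wording are assumptions for the example, not IIS behaviour. The unstructured baseline shows the point made above: random strings that ignore the protocol structure never reach the verb-validation path at all.

```python
import random
import string
from collections import Counter

# Assumptions for this example: a toy target with three verbs and a
# fixed maximum target length. Real servers differ.
VALID_VERBS = ("GET", "HEAD", "POST")
MAX_TARGET = 2048


def parse_request_line(line):
    # Toy HTTP request-line parser standing in for the system under test.
    # It returns the error category so the harness can see which
    # error-handling path each input exercised.
    parts = line.split(" ")
    if len(parts) != 3:
        return "400 Bad Request"
    verb, target, version = parts
    if verb not in VALID_VERBS:
        return "400 Invalid Verb"
    if len(target) > MAX_TARGET:
        return "414 URI Too Long"
    if not target.startswith("/"):
        return "400 Bad Target"
    if version != "HTTP/1.1":
        return "505 Version Not Supported"
    return "200 OK"


def verb_token_cases(verb="GET", punct="^*\\|$@"):
    # Stage 1: short, structure-aware mutations of the verb token only.
    # Each position of the verb is replaced by one punctuation character
    # while the rest of the request line stays well formed, so the input
    # gets as far as the verb check instead of failing earlier.
    cases = []
    for i in range(len(verb)):
        for ch in punct:
            cases.append(verb[:i] + ch + verb[i + 1:] + " / HTTP/1.1")
    return cases


def long_target_cases(seed=0, lengths=(1, 64, 2048, 2049, 8192)):
    # Stage 2: keep the verb valid ("GET " prefix) and fuzz only the
    # target field with growing lengths straddling the assumed limit.
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits + "/%?&="
    cases = []
    for n in lengths:
        target = "/" + "".join(rng.choice(alphabet) for _ in range(n - 1))
        cases.append("GET " + target + " HTTP/1.1")
    return cases


def naive_cases(seed=0, count=20, length=40):
    # Baseline: unstructured random strings of the kind a fuzzer that
    # ignores the protocol grammar emits (constructed sample inputs).
    rng = random.Random(seed)
    alphabet = string.ascii_letters + "^*"
    return ["".join(rng.choice(alphabet) for _ in range(length))
            for _ in range(count)]


def outcomes(cases):
    # Count how many inputs reached each error-handling path.
    return Counter(parse_request_line(c) for c in cases)


def paths_reached(stages):
    # Union of the error paths reached by all stages of a campaign.
    reached = set()
    for cases in stages:
        reached.update(outcomes(cases))
    return reached


if __name__ == "__main__":
    print("stage 1 (verb token):", dict(outcomes(verb_token_cases())))
    print("stage 2 (long target):", dict(outcomes(long_target_cases())))
    print("naive baseline:", dict(outcomes(naive_cases())))
    print("staged campaign reached:",
          sorted(paths_reached([verb_token_cases(), long_target_cases()])))
```

The baseline lands on "400 Bad Request" for every input because a random string almost never contains exactly two spaces, so the verb check is never even evaluated; the staged campaign reaches the verb path with 18 short strings and the length path with two long ones, which is the "test everything, but with steps" argument in runnable form.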