[Repost] What fuzz testing (fuzzing) is

I. Description

At university I came across two concepts involving the word "fuzzy", and both felt very vague to me. One was "fuzzy search" from the database course, which gradually became clear as meaning something like the SQL LIKE statement; the other was "fuzzing", which came up in the specialised courses.

The concept itself is easy enough to understand; it is nothing more than: "Fuzzing is a software testing technique whose core idea is to feed automatically or semi-automatically generated random data into a program and to monitor the program for exceptions, such as crashes or failed assertions, in order to identify possible program errors, such as memory leaks."

This definition may be very accurate, but to someone who has never come into contact with fuzzing it is still very vague. I think this is a problem with how knowledge is presented: a very simple thing is described in complicated terms, and in the end you are never told what it actually is. It is like introducing someone as the "company-wide physical security commissioner", which sounds so grand, or as a "mentor for world Internet information terminals and the integrated application of human information science", which sounds so highly technical; unless you simply say "security guard" and "network administrator", nobody would guess what the job actually is.

 

II. Definition of fuzzing

Fuzzing (fuzz testing) is a software testing technique. Its core idea is to feed automatically or semi-automatically generated random data into a program and to monitor the program for exceptions, such as crashes or failed assertions, in order to detect possible bugs, such as memory leaks. Fuzz testing is often used to detect security vulnerabilities in software or computer systems.

We use this Wikipedia definition, and then focus on what this "random data" looks like and how it is "fed into the program".

 

III. Test cases

3.1 Test case categories

The term "random data" is too broad and a bit irresponsible: random data does not mean trying every number from 0 to infinity. There are still some instructive categories of test cases.

Buffer overflow test cases: long strings, for example a few hundred a's; they can be longer, as long as they feel long enough. For long strings there is usually no need for equivalent cases such as a string of a's and a string of b's; two or three cases whose lengths differ noticeably are enough.

Random value test cases: many configuration values supported by a system are fixed, for example a screen that only supports 1080p, so we can deliberately set 1081p. Negative numbers, floating point numbers and very large numbers each get one test case.

Format string test cases: %d, %s and similar symbols are format directives in many languages; used as input they may lead to errors. Just throw in a few test cases of varying lengths.

Special character test cases: ! ~ @ # $ % and similar symbols have special meanings in many languages and may cause errors when used as input. Ideally each character gets a test case at several different lengths.

Unicode encoding test cases: some programs do not support Unicode, so Unicode input may cause errors. Use %uxxxx and similar forms at a few different lengths.

 

3.2 Test case construction

We take HTTP as an example; test cases for other application-layer protocols are generated in a similar way. First, here is an HTTP request packet:

GET /index.php
Host: www.baidu.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Cookie: BAIDUID=DE7A3603AFE90C7C9B7848944652D535:FG=1; BIDUPSID=DE7A3603AFE90C7C9B7848944652D535; PSTM=1525757648; BD_UPN=13314352; __cfduid=d557d51bf4d18d86c9c3ad0df8f78186b1526712772; MCITY=-%3A; ispeed_lsm=2; sug=3; sugstore=1; ORIGIN=0; bdime=0; H_PS_PSSID=; delPer=0; BD_CK_SAM=1; PSINO=2; BDSVRTM=0; pgv_pvi=3566222336; pgv_si=s6214074368
Connection: keep-alive
Upgrade-Insecure-Requests: 1

---- Individual test cases: use "control of variables" testing. For example, when testing the Host header, keep the other headers at their normal values, so that the effect of the Host header's value is not confused with the effects of the other headers.

---- Linked test cases: in contrast to individual test cases, some items are related; one item may need a particular value before another takes effect, so several test cases have to be generated together. For example, modify the Accept header together with Accept-Encoding.

Rule: do not distinguish similar characters. As mentioned above, digits 0-9 and letters a-z are equivalent, so there is no need to test one and then the others.

Rule: do not use length steps that are too small. For things like length, as described above, pick a few representative lengths; there is no need to test length 100 and then length 101.
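The categories in 3.1 and the construction rules in 3.2, carried out in code. This is an added example, not code from the original post: the request template is a constructed sample rather than the captured packet above, and the function names, the length table and the "campaign" helper are my own choices.

```python
# Added example (not from the original post): generate fuzz test cases for an
# HTTP request template following the categories in 3.1 and the rules in 3.2.
# The request below is a constructed sample, not captured traffic.
from typing import Dict, List, Tuple

SAMPLE_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# "No tiny length steps" rule: a few representative sizes far apart,
# not 100 followed by 101.
LENGTHS = (100, 1000, 10000)


def long_strings() -> List[str]:
    # Buffer-overflow class. One character is enough: a string of b's
    # would be an equivalent case and is not generated.
    return ["A" * n for n in LENGTHS]


def format_strings() -> List[str]:
    return ["%s" * n for n in (1, 10, 100)] + ["%d%n" * 10, "%x" * 50]


def special_chars() -> List[str]:
    # Each special character at several lengths.
    return [c * n for c in "!~@#$%" for n in (1, 10, 100)]


def unicode_cases() -> List[str]:
    return ["%u" + "0041" * n for n in (1, 10, 100)] + ["\u0000" * 10, "\uffff" * 100]


def numeric_cases() -> List[str]:
    # Out-of-range / wrong-type values for a field that expects a fixed value.
    return ["-1", "0", "1081", "1.5", "-3.14", str(2 ** 31), str(2 ** 64)]


def all_cases() -> List[str]:
    return long_strings() + format_strings() + special_chars() + unicode_cases() + numeric_cases()


def parse_request(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP request into its request line and an ordered header list."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def build_request(request_line: str, headers: List[Tuple[str, str]]) -> str:
    return request_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"


def single_header_cases(raw: str, target: str, payloads: List[str]) -> List[str]:
    """Control of variables: vary only `target`; every other header keeps its captured value."""
    request_line, headers = parse_request(raw)
    out = []
    for p in payloads:
        mutated = [(n, p if n == target else v) for n, v in headers]
        out.append(build_request(request_line, mutated))
    return out


def linked_header_cases(raw: str, targets: List[str], payloads: List[str]) -> List[str]:
    """Linked cases: change several related headers together (e.g. Accept and Accept-Encoding)."""
    request_line, headers = parse_request(raw)
    out = []
    for p in payloads:
        mutated = [(n, p if n in targets else v) for n, v in headers]
        out.append(build_request(request_line, mutated))
    return out


def campaign(raw: str) -> Dict[str, List[str]]:
    """One group of single-header cases per header in the template."""
    _, headers = parse_request(raw)
    return {name: single_header_cases(raw, name, all_cases()) for name, _ in headers}


if __name__ == "__main__":
    for header, cases in campaign(SAMPLE_REQUEST).items():
        print(f"{header}: {len(cases)} cases")
```

The generator is deterministic on purpose: the point of the rules in 3.2 is that the case set is small and representative, and a fixed set can be replayed against the target when a finding has to be reproduced.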

 

3.3 Test templates

Above we described how to generate test cases, but how are they used, that is, how are they applied to the target software?

As in 3.2, we intercept a packet and modify its values with the generated test cases. Testing in general (whether ordinary testing or penetration testing) does not force a hole into the software; it tests through the system's interfaces, changing the values passed to an interface to the generated test cases.

For example, every web request or API interface is a test case template.

 

3.4 The difference between fuzzing and a web scanner

Fuzzing generates test cases according to the three points above.

In fact, a web scanner also finds problems by using test cases, but a web vulnerability scanner uses specific test cases: SQL injection test cases for testing SQL injection, XSS test cases for testing XSS. Two such SQL test cases are as follows:

# Test case 1
union select user,password,authentication_string from mysql.user;
# Test case 2
union/**/select/**/user,password,authentication_string/**/from/**/mysql.user;

So there is still a fairly clear distinction between fuzzing and a web scanner, although overlap is of course normal.

 

IV. Fuzzing tools

4.1 Automatic fuzzing tool: bed

bed is a fully automated protocol fuzzer. It fuzzes the requests and request headers of FTP / SMTP / POP / HTTP / IRC / IMAP / PJL / LPD / FINGER / SOCKS4 / SOCKS5 and other protocols, and using it is not complicated: there are only a few parameters.

I ran bed -s http -t 192.168.220.1 against a local HTTP server; it took roughly an afternoon.

 

4.2 Semi-automatic fuzzing tool: burpsuite

bed only fuzzes the standard requests and standard headers of a protocol; custom content such as the body of an HTTP POST is not fuzzed. But that part is actually the main part we want to test, so relying on bed alone is not enough.

Burp Suite's Intruder is a highly configurable fuzzing function: set the variable positions in Intruder, then set the test cases under Payloads, and you can fuzz.

 

4.3 Semi-automatic fuzzing frameworks: spike / sulley

With a GUI tool like burpsuite, first, some people find it awkward to use, and second, it is not suitable when the fuzzing results need to be fed into other code, so we need code frameworks.

spike is said to be the originator of the automated frameworks, but its documentation is incomplete.

sulley is an automated fuzzing framework modelled on spike. It can be downloaded from github (https://github.com/OpenRCE/sulley.git) and installed following the instructions in its INSTALL.txt. Some of the Windows dependencies had very complicated installation steps that I could not get to work, so I gave up on them; on kali the important dependency vtrace (vdb) had its site shut down, so I did not actually install it, but the code below still runs successfully (probably because vdb is only used by some features that I did not use).

sulley is essentially a program written in Python 2. What we have to do is "secondary development" on it; concretely, open the sulley project, write our own test code as if writing a normal Python 2 program, save it as a .py file, and run that file. A code example is as follows:

# -*- coding: utf-8 -*-
from sulley import *

# By convention this part is saved under the requests folder, e.g. as ftp_ability.py,
# and imported with the following statement:
# from requests import ftp_ability
# "user" etc. are neither variables nor functions nor classes, so they cannot be
# imported directly, but s_get looks them up automatically, so there is no need to worry.

# Define a fuzzing template named "user"
s_initialize("user")
# s_static marks this part as a fixed string
s_static("USER")
# s_delim marks this part as non-alphabetic delimiter characters, repeated an arbitrary number of times
s_delim(" ")
s_static("ftp")
s_static("\r\n")

# Define a fuzzing template named "pass"
s_initialize("pass")
s_static("PASS")
s_delim(" ")
s_static("ftp")
s_static("\r\n")

# Define a fuzzing template named "stor"
s_initialize("stor")
s_static("STOR")
s_delim(" ")
# s_string marks this part as the string to be fuzzed; during the test sulley replaces it with the various test case categories
s_string("AAAA")
s_static("\r\n")

# The session is used to send the test cases
sess = sessions.session()
# This step can be understood as establishing the network connection to the target
target = sessions.target("192.168.220.1", 21)
# Set the network connection used for this test
sess.add_target(target)
# Test with the user template on its own
sess.connect(s_get("user"))
# First send a packet generated from the user template, then one generated from the pass template
sess.connect(s_get("user"), s_get("pass"))
# First send a packet generated from the pass template, then one generated from the stor template
sess.connect(s_get("pass"), s_get("stor"))
# Start fuzzing with the configuration above
sess.fuzz()

In the IDE the project is organised as shown below; in fact we just save the code above as ftp_fuzzing_test.py in the sulley project directory and run it.

A Wireshark screenshot of part of the packets generated from the user template during the test; it can be seen that the first space is repeated a different number of times according to the generated test cases:

A fuller description of the syntax can be found at: https://fuzzinginfo.files.wordpress.com/2012/05/introducing_sulley.pdf

 

4.4 Hand-written fuzzing tools

Using a framework generally achieves better fuzzing with less code, but there are two costs: first, you have to learn its syntax, and second, installing the framework is sometimes very complicated.

We have already clarified what the test cases are above, so if the task is not very complicated, we might as well write our own fuzzing tool from scratch.

An example of a self-written implementation: https://www.cnblogs.com/lsdb/p/10958933.html
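The "write it yourself" approach of 4.4 combined with the template idea of 3.3, as an added example that is neither the post's code nor the code at the link above. It fills a template with test cases, runs each one against a target, and records every case that makes the target misbehave, which is the "monitor the program for exceptions" half of the definition in section II. The target is a constructed in-process toy parser with a deliberate weakness so the example runs offline; the template, the case list and the function names are my own assumptions, and against a real service `toy_target` would be replaced by a function that sends the request over a socket and reports a reset or timed-out connection.

```python
# Added example, not code from the original post or from the linked article:
# a minimal hand-written fuzzer in the spirit of section 4.4. It fills a
# request template with test cases, runs each case against a target, and
# records every case that misbehaves (a raised exception, standing in for a
# crash or failed assertion, or a slow response).
import time
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

MARKER = "<FUZZ>"

# Constructed template: the Content-Length value is the variable under test,
# every other field stays fixed (control of variables, section 3.2).
TEMPLATE = (
    "POST /upload HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Length: <FUZZ>\r\n"
    "\r\n"
)

# Constructed cases drawn from the categories in 3.1: normal values, a
# negative number, a float, a format string, a long string, a huge number.
CASES = ["0", "10", "-1", "1.5", "%s" * 10, "A" * 1000, str(2 ** 64)]


def toy_target(request: str) -> int:
    """Constructed target with a deliberate weakness: it trusts the
    Content-Length header and does no validation, so malformed values
    raise ValueError and a negative value fails an internal check."""
    for line in request.split("\r\n"):
        if line.lower().startswith("content-length:"):
            n = int(line.split(":", 1)[1])
            if n < 0:
                raise AssertionError("negative content length")
            return n
    return 0


@dataclass
class Finding:
    case: str
    kind: str      # "exception" or "slow"
    detail: str


def fuzz(template: str, marker: str, cases: Iterable[str],
         target: Callable[[str], object], slow_after: float = 0.5) -> List[Finding]:
    """Run every case through the target and collect the ones that misbehave."""
    findings: List[Finding] = []
    for case in cases:
        request = template.replace(marker, case)
        start = time.perf_counter()
        try:
            target(request)
        except Exception as exc:
            # Any uncaught exception is a finding; on a real target this is
            # where a crash, reset connection or timeout would be detected.
            findings.append(Finding(case, "exception", f"{type(exc).__name__}: {exc}"))
            continue
        elapsed = time.perf_counter() - start
        if elapsed > slow_after:
            findings.append(Finding(case, "slow", f"{elapsed:.2f}s"))
    return findings


def bucket(findings: List[Finding]) -> Dict[str, int]:
    """Group findings by failure type, so many cases hitting one bug are easy to see."""
    return dict(Counter(f.detail.split(":")[0] if f.kind == "exception" else "slow"
                        for f in findings))


def run_demo() -> List[Finding]:
    found = fuzz(TEMPLATE, MARKER, CASES, toy_target)
    for f in found:
        shown = f.case if len(f.case) <= 20 else f.case[:20] + "..."
        print(f"[{f.kind}] case={shown!r} -> {f.detail}")
    print(bucket(found))
    return found


if __name__ == "__main__":
    run_demo()
```

Every finding keeps the exact case that triggered it, which is what makes a fuzz result actionable: the failing input can be replayed on its own against the target to confirm the bug and, later, to confirm the fix.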

 

References:

https://zh.wikipedia.org/wiki/%E6%A8%A1%E7%B3%8A%E6%B5%8B%E8%AF%95

https://github.com/OpenRCE/sulley/wiki/Windows-Installation

http://www.fuzzing.org/wp-content/SulleyManual.pdf


Source: www.cnblogs.com/yanghj010/p/11285267.html