Fuzzing Machine By Nikolaj Tolkačiov.

Slides:

Advertisements

Similar presentations

The Ultimate Troubleshooter TUT July 26, 2005 Lorain County Computer Computer Users Group Users Group.

Advertisements

Legal Meetings: Extended Instructions on Movica and Screencast.

WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?

By Skyler Onken.  Who am I?  What is Fuzzing?  Usual Targets  Techniques  Results  Limitations  Why Fuzz?  “Fuzzing the Web”?  Desired Solution.

Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.

Pubman and Selenium tests. What is Selenium Selenium is a suite of Web application test automation tools for any browser on any operating system –Firefox,

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

INTERNET DATABASE. Internet and E-commerce Internet – a worldwide collection of interconnected computer network Internet – a worldwide collection of interconnected.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.

Using the Windows Event Viewer and Task Scheduler Chapter 5.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Technology Round 7 Exploring I.C.T. in the Syllabus.

Desktop and Mobile Testing Miroslav Shtilianov QA Engineer Automated Testing Team Telerik QA Academy

CONTENTS:-  What is Event Log Service ?  Types of event logs and their purpose.  How and when the Event Log is useful?  What is Event Viewer?  Briefing.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

The Operating System. Operating Systems (F) What you need to know about –operating system as a program; –directory/folder.

Ch 11 Managing System Reliability and Availability 1.

Windows Server MIS 424 Professor Sandvig. Overview Role of servers Performance Requirements Server Hardware Software Windows Server IIS.

Computer Concepts 2014 Chapter 7 The Web and .

Copyright © Texas Education Agency, All rights reserved.1 Web Technologies Web Administration.

Introduction to HP LoadRunner Getting Familiar with LoadRunner >>>>>>>>>>>>>>>>>>>>>>

Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.

1 Web Server Concepts Dr. Awad Khalil Computer Science Department AUC.

Computer Networking From LANs to WANs: Hardware, Software, and Security Chapter 12 Electronic Mail.

Overview of Previous Lesson(s) Over View  ASP.NET Pages  Modular in nature and divided into the core sections  Page directives  Code Section  Page.

Software Testing Life Cycle

Lecture 7 Interaction. Topics Implementing data flows An internet solution Transactions in MySQL 4-tier systems – business rule/presentation separation.

1 SWE 513: Software Engineering Usability II. 2 Usability and Cost Good usability may be expensive in hardware or special software development User interface.

CIM6400 CTNW (04/05) 1 CIM6400 CTNW Lesson 6 – More on Windows 2000.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.

JavaScript is a client-side scripting language. Programs run in the web browser on the client's computer. (PHP, in contrast, is a server-side scripting.

Web Programming: Client/Server Applications Server sends the web pages to the client. –built into Visual Studio for development purposes Client displays.

 2001 Prentice Hall, Inc. All rights reserved. 1 Chapter 21 - Web Servers (IIS, PWS and Apache) Outline 21.1 Introduction 21.2 HTTP Request Types 21.3.

Windows Vista Inside Out Chapter 22 - Monitoring System Activities with Event Viewer Last modified am.

Unit – I CLIENT / SERVER ARCHITECTURE. Unit Structure  Evolution of Client/Server Architecture  Client/Server Model  Characteristics of Client/Server.

Application Layer Khondaker Abdullah-Al-Mamun Lecturer, CSE Instructor, CNAP AUST.

Automated Scheduling and Operations for Legacy Applications.

Web Automation Testing With Selenium By Rajesh Kanade.

Pubman and Selenium tests. What is Selenium Selenium is a suite of Web application test automation tools for any browser on any operating system –Firefox,

RUBRIC IP1 Ruben Botero Web Design III. The different approaches to accessing data in a database through client-side scripting languages. – On the client.

Vinay Paul. CONTENTS:- What is Event Log Service ? Types of event logs and their purpose. How and when the Event Log is useful? What is Event Viewer?

Introduction to Taverna Online and Interaction service Aleksandra Pawlik University of Manchester.

Mantid Stakeholder Review Nick Draper 01/11/2007.

Testing in Android. Methods Unit Testing Integration Testing System Testing Regression Testing Compatibility Testing Black Box (Functional) White Box.

| imodules.com Top 10 FAQ in Application Support Kelly Schmiedeler & Amber Quayle.

ASP-2-1 SERVER AND CLIENT SIDE SCRITPING Colorado Technical University IT420 Tim Peterson.

JavaScript 101 Introduction to Programming. Topics What is programming? The common elements found in most programming languages Introduction to JavaScript.

Accounting in DataGrid HLR software demo Andrea Guarise Milano, September 11, 2001.

MIS Week 5 Site:

Computer Operating Systems And Software applications.

6/14/20161 System Administration 1-Introduction to System Administration.

1 Chapter 1 INTRODUCTION TO WEB. 2 Objectives In this chapter, you will: Become familiar with the architecture of the World Wide Web Learn about communication.

SQL Database Management

Development Environment

Operating System Concepts

Web Concepts Lesson 2 ITBS2203 E-Commerce for IT.

Software Architecture in Practice

Chapter 2: System Structures

THE OPERATION SYSTEM The need for an operating system

Software Quality Assurance

Bomgar Remote support software

Exploring the Power of EPDM Tasks - Working with and Developing Tasks in EPDM By: Marc Young XLM Solutions

JavaScript & jQuery AJAX.

Communications & Computer Networks Resource Notes - Introduction

The role of the test organization in a Security Sensitive project

A Scripting Server for Domain Automation Tasks

Web Servers (IIS and Apache)

Web Application Development Using PHP

Presentation transcript:

Fuzzing Machine By Nikolaj Tolkačiov

Agenda What is web application fuzz testing Introduction to “Fuzzing Machine” What results it produces Youtube setup in “Fuzzing Machine” How it can be used in other projects

What is web application fuzz testing?

Description for fuzzing I Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion. Source: OWASP

Description for fuzzing II Fuzzing or fuzz testing is a software testing technique, often automated or semi- automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing is a form of random testing commonly used to test for security problems in software or computer systems. Source: Wikipedia

Fuzzing types Application fuzzing File format fuzzing Protocol fuzzing ...

Introduction to “Fuzzing Machine”

Fuzzing Machine Fuzzing Machine is a dedicated hardware and software setup to perform fuzzing on web applications for extended amount of time and with reporting capabilities. Core setup consists of: Dedicated PC Task Scheduler SMTP service (SendGrid) PowerShell

Concept for fuzzing web application Launch web browser. Navigate to the page where you want to start fuzzing. Begin fuzzing. Wait. Collect logs (Optional). Rinse and repeat.

Demo

What results it produces?

Possible artifacts Error logs in server side logging. Error logs in client side logging. Screenshots when error occur. Video recording of fuzzing in progress. Bug traces to follow in application performance monitoring tools.

Possible artifacts example 00:43:42 SEVERE: https://tpc.googlesyndication.com/sadbundle/$csp%3Der3$/13707944800532712673/images/Exp_Big.png - Failed to load resource: the server responded with a status of 404 () 02:00:41 SEVERE: chrome-extension://pkedcjkdefgpdelpbcmbmeomcjbeemfm/cast_sender.js - Failed to load resource: net::ERR_FAILED 02:03:41 SEVERE: https://www.youtube.com/share_ajax?action_get_share_info=1&feature=player_embedded - Failed to load resource: the server responded with a status of 400 () 04:33:42 SEVERE: https://www.youtube.com/yts/jsbin/player-en_GB-vflzvBT66/base.js 54:13 Uncaught TypeError: Cannot read property 'prototype' of undefined 02:13:42 SEVERE: https://www-opensocial.googleusercontent.com/gadgets/rpc/rpc.v.js 22:16 Uncaught TypeError: Cannot read property 'register' of undefined 09:23:42 SEVERE: https://content.googleapis.com/youtubei/v1/account/accounts_list?alt=json&key=AIzaSyBkrqhJXxYjHdAvok - Failed to load resource: the server responded with a status of 401 () 07:23:42 SEVERE: https://youtubei.youtube.com/youtubei/v1/log_interaction?alt=json&key=AIzaSyAO_FJ2SlqUTE_Y9_11qcW8 - Failed to load resource: the server responded with a status of 400 () 12:43:42 SEVERE: https://www.youtube.com/ad_companion?adformat=2_2_1&p=UCXiNIx&render=video_wall_companion&content=jZR-1svUs 74:6 Uncaught ReferenceError: yt is not defined 16:43:42 SEVERE: https://www.youtube.com/yts/jsbin/www-en_US-vflZkT0AY/base.js 715:402 Uncaught TypeError: Cannot read property 'startsWith' of undefined 02:08:41 SEVERE:https://ad.atdmt.com/i/img;adv=11112202503514;ec=11112202508902;adv.a=101108;c.a=817825;s.a=860385;p.a=2577404;as.a=2577404;a.a=17847527; cache=%7BCACHEBUSTER%7D;https://ad.atdmt.com/i/img;adv=11112202503514;ec=11112202508902;adv.a=101108;c.a=817825;s.a=860385;p.a=2577404;as.a=2577404;a.a=17847527; cache=%7BCACHEBUSTER%7D;?rnd=45473 - Failed to load resource: the server responded with a status of 404 () 03:23:41 SEVERE: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6219811747049371&output=js&adk=511001906&adf=3383700283& loeid=9422596%2C9%0349%%2C20040077 &num_ads=1&channel=pyvhome%2Bhitchhiker%2Bpyv-top-right-homepage%2Bpyv-top-right-homepage-us%2Bytdevice_1%2B4311047448%2Bpyvhome_LT%2Blogged-out%2Bpyvhomeinshelf&ad_type=text&ea=0&flash=24.0.0&hl=en&url=https%3A%2F%2Fwww.youtube.com%2Fchannel%2FUCOpNcN46UbXVtpKMrmU4Abg&wgl=1&pyv=1&dt=1489195243538&bdt=2941&idt=198&shv=r20170308&cbv=r20170110&saldr=sb&correlator=8312176288284&frm=23&ga_vid=911827537.1489195244&ga_sid=1489195244&ga_hid=1023032743&ga_fc=0&pv=2&iag=3&icsg=10&nhd=1&dssz=4&mdo=0&mso=0&u_tz=120&u_his=3&u_java=0&u_h=900&u_w=1600&u_ah=860&u_aw=1600&u_cd=24&u_nplug=5&u_nmime=7&biw=1583&bih=794&isw=300&ish=110&ifk=919813956&eid=40509013&oid=3&loc=EMPTY&top=https%3A%2F%2Fwww.youtube.com%2Fchannel%2FUCOpNcN46UbXVtpKMrmU4Abg&rx=0&eae=2&fc=16&brdim=0%2C0%2C0%2C0%2C1600%2C0%2C1600%2C860%2C300%2C110&vis=1&rsz=o%7Co%7Cpr%7C&abl=NS&ppjl=u&fu=4180&bc=1&ifi=1&dtd=259 - Failed to load resource: the server responded with a status of 400 ()

Bugs likely to find with fuzz testing Null pointer exceptions Application crashes Unexpected combinations as input Server and client side validation issues

Youtube setup in “Fuzzing Machine”

Recipe for fuzzing 1 webdriver-manager 1 protractor 1 Gremlins.js 9 lines of JavaScript for fuzzing commands 1 cup of code for navigating and logging errors to file 3 scheduled jobs to keep it running 24/7 11 lines of Command Prompt lines to archive logs 14 lines of power shell scripts to send email with attachment 1 SendGrid account for email sending purpose

Step 1

Step 2

Step 3

Step 4

How it can be used in other projects?