Thursday, May 26, 2011

Book Review - "Open Source Fuzzing Tools" by Gavi Evron

"Open Source Fuzzing Tools" is written by Gavi Evron and does an excellent job of providing a broad range of tools used for fuzzing and their basic usage. There is even a chapter that walks you through building your own file fuzzing tool in Perl.

Some specific points that I learned from this book:
- There are (at least) three flavors of fuzzing: 1) File fuzzing, where you create malformed files used by the application; 2) Network fuzzing, where network traffic used by the application is malformed and sent; and 3) Library fuzzing, where you call libraries directly with malformed input.
- The more you know about the workings of the application, the better you can tune your fuzzer to generate malformed data.
- The more you know about assembler, compilers, bytecode, and TCP/IP, the better. These are the building blocks for fuzzing.

It's possible to run many of these tools, such as wsfuzzer, without a deep understanding of the application and the underlying technologies, but the more you know, the better you are able to understand the output and take appropriate action.

