RubyConf: Zed Shaw: Fuzzing
Nick Sieger, http://blog.nicksieger.com/articles/2006/10/21/rubyconf-zed-shaw-fuzzing
Sat, 21 Oct 2006 02:51:38 +0000
Tags: rubyconf, rubyconf2006

<h2>What is Fuzzing?</h2>
<ul>
  <li>Throw random stuff at an app until it breaks, with maliciously crafted inputs. It’s the randomness, stupid.</li>
  <li>Creating a model for an attack</li>
  <li>Sampling, survival analysis and mean-time-between-failures (MTBF)</li>
</ul>

<h2>Limitations</h2>
<ul>
  <li>Shallow – errors come right away, but then few and far between</li>
  <li>Not smart</li>
  <li>Not always needed</li>
</ul>

<h2>Disadvantages</h2>
<ul>
  <li>Destructive – don’t do it against your production system!</li>
  <li>Potentially expensive</li>
</ul>

<h2>Advantages</h2>
<ul>
  <li>Fun making developers go insane</li>
  <li>Finds bugs even in closed source software</li>
  <li>Easy to do when you have the right tools</li>
  <li>Excellent for regression/load/DDOS/pen testing</li>
  <li>Large existing base of tools (links from Zed’s site)</li>
</ul>

<h2>Demo/Usage</h2>
<ul>
  <li>Designed to be a simple data container for all the HTTP objects, so you can easily store and replay requests</li>
  <li>Randomness engine (RC4 cipher) generates random bytes, numbers, chars, base64, etc.</li>
  <li>Data collection (ten runs of ten samples, spits out .csv files)</li>
  <li>Session management (dump cookie management)</li>
  <li>Rails security test (see also <a href="/articles/2006/08/15/security-threat-last-week">my post on this subject</a>)</li>
  <li>Chunked encoding test</li>
  <li>Mongrel test suite – test GET vs. PUT to see if there is any difference in performance between the two methods</li>
</ul>

<h2>Other Ideas</h2>
<ul>
  <li>Random ruby scripts from a grammar</li>
  <li>Automatic random AR fixtures</li>
  <li>Thrash functions for unit tests</li>
  <li>Random thrashing of other protocols</li>
  <li>Release RFuzz’s HTTP client separately as an alternative to <code>net/http</code></li>
  <li>Hpricot and RWB inclusion</li>
  <li><a href="http://utu.devjavu.com/">Utu</a> – HCI research to see if it’s possible to measure how programmers interact</li>
</ul>
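The Demo/Usage notes above describe three pieces that fit together: an RC4-based randomness engine, an attack model that produces mutated HTTP requests, and a sampling loop (runs of samples, written out as CSV rows) from which an MTBF can be read. The Ruby below is an added example written for this page; it is not RFuzz and not code from the talk or the post. Every name in it (<code>Rc4</code>, <code>parse_request</code>, <code>exercise</code>, <code>random_request</code>, <code>fuzz_run</code>, <code>fuzz_campaign</code>, <code>to_csv</code>) is my own, the request template and mutation mix are assumptions, and the target is a constructed toy request parser with a deliberate defect (a header line without a colon leaves <code>value</code> as <code>nil</code>) so that the harness has something to find. RC4 is used here only as a seeded, replayable byte stream, which is what the notes mean by "randomness engine"; it is not a suitable cipher. The example goes slightly beyond the notes in separating clean rejections (the parser raised its own error) from crashes (an unhandled exception), which is the distinction a fuzzing report actually needs.

```ruby
# Added example for the RubyConf fuzzing notes; not RFuzz. All names are hypothetical.

# Randomness engine: RC4 keystream as a seeded PRNG. Same key => same stream,
# so any run can be replayed. Not a secure cipher; only a byte source here.
class Rc4
  PRINTABLE = (32..126).map(&:chr).freeze

  def initialize(key)
    k = key.bytes
    @s = (0..255).to_a
    j = 0
    256.times do |i|                         # key-scheduling algorithm (KSA)
      j = (j + @s[i] + k[i % k.length]) & 0xff
      @s[i], @s[j] = @s[j], @s[i]
    end
    @i = @j = 0
  end

  def next_byte                              # pseudo-random generation (PRGA)
    @i = (@i + 1) & 0xff
    @j = (@j + @s[@i]) & 0xff
    @s[@i], @s[@j] = @s[@j], @s[@i]
    @s[(@s[@i] + @s[@j]) & 0xff]
  end

  def bytes(n)
    Array.new(n) { next_byte }
  end

  def num(max)                               # integer in 0...max (modulo bias is fine for fuzzing)
    ((next_byte << 8) | next_byte) % max
  end

  def chars(n)
    Array.new(n) { PRINTABLE[num(PRINTABLE.size)] }.join
  end

  def base64(n)                              # strict base64 of n random bytes
    [bytes(n).pack("C*")].pack("m0")
  end
end

# Constructed system under test: a toy HTTP request parser. Bad request lines are
# rejected cleanly; a header line with no ':' leaves value nil and blows up.
def parse_request(raw)
  lines = raw.split("\r\n")
  method, path, version = lines.first.to_s.split(" ", 3)
  raise ArgumentError, "bad request line" unless method && path && version
  headers = {}
  lines.drop(1).each do |line|
    break if line.empty?
    name, value = line.split(":", 2)
    headers[name.strip.downcase] = value.strip   # NoMethodError when ':' is missing
  end
  { method: method, path: path, version: version, headers: headers }
end

def exercise(raw)
  parse_request(raw)
  :ok
rescue ArgumentError
  :rejected    # clean refusal: the behaviour we want on bad input
rescue StandardError
  :crashed     # unhandled exception: the kind of defect fuzzing hunts for
end

# Attack model: a mostly valid request with one header chosen from a mutation mix.
def random_request(rng)
  header = case rng.num(8)
           when 0..3 then "X-Fuzz: #{rng.base64(rng.num(32) + 1)}"   # well formed, random value
           when 4, 5 then rng.chars(rng.num(24) + 1)                  # printable junk, ':' optional
           when 6    then rng.bytes(rng.num(24) + 1).pack("C*")       # raw binary junk
           else "#{'A' * (rng.num(4096) + 1)}: x"                     # oversized header name
           end
  "GET /items/#{rng.num(1000)} HTTP/1.1\r\nHost: example.test\r\n#{header}\r\n\r\n"
end

# One run of `samples` requests; returns one CSV-style row. MTBF here is simply
# requests per crash within the run (nil when nothing crashed).
def fuzz_run(seed, run_no, samples: 10)
  rng = Rc4.new("#{seed}-#{run_no}")
  crashes = 0
  first_crash = nil
  samples.times do |i|
    next unless exercise(random_request(rng)) == :crashed
    crashes += 1
    first_crash ||= i + 1
  end
  mtbf = crashes.zero? ? nil : (samples.to_f / crashes).round(2)
  { run: run_no, samples: samples, crashes: crashes, first_crash_at: first_crash, mtbf: mtbf }
end

def fuzz_campaign(seed, runs: 10, samples: 10)   # ten runs of ten samples, as in the notes
  (1..runs).map { |r| fuzz_run(seed, r, samples: samples) }
end

def to_csv(rows)
  ([rows.first.keys.join(",")] + rows.map { |r| r.values.join(",") }).join("\n")
end

puts to_csv(fuzz_campaign("demo")) if __FILE__ == $PROGRAM_NAME
```

Because each run is keyed by seed and run number, a crashing sample can be regenerated exactly from the CSV row, which is the point of making the randomness engine a cipher stream rather than an unseeded <code>rand</code>. The mutation mix is what decides how "shallow" the campaign is: the junk-header cases find the colon bug almost immediately, while the oversized-name case exercises the parser without ever triggering it.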