Software Testing Class

Fuzz Testing (Fuzzing) in Software Testing

Introduction

Fuzz testing, also known as fuzzing is a well-known quality assurance testing that is conducted to unveil coding errors and security loopholes in the software, networks, or operating systems.

Fuzz testing is an automated or semi-automated testing technique which is widely used to discover defects which could not be identified by traditional functional testing methods. It involves providing invalid input data or massive random data (known as fuzz to the system) in order to test the system with an attempt to crash it or failing the built-in code of the software under test. If a vulnerability is detected, then fuzzer is a software tool which is used to identify potential causes. Fuzzers know to work the best for identifying vulnerabilities which are prone to be exploited by buffer overflow, DOS (Denial of Service), SQL injection and cross-site scripting. Such schemes are often exploited by hackers with an intent to wreck the systems after compromising their security. Fuzz testing is often not much effective in dealing with security threats which do not cause program crashes i.e. viruses, spyware, Trojans, and keyloggers.

Fuzz testing concept is the brainchild of Barton Miller who developed it at the University of Wisconsin in 1989. Fuzz testing falls under the category of Security testing. Such security testing aims at providing high benefit-to-cost ratio as it is capable to unveil serious defects which can be easily overlooked during writing and debug software application. Fuzz testing helps to provide the complete picture of the overall system security, its quality, and effectiveness which cannot provide any room for hackers to show their miracles. Fuzz testing is often used in conjunction with beta testing, black box testing and other well known debugging methods to deliver the best results.

 

Fuzz Testing in Software Testing

 

Advantages of Fuzz Testing:

The following are the advantages of the Fuzz testing.

 

Fuzz Testing Steps:

The following are the testing steps for the fuzz testing.

 

Testing strategy for fuzz testing:

The following are the testing strategies which are applied to the software application.

 

Types of defects detected by Fuzz Testing:

The following are the types of defects detected by Fuzz Testing.

 

Fuzz Testing Tools:

Given below is the description of commonly used Fuzz Testing tools.

Fuzz Tool Description
Peach Fuzzera Peach Fuzzer is a Fuzzer tool that provides more robust and secured coverage than a scanner. It enables testers to detect known as well as unknown threads.
Spike Proxy Spike Proxy is a professional grade Fuzzer tool which helps to lookup application-level vulnerabilities especially in the web applications. It covers SQL Injection and cross-site-scripting vulnerabilities. It is completely based on open Python infrastructure. It is available for Linux and Windows platforms.
Webscarab Webscarab is a Fuzzer tool which is written in Java, as a result, it is portable to many platforms.  It is used to analyze web applications for vulnerabilities which communicate using HTTP and HTTPS protocols.
Burp Burp is a Fuzzer tool which is used as a security tool for Java-based web application. It helps in identifying vulnerabilities such as buffer overflow, cross-site scripting, SQL injection, etc. against Java-based web applications.
OWASP WSFuzzer WSFuzzer is a GPL’d program which is written in Python. GPL’d a program currently targets Web Services for Fuzz testing. OWASP WSFuzzer has the current version that targets HTTP based SOAP services.
AppScan AppScan is a Fuzzer tool that helps to scan and test all common web application vulnerabilities such as SQL-Injection, Cross-Site Scripting, Buffer Overflow, etc.

 

Conclusion

In this article, we discussed Fuzz testing, its utility and commonly used Fuzzer tools description. Fuzz testing is used to identify the most common vulnerabilities. It makes sure that application is more secure and robust. Using this won’t make your application completely defect free, but shows the presence of the bugs in the application under test.

Exit mobile version