Twitter	LinkedIn
Facebook	YouTube
Email	Newsletter

Test Methodologies
How-to Guides
White Papers
Data Sheets

Application Fuzzing

Are you being as realistic as possible when testing network equipment? Does that include testing with application fuzzing techniques? Once the realm of security auditors, application fuzzing now provides enormous benefits to anyone conducting performance and security testing of network devices.

Application Fuzzing Overview

Application fuzzing occurs when a piece of software intentionally sends out data containing injected errors. The reason someone would want to send error-filled data to themselves is that invalid data is better at exposing the rarely tested parts of an application and putting it through its paces. Application fuzzing has long been part of the security auditors' toolkit, but more and more network administrators are beginning to use fuzzing as part of their normal QA process.

Application Fuzzing Testing Overview

BreakingPoint application fuzzing is supported by the Security component in the form of special Security Strikes. Each fuzzer Strike typically targets a specific data value or packet type and tries a multitude of different values in turn. The goal is to provide malicious data, or to provide so much data that something will break in order to show the user where to focus bug-fixing efforts.

Inserting bad data means strings usually get filled with lots of quotes, null characters or other special character sequences in order to try to make the application fail. Integer data types usually get hit with a list of commonly special values like powers of two.

Application Fuzzing Resources

Custom Fuzzers with BlockFuzzer How-to Guide

BreakingPoint Labs: Fuzzing the Routing Information Protocol (RIP) and Bringing Clarity to Application Fuzzing

BreakingPoint Application Fuzzing Testing Capabilities

The BlockFuzzer Strike in BreakingPoint Elite can take any Super Flow and iterate over each of its protocol fields while fuzzing each of them. This is only a small sample of the output for a given run of BlockFuzzer. The number of different output fuzzer values for each field (e.g. “GET”) can reach up to 1,000. Combine this with the number of fields in a Super Flow, and the total number of outputs can grow quite large very quickly. Fuzzing a single HTTP Get request flow could easily surpass 100,000 requests at runtime.

In one example, a new application fuzzing Strike is created that makes use of BreakingPoint Elite's Application Simulator protocols and an unlimited number of user defined Super Flows. The BlockFuzzer Strike is responsible for loading Application Simulator features from within the Security component. The Application Manager user interface is used to build up a simulation flow using a Flash-based user interface to select protocol actions. The Strike can then be selected and configured to run with Attack Manager.

Request a Personalized Demonstration

To learn more about BreakingPoint Application Fuzzing with a BreakingPoint expert, sign up for your demonstration today.

Solutions

10 Gigabit Testing

Application Load Testing

Application Fuzzing

Cloud Computing Testing

Cyber Simulation

DPI Testing

Firewall Testing

IPS Testing

IPv6 Dual Stack Testing

Network Traffic Generation

Resiliency Testing

Security Testing

Server Load Testing

Virtualization Testing

Application Fuzzing

Application Fuzzing Overview

Application Fuzzing Testing Overview

Application Fuzzing Resources

BreakingPoint Application Fuzzing Testing Capabilities

Request a Personalized Demonstration