London software testing news UK

Google and fuzz testing

Posted in security testing,Software testing by testing in London on July 19, 2007

From eweek channel insider

Google’s security team is home-brewing a powerful combination scanner and fuzzing tool that experts say will be unique outside of the commercial domain.

In a posting on the Google security team’s blog, Srinath Anantharaju said on July 16 that the security team has been working on a black-box fuzzing tool called Lemon, in the spirit of the word as it’s used to denote defective products.

Fuzz testing, or fuzzing, is a black-box software testing technique in which malformed data is injected automatically to find implementation bugs in code. In particular, Google is targeting XSS (cross-site scripting) bugs, according to Anantharaju.

As it is, there are numerous open-source fuzzing tools. OWASP (the Open Web Application Security Project) supplies three fuzzers and also hosts links to dozens more, for example.

But Lemon more closely resembles a commercial product in that it not only fuzzes applications but scans them as well. “[Lemon is] not just doing fuzzing through fault injection,” as do other open-source fuzzers, said Danny Allan, director of security research for Web application security software and services firm Watchfire. “[Google] also created a scanner, so [the tool] understands input, and [they’re] fuzzing on top of it. That doesn’t exist in the open-source domain. However, that’s what commercial tools, including Watchfire’s, already do.”

Open-source fuzzers, in fact, can be automated to do “weak” crawling, Allan said, but the combination of the two is “very weak” in open-source fuzz tools now available, he said. “You have to manually point to a particular parameter you want to fuzz. … It looks like they’ve taken it to the next step.”

Used by an organization to find its own security holes, fuzzing is a useful tool, Allan said. But in the hands of an attacker, a fuzzer can become a weapon.

“What they’re building, they’re looking for XSS [flaws],” which is a laudatory goal, Allan said—Watchfire itself has found a few XSS bugs in Google Desktop. “All [XSS bugs] are vulnerabilities. Used by an organization on themselves, that’s a very useful tool. But if I’m a malicious individual, I use it to find vulnerabilities on someone else.”

Scanning and fuzzing in particular is a very powerful combination that, when put into the hands of attackers, could facilitate attacks, he said; the scanner/fuzzer combo doesn’t just spew malicious code arbitrarily—it also knows where to spew it.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: