Alex - stock.adobe.com
Web applications are attractive targets for criminal hackers eager to access the underlying data stored on an organization's site, and by extension, the company's internal network. Web fuzzing enables security teams -- and malicious hackers -- to discover what weaknesses or vulnerabilities exist within a web application.
What is web fuzzing?
At its core, fuzzing is an automated method designed to see how an application handles strange inputs -- those outside of what it expects.
For example, imagine you are on a shopping website and add a few items to your cart. You go to the checkout page, which displays the total price of the items. As you click to complete the order, you capture the outgoing web request in a proxy -- a tool that sits between your browser and the website you visit and enables you to see, and potentially modify, all the data being sent. The price is visible as a parameter within the outgoing request and can therefore be altered. The application won't necessarily expect alterations to the price field. If you change it, the application might accept the change and you can pay whatever price you want. You can also see what would happen if you replace numbers with letters and symbols or send the app commands designed to crash the system.
Web fuzzing helps conduct proper testing and detect malicious attacks. Ethical hackers focused on bug bounty programs use fuzzing to identify vulnerabilities. Since there are so many possible pages, parameters and inputs, even well-tested applications can be vulnerable to unusual inputs.
Organizations should build web fuzzing into their internal software development lifecycle. This enables programmers to identify and remediate vulnerabilities as early and cost-effectively as possible.
How hackers use web fuzzing
Fuzzing can cause applications to behave in strange and unexpected ways, potentially producing errors that enable a skilled hacker to launch an SQL injection, cross-site scripting (XSS) or buffer overflow attack. In response, the application might generate error messages, take too long to respond or crash. Even though most applications have built-in defenses designed to combat XSS by sanitizing certain inputs, web fuzzing gives hackers the opportunity to attempt any number of combinations to undermine those barriers.
Fuzzing is usually an automated attack, with hackers employing tools equipped with large numbers of fuzzing inputs, which are then inserted into every parameter on every page of the web app. The more pages and parameters an application has, the more time it takes. A new generation of AI-driven fuzzing tools lets hackers sharply reduce the time needed to attack a site.
Web fuzzing advantages and disadvantages
Web fuzzing has several advantages. Security teams or developers can test all applications before making them available to the public. A fuzzer discovers bugs as it inputs a variety of data and sees how the application responds. Web fuzzing also improves the security and stability of applications. Since it's automated, fuzzing makes it easier to discover issues with an application. Once done, the security team or developer reviews the results and makes the necessary changes.
The main disadvantage of fuzzing is that it can often take a long time, depending on an application's complexity. Understanding and using fuzzers can also require specialized knowledge, which makes testing an application a much more difficult undertaking.
Rob Shapland is an ethical hacker specializing in cloud security, social engineering and delivering cybersecurity training to companies worldwide.