Book Review: Fuzzing | Brute Force Vulnerability Discovery

I really enjoyed reading Fuzzing. The book has a ton of really great information. The majority of the content I was interested in pertained to application and web application fuzzing. The book starts with a background on vulnerability discovery methods. It then covers the different methods and types of fuzzers.
The good stuff starts in the second part of the book, on “targets and automation.” The chapter on “web application and server fuzzing automation” has some interesting ideas I hadn't considered. I also liked the chapters on network protocol fuzzing on Windows and UNIX.
Throughout the book it shares tools, code and examples available for download from the fuzzing.org website. I have been working a lot recently with the Samurai Web Testing Framework Live-CD, creating some video tutorials that I hope to release soon, and I used some of the examples in the book. I also played with a little C# and created the generic fuzzing tool that was given in the book. I am adding some features to work in a few class activities I would like to implement.
Overall I think the book is great for anyone in development, system administration or pen-testing. I learned a lot and I think others would too, but be warned: this book is intense. I spent about 8 or 9 weeks with this book because every time I learned something new I wanted to try it out.
If you have read this book or others like it I would like to read your comments.

There are 3 Comments to "Book Review: Fuzzing | Brute Force Vulnerability Discovery"
Not a huge fan. There are other, better books on this topic. The parts about file fuzz testing were weak. The parts about network protocol fuzz testing were decent, especially about ProxyFuzzer, but still left me wanting a lot more. The parts about web applications were especially weak.
I think cleartext network protocol fuzz testing is just too basic anyways, and that’s why Sulley, Peach, and SPIKE are fun but ultimately boring tools. You find a few bugs, and then you get the vendor to fix them.
What I’m most curious about is more intense file fuzz testing such as found in SEEAS or even PaiMei. Or crypto protocol dissection using Universal Hooker. Even then, fuzz testing can get really old, really fast. Too bad vendors don’t think so.
Which parts of this book did you like and why? I’d be curious to hear you go a bit deeper than only the chapters that you thought were interesting. What exactly did you learn?
@Andre Gironda: I think that you and I had different expectations for this book. I was looking for more of a “text book” and you seem to have wanted more a “professional reference.” From the way the book never really went into any great detail, I would say it was targeted for the classroom not the cubicle.
Because of reading Fuzzing I have started to get back into RCE again. I was getting pretty good with IDA and SoftIce in pre-Y2K. Then I got sidetracked into networking. I have some experience with everything you mentioned except SEEAS. That is new and I will need to Google that when I have time. Know where I can find PaiMei, by the way? OpenRCE points to Google Code and Google Code points back to OpenRCE. I am trying to build up my web application testing skills and the network protocol fuzzing because it's another way to look at something I have been doing for over 10 years with respect to networking.
As far as what parts of the book I liked and why? That's kind of tough. Because I read a lot of books, and usually a few at once, I guess it's the ADD in me. So when I hit a wall and want to try something out I get lost along the way. Then I discover something cool and go off in another direction. I eventually come back once my curiosity is satisfied.
I do like, for example, when they show you how to build your own fuzzer, WebFuzz in C#, and they use it for examples throughout the chapter. I have been playing with C# off and on and started again. I'm lucky to have a peer at the college I work with, who is a software engineer, and recently he has been doing a lot of work with HTTP and C#. So he is someone I can get into details with over things like this. I'm trying to learn more about the WebClient and TcpClient classes in C# too. I like to know how things work.
Since CompuWare killed SoftIce while I was away, I am getting more into OllyDbg. I just learned a couple months ago about all the plug-ins for IDA. I even set up a VM of XP Pro 32-bit just for RCE projects I have planned. I have been using IDA and OllyDbg in one of my classes for a couple years, to find vulnerabilities and write exploits, but I only know enough to do the demos and help my students use it in lab.
I finally got motivated to check out PyDbg, which I have read a lot about but never really understood all the potential it could be used for, like modifying threads and memory.
This was the first book I have read about Fuzzing. I know a ton of sources exist online about fuzzing but this was my first stop. Learning about the different frameworks, like Peach, was also informative. Again it gave me things to search for and questions to ask.
I can admit that it wasn’t so much the content in the book that was so great, but the fact that it provided snippets of information that would get me to stop and go search to learn more. Going through the archives on your blog has the same effect. :P
If you can think of a few good books I should read, I would like to hear about them. I appreciate your comments and feedback.
You have to svn checkout from Google Code:
svn checkout http://paimei.googlecode.com/svn/trunk/ paimei-read-only
Also, check out Chapter 10 “Code Coverage and Fuzzing” in Syngress’ Open Source Fuzzing Tools, written by Charlie Miller.