Scribd Logo
Upload

Welcome to Scribd!

  • FUZZ Final

    Uploaded by

    Afza Fathima
    15 views20 pages
    fuzzing web application

    Original Title

    FUZZ-final

    Copyright

    © © All Rights Reserved

    Available Formats

    PPTX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    fuzzing web application

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    15 views20 pages

    FUZZ Final

    Uploaded by

    Afza Fathima
    fuzzing web application

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 20

    FUZ/Z

    ITB4333-DESIGN PROJECT 3

    BY
    VENKATRAMAN (20134018)
    KARUNAKARAN K (20134013)
    PRAVEEN K (20134006)
    HEMANTHRAJU B (20134007)
    AGENDA
    • Introduction
    • Problem Statement
    • Motivation Needed
    • Abstract
    • Scope And Objectives
    • Proposed Work
    • System Requirement
    • Methodology and Design
    • Results
    • Conclusion
    • Future Work
    • References
    INTRODUCTION
    • Fuzzing can take many various forms, each of which is tailored for testing a particular
    application type. 
    • The practise of fuzzing web applications to reveal common web vulnerabilities, such as
    injection problems and others is known as web application fuzzing. 
    • A fuzzer would try combinations of attacks such as SQLI,XXS
    • It involves inputting massive amounts of random data, called fuzz, to the test subject in an
    attempt to make it crash.
    PROBLEM STATEMENT
    • When a web application is being tested for fuzziness, a series of HTTP requests are
    made in order to see how the programme responds to different inputs. 
    • The input generating technologies used by the fuzz testing tool must be supported. 
    • The input generating process is used with several HTTP queries.
    • The tester need HTTP requests that will be sent to the application being tested, as well
    as information on which input generation techniques to apply to specific portions of an
    HTTP request.
    MOTIVATION NEEDED FOR THE PROJECT

    • To protect organizations from danger.


    • To Create a safe environment for user to browser.
    • To protect organiztion from bad actor.
    • User friendly.
    • Reduced False positive where others gives more.
    ABSTRACT
    An essential component of a web application is security. In order to identify vulnerabilities in
    online applications, security testing is required. Fuzz testing is one security testing method. A
    software testing approach known as "fuzzing" involves feeding the application being tested a
    set of erroneous inputs. Typically, a tool conducts fuzz testing. Fuzz testing for web
    applications involves sending a series of HTTP queries to the application under test to
    observe how it responds to different inputs. It would be preferable if web application fuzz
    testing could be automated under specific circumstances. We create a platform and tools for
    web application fuzz testing automation in this study, which can be integrated to Jenkins. The
    programme has undergone testing on websites with known security flaws. The tool can
    successfully identify vulnerabilities in 13 out of 15 test situations. According to the findings,
    the majority of vulnerabilities can be found based on HTTP response information.
    SCOPE & OBJECTIVES
    • As a result of fuzzing's effectiveness in identifying security flaws in web application, every
    untrusted interface of every product must be fuzzed according to the  organization Lifecycle.

    • Use fuzzing while developing web application that might handle unreliable inputs.

    • A method of testing that includes feeding erroneous, unexpected, or random data to a computer
    software.
    LITERATURE SURVEY
    REVIEW 1:

    1. AUTHOR'S NAME : Andrianto, I., Liem, M. M. I., & Asnar, Y. D. W.


    2. JOURNAL TYPE : Web Security
    3. TITLE : Web application fuzz testing
    4. YEAR : 09 February 2021
    5. LIMITATIONS : Couldn't find parameters.

    REVIEW 2:

    6. AUTHOR'S NAME : Li, L., Dong, Q., Liu, D., & Zhu, L.


    7. JOURNAL TYPE : Web Security
    8. TITLE : The Application of Fuzzing in Web Software Security Vulnerabilities Test
    9. YEAR : 13 JUNE 2020
    10.LIMITATIONS : Failed find files.
    LITERATURE SURVEY
    REVIEW 3:

    1. AUTHOR'S NAME : Hao Zhang, Weiyu dong, Jiang


    2. JOURNAL TYPE : Web Security
    3. TITLE : Zokfuzz: Detection of Web Vulnerabilities via Fuzzing
    4. YEAR : 23 November 201
    5. LIMITATIONS : No Multithread processing.

    REVIEW 4:

    6. AUTHOR'S NAME : Zhou, X, & Wu, B.


    7. JOURNAL TYPE : Web Security
    8. TITLE : Web Application Vulnerability Fuzzing Based On Improved Genetic Algorithm
    9. YEAR : 25 April 2020
    10.LIMITATIONS : Very Slow Scanner.
    LITERATURE SURVEY
    REVIEW 5:

    1. AUTHOR'S NAME : Joao Caseirito


    2. JOURNAL TYPE : Web Security
    3. TITLE : Finding Web Application Vulnerabilities with an Ensemble Fuzzing
    4. YEAR : 21 November 2022
    5. LIMITATIONS : 

    REVIEW 6:

    6. AUTHOR'S NAME : Wang Chunlei, Liu Qiang, & Liu Li.


    7. JOURNAL TYPE : Web Security
    8. TITLE : Automatic fuzz testing of web service vulnerability
    9. YEAR : 25 April 2020
    10.LIMITATIONS : 
    OBJECTIVES
    1. Our aim in this activity is to identify potential risks
    2. Identify vulnerabilities before cyber criminals.
    3. Define the level of risk on your web application.
    4. Identify false positive results at an acceptably low rate.
    5. Ability to analyze different Web technologies, such as PHP, ASP.NET, ASP, etc.
    PROPOSED WORK
    1. Developed a User-friendly script with help menu.
    2. This provide the attacker or tester information, where they refine their injection.
    3. Scan for Sub Domains on a web application with available word-file
    4. Scans for Parameters ,files and extensions using payloads which we created 
    5. Displays the scan result on a terminal.
    SYSTEM REQUIREMENT
    • SOFTWARE REQUIREMENT
    Operating System    :    Linux , Windows , osX
    Languages Used    :    Python
    Development Environment    :    Visual Studio Code

    • HARDWARE REQUIREMENT
    Hard Disk :    40 GB SSD
    RAM    :    8 GB RAM
    Processor :    intel 5 3rd gen
    METHODOLOGY & DESIGN
    • The software tool is similar to risk scanners, and can detect sensitive files ,directories and
    sub domains
    • Fuzz scanners is tool that help capture various online issues, such as sensitive files.  
    • Therefore, they ensure the security of the web application by testing and capturing these 
    request is one of the most exploited weaknesses in web use and one of the most widely
    studied.
    SAMPLE CODING
    CONCLUSION
    • Naturally, fuzzing is not a false proof method for finding every bug. 
    • The ability to hack web apps via fuzzing has some restrictions.
    • The server's rate limiting is one of these restrictions. 
    • You might not be able to send the application a lot of payloads during a remote, black-box
    interaction without being discovered by the server or exceeding some sort of rate-limit. 
    • This can result in testing taking longer, or it might possibly get you kicked off the service.  
    FUTURE WORK
    • We aim to integrate more attack plug-ins into the future.
    •  In addition, the functionality of the tool can be improved. 
    • We are also working on setting up a website where the use of fuzz concept can be
    downloaded. 
    • While we know that fuzz scanner may be used for malicious purposes, we feel they can
    assist web application developers in assessing the safety of their system. 
    THANK YOU

    You might also like