Tech Terminology Demystified – Fuzzing

Imagine that you are asked to test a web application. You decide to first look at the application to get an idea of what it does and how, and you start with the login page. You try to put yourself in an attacker’s shoes: how would he try to gain access to the application through the login page? One of the things that comes to mind is

– He may try to guess easy user IDs and passwords

The big corporation that has hired you is, let’s say, Abcxyz Inc. The web application is the HR portal of Abcxyz Inc., so possible user names are the names of people working there. By googling, you are able to find the names of, let’s say, 33 people working at Abcxyz Inc. In addition to this, you also want to try out various versions of ‘admin’, ‘root’ etc. In the end, you have a list of more than 100 user IDs. For each of these users you decide to try out as many passwords as you can. You remember that a friend told you something about a ‘password dictionary’. You google it and find a list of passwords that you feel will fit your target application. The password dictionary that you have chosen has over 2000 entries.

As you go about doing all this, you realise it is impossible to try all these combinations by hand: 100 user IDs times 2000 passwords is over 200,000 login attempts. This is where something called a ‘fuzzer’ can help you. The fuzzer takes your two lists, user IDs and passwords, and feeds every combination to the HR portal:

– user1, password1
– user1, password2
– …
– user1, password-N
– user2, password1
– …
– user-M, password-N
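
The loop the fuzzer runs, as an added example in Python (not code from the original page or from any particular tool): it takes the two wordlists, submits every combination, and reports the pairs whose response differs from a known-bad baseline. The wordlists, the `mock_hr_portal` stand-in and its single valid pair are constructed so the script runs offline; `make_http_submit` and the form field names `username`/`password` are assumptions for pointing the same loop at a real login form.

```python
import itertools
import urllib.error
import urllib.parse
import urllib.request

# Constructed wordlists, standing in for the 100+ user IDs and 2000+ passwords.
USER_IDS = ["admin", "root", "Administrator", "jsmith", "akumar"]
PASSWORDS = ["123456", "password", "Welcome1", "admin", "letmein"]


def mock_hr_portal(user_id, password):
    """Constructed stand-in for the portal's login endpoint, so the script runs
    offline. Returns (HTTP status, response body). Exactly one pair is accepted;
    every other attempt gets the same rejection page."""
    if (user_id, password) == ("akumar", "Welcome1"):
        return 302, "Redirecting to /dashboard"
    return 200, "<html>Invalid user ID or password</html>"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: a 302 after POSTing credentials is usually the
    success signal, so we want to see it rather than the page it leads to."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def make_http_submit(url, user_field="username", pass_field="password"):
    """Build a submit() that POSTs a form to a real login URL (hypothetical field
    names; not exercised in the offline run)."""
    opener = urllib.request.build_opener(_NoRedirect())

    def submit(user_id, password):
        data = urllib.parse.urlencode({user_field: user_id, pass_field: password}).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        try:
            with opener.open(req, timeout=10) as resp:
                return resp.status, resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:  # 3xx/4xx/5xx are answers too
            return err.code, err.read().decode(errors="replace")

    return submit


def fuzz_login(user_ids, passwords, submit):
    """Submit every (user ID, password) pair and return the ones whose response
    differs from a baseline failure. Comparing against a baseline, rather than
    searching for a hard-coded 'success' string, lets the same loop work against
    portals whose success page we have never seen."""
    base_status, base_body = submit("no-such-user-zz", "no-such-password-zz")
    baseline = (base_status, len(base_body))
    hits = []
    for user_id, password in itertools.product(user_ids, passwords):
        status, body = submit(user_id, password)
        if (status, len(body)) != baseline:
            hits.append((user_id, password, status))
    return hits


if __name__ == "__main__":
    for user_id, password, status in fuzz_login(USER_IDS, PASSWORDS, mock_hr_portal):
        print(f"candidate credentials: {user_id}:{password} (HTTP {status})")
```

Two things to check before running this against anything real: that you are authorised to test it, and what its lockout policy is, because 2000 attempts per account will lock out every genuine user on your list long before the loop finishes.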

OWASP defines fuzzing as: “Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.” Strictly speaking, the credential guessing above is a dictionary attack rather than fuzzing in this sense: the inputs are well-formed, and the goal is a valid login rather than an implementation bug. Web-testing tools nonetheless call the component that does it a fuzzer, because the mechanism is the same: take one or more wordlists, submit every value or combination automatically, and flag the responses that differ from the norm.
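
To show fuzzing in the OWASP sense, here is an added example (not from the page or from OWASP) of a small mutation fuzzer: it corrupts a valid input in random ways, feeds each variant to a parser and records every input that makes the parser throw. `parse_record`, its record format and its careless handling of input are all constructed for the example.

```python
import random

# Bytes that tend to upset parsers: NUL, newline, space, a minus sign, digits at
# the edges of their range, the format's own delimiters, DEL and a non-ASCII byte.
INTERESTING_BYTES = (0x00, 0x0A, 0x20, 0x2D, 0x30, 0x39, 0x3B, 0x3D, 0x7F, 0xFF)


def parse_record(data: bytes) -> dict:
    """Constructed target: parses b"<count>;name=age;name=age" into a dict.
    It trusts its input completely, which is exactly what a fuzzer punishes;
    the format and its weaknesses are invented for this example."""
    text = data.decode("ascii")               # UnicodeDecodeError on a byte >= 0x80
    count, *entries = text.split(";")
    result = {}
    for i in range(int(count)):               # ValueError if count is not a number
        name, age = entries[i].split("=")     # IndexError if count > entries,
        result[name] = int(age)               # ValueError on "a=b=c" or age "3x"
    return result


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Return a copy of `data` with one random corruption applied."""
    buf = bytearray(data)
    op = rng.choice(("flip", "overwrite", "insert", "delete", "dup"))
    if op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.choice(INTERESTING_BYTES))
    elif buf:                                 # the other ops need a byte to act on
        i = rng.randrange(len(buf))
        if op == "flip":
            buf[i] ^= 1 << rng.randrange(8)
        elif op == "overwrite":
            buf[i] = rng.choice(INTERESTING_BYTES)
        elif op == "delete":
            del buf[i]
        else:                                 # dup: repeat one byte several times
            buf[i:i] = buf[i:i + 1] * rng.randrange(2, 9)
    return bytes(buf)


def run_fuzzer(target, seed_input: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Mutate the seed input repeatedly, run the target on each mutant and
    collect, per exception class, the first input that triggered it. Catching
    every exception is deliberate: any unhandled exception on untrusted input
    is an implementation bug in the OWASP sense."""
    rng = random.Random(rng_seed)             # fixed seed keeps runs reproducible
    findings = {}
    for _ in range(iterations):
        mutant = seed_input
        for _ in range(rng.randrange(1, 4)):  # stack 1-3 mutations per attempt
            mutant = mutate(mutant, rng)
        try:
            target(mutant)
        except Exception as exc:
            findings.setdefault(type(exc).__name__, mutant)
    return findings


def triggers(data: bytes):
    """Name of the exception parse_record raises on `data`, or None if it parses."""
    try:
        parse_record(data)
    except Exception as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    for name, sample in run_fuzzer(parse_record, b"2;alice=30;bob=25").items():
        print(f"{name}: {sample!r}")
```

Each finding is a concrete malformed input that reproduces the failure, which is the deliverable a fuzzer produces: the developer fixes the parser, reruns the same seed and confirms the findings dictionary comes back empty.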