Application Fuzzing with Mu Studio

Fuzzing has in the past mostly been relegated to protocols and file formats. With the huge surge in mobile apps, cloud applications, virtualization and social gaming, not to mention a RESTful API for everything these days, the challenge becomes generating fuzz tests rapidly for these applications. This is not just for the actual services, but also for the application-aware systems that are getting smarter by the day. We now have Deep Packet Inspection, Application Identification and a host of new technologies that allow firewalls and UTMs to inspect application flows for compliance, QoS and access control.

Question is, how do you effectively test the security and resiliency of these systems? To paraphrase Yoda:

Conform to specifications, does not
Test you must, now
Wait for the test tool vendor, no longer

Enter Mu Studio

A while back we launched Mu Studio, which can automatically transform packets into parametrized transactions. The result of this transformation is what we call a scenario, which is equivalent to VU Scripts from Mercury Interactive (now part of HP) or BPEL for Web Services. The big difference, though, is that scenarios can span layers and have multiple transports, dynamic variables and ports, complex field structures (ASN, XML, JSON), etc. It's a level higher than packets and allows us to replicate the transactions faithfully. The rule of thumb for Mu Studio is:

  • What is sent can be parametrized (data-driven testing)
  • What is received can be asserted on (validate application state)

That said, the replication and transformation automatically identify application state, usernames, passwords, etc., and complex field types in the transactions. All this means is that we do the heavy lifting so you can just start testing.

Fuzzing RESTful APIs

Okay, this is just to prove a point of what we can do. Recently, someone uploaded a packet capture of an iPhone Twitter exchange on pcapr.net. By simply uploading this capture into Mu Studio, here’s what we get:

twitter-call-graph.png

Notice that Studio automatically mapped out the transaction, though this one is fairly simple. At this point, we can pretty much point Studio at twitter.com and tweet! Cool, huh?

Okay, how about fuzzing? Since Studio identified that the response is XML, it automatically generates a pile load of fuzz test cases that are XML-oriented. These include: entity recursion, malformed attributes, buffer overflows, missing attributes and elements, etc. For this particular transaction, that’s about 60,000 test cases (variant =~ 10 test cases)!

variants.png
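
To make the mutation classes listed above concrete, here is an added example (not Mu Studio code or output) that derives missing-attribute, oversized-value, malformed-attribute and missing-element variants from one well-formed document. The sample XML and all function names are constructed for illustration.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample response; not taken from the capture discussed above.
SAMPLE = '<status id="42" lang="en"><user name="alice"/><text>hello</text></status>'

def _nth(tree, i):
    """Return the i-th element of tree in document order."""
    return list(tree.iter())[i]

def xml_variants(doc, long_len=4096):
    """Yield (label, xml_text) fuzz cases derived from one well-formed document."""
    root = ET.fromstring(doc)
    base = ET.tostring(root, encoding="unicode")
    for i, node in enumerate(root.iter()):
        for attr, value in node.attrib.items():
            # Missing attribute: drop it, leave the rest of the document intact.
            tree = copy.deepcopy(root)
            del _nth(tree, i).attrib[attr]
            yield f"missing-attr {node.tag}@{attr}", ET.tostring(tree, encoding="unicode")
            # Oversized value: checks length handling in whatever consumes the field.
            tree = copy.deepcopy(root)
            _nth(tree, i).set(attr, "A" * long_len)
            yield f"long-attr {node.tag}@{attr}", ET.tostring(tree, encoding="unicode")
            # Malformed attribute: remove the closing quote in the serialized text.
            pair = f'{attr}="{value}"'
            if pair in base:
                yield f"malformed-attr {node.tag}@{attr}", base.replace(pair, pair[:-1], 1)
        if i > 0:
            # Missing element: remove this node (and its subtree) from its parent.
            tree = copy.deepcopy(root)
            parent_of = {child: parent for parent in tree.iter() for child in parent}
            target = _nth(tree, i)
            parent_of[target].remove(target)
            yield f"missing-elem {node.tag}", ET.tostring(tree, encoding="unicode")

def is_well_formed(text):
    """True if a conforming XML parser accepts the text."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False

if __name__ == "__main__":
    for label, text in xml_variants(SAMPLE):
        print(f"{label:28} well_formed={is_well_formed(text)} len={len(text)}")
```

Only the malformed-attribute cases fail a conforming parser; the other variants are well-formed XML that violates the expected schema, which is why they reach application logic rather than being rejected at the parsing stage.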

Real, realistic, stateful, yawn

Every single test tool out there that can import a packet capture will talk about real, realistic, stateful, really-real, trust-me-it's-real and so on. Question is, can these tools:

  • Tweet?
  • Make a phone call?
  • Send an SMS?
  • Order a movie online?

while also allowing you to test the application-aware infrastructure in the middle? And just so you know, even though the input packet capture is over IPv4, Mu Studio can tweet over IPv6 just as well and generate the fuzz test cases over IPv6. Need SSL? Yup, got it.

So if you want to do security and resilience testing of applications (custom, proprietary or otherwise), check out Mu Studio.