Fuzzing has in the past mostly been relegated to protocols and file formats. With the huge surge in mobile apps, cloud applications, virtualization and social gaming, not to mention a RESTful API for everything these days, the challenge becomes generating fuzz tests rapidly for these applications. This is not just for the actual services, but also for the application-aware systems that are getting smarter by the day. We now have Deep Packet Inspection, Application Identification and a host of new technologies that allow firewalls and UTM’s to inspect application flows for compliance, QoS and access control.
Question is how do you effectively test the security and resiliency of these systems? To paraphrase Yoda:
Enter Mu Studio
A while back we launched Mu Studio, which can automatically transform packets into parametrized transactions. The result of this transformation is what we call a scenario, which is equivalent to VU Scripts from Mercury Interactive (now part of HP) or BPEL for Web Services. The big difference, though, is that scenarios can span layers and have multiple transports, dynamic variables and ports, complex field structures (ASN, XML, JSON), etc. It's a level higher than packets and allows us to replicate the transactions faithfully. The rule of thumb for Mu Studio is:
- What is sent can be parametrized (data-driven testing)
- What is received can be asserted on (validate application state)
That said, the replication and transformation automatically identifies application state, usernames, passwords, etc. and complex field types in the transactions. All this means is that we do the heavy lifting so you can just start testing.
Fuzzing RESTful APIs
Okay, this is just to prove a point of what we can do. Recently, someone uploaded a packet capture of an iPhone Twitter exchange on pcapr.net. By simply uploading this capture into Mu Studio, here’s what we get:

Notice that Studio automatically mapped out the transaction, though this one is fairly simple. At this point we can pretty much point Studio at twitter.com and tweet! Cool huh?
Okay, how about fuzzing? Since Studio identified that the response is XML, it automatically generates a large set of XML-oriented fuzz test cases. These include entity recursion, malformed attributes, buffer overflows, missing attributes and elements, etc. For this particular transaction, that comes to about 60,000 test cases (roughly 10 test cases per variant)!
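To make those test-case classes concrete, here is an added example (not Mu Studio's code) that derives cases of each class from a constructed stand-in for the captured XML response, then feeds them to Python's standard-library parser and classifies each outcome the way a resiliency harness would: a well-formedness rejection is expected for malformed input, while any other exception is a robustness finding.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the captured Twitter status response (not taken from the capture).
SAMPLE_XML = '<status><id>1</id><text>hello</text><user screen_name="alice"/></status>'

def _nth_copy(base, index):
    """Re-parse base and return (fresh root, element at `index` in document order)."""
    root = ET.fromstring(base)
    return root, list(root.iter())[index]

def xml_variants(base):
    """Return (case_name, xml_text) fuzz cases in the classes named in the post."""
    root = ET.fromstring(base)
    cases = []
    for i, el in enumerate(list(root.iter())):
        if el is not root:  # missing element: drop each non-root element from its parent
            copy, target = _nth_copy(base, i)
            parent = next(p for p in copy.iter() if target in list(p))
            parent.remove(target)
            cases.append((f"missing_element:{el.tag}", ET.tostring(copy, encoding="unicode")))
        for attr in el.attrib:  # missing attribute: remove each attribute in turn
            copy, target = _nth_copy(base, i)
            del target.attrib[attr]
            cases.append((f"missing_attribute:{el.tag}@{attr}", ET.tostring(copy, encoding="unicode")))
        if el.text and el.text.strip():  # buffer overflow class: oversized text value
            copy, target = _nth_copy(base, i)
            target.text = "A" * 65536
            cases.append((f"oversized_text:{el.tag}", ET.tostring(copy, encoding="unicode")))
    if '="' in base:  # malformed attribute: strip the quotes around the first attribute value
        cases.append(("malformed_attribute", base.replace('="', '=', 1).replace('"', '', 1)))
    # entity recursion: declare a self-referencing entity and reference it in the body
    doctype = f'<!DOCTYPE {root.tag} [<!ENTITY loop "&loop;">]>'
    body = base.replace(f"</{root.tag}>", f"&loop;</{root.tag}>", 1)
    cases.append(("entity_recursion", doctype + body))
    return cases

def run_cases(base, parse=ET.fromstring):
    """Feed every case to `parse` and record accepted / rejected / crashed per case."""
    results = {}
    for name, doc in xml_variants(base):
        try:
            parse(doc)
            results[name] = "accepted"
        except ET.ParseError:
            results[name] = "rejected"
        except Exception as exc:  # RecursionError, MemoryError, ...: a robustness finding
            results[name] = f"crashed:{type(exc).__name__}"
    return results

if __name__ == "__main__":
    for name, outcome in run_cases(SAMPLE_XML).items():
        print(f"{outcome:10} {name}")
```

Swap `parse` for the entry point of the service or inspection device under test to turn the same cases into a resiliency check against it.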
Real, realistic, stateful, yawn
Every single test tool out there that can import a packet capture will talk about real, realistic, stateful, really-real, trust-me-it's-real and so on. The question is, can these tools:
- Tweet?
- Make a phone call?
- Send an SMS?
- Order a movie online?
while also allowing you to test the application-aware infrastructure in the middle? And just so you know, even though the input packet capture is over IPv4, Mu Studio can tweet over IPv6 just as well and generate the fuzz test cases over IPv6. Need SSL? Yup, got it.
So if you want to do security and resilience testing of applications (custom, proprietary or otherwise), check out Mu Studio.