PrepAway - Latest Free Exam Questions & Answers

Which of the following fuzz testing she will perform where she can supply specific data to the application to

Fuzz testing, or fuzzing, is a software/application testing technique used to discover coding
errors and security loopholes in software, operating systems, or networks by inputting
massive amounts of random data, called fuzz, to the system in an attempt to make it crash.
Fuzzers work best for problems that can cause a program to crash, such as buffer overflow,
cross-site scripting, denial of service attacks, format bugs, and SQL injection. A fuzzer helps
to generate and submit a large number of inputs to the application in order to test it
against those inputs. This will help us to identify the SQL inputs that generate malicious output.
Suppose a pen tester knows the underlying structure of the database used by the application
(i.e., name, number of columns, etc.) that she is testing. Which of the following types of fuzz
testing will she perform, where she can supply specific data to the application to discover
vulnerabilities?

A. Clever Fuzz Testing

B. Dumb Fuzz Testing

C. Complete Fuzz Testing

D. Smart Fuzz Testing

3 Comments on “Which of the following fuzz testing she will perform where she can supply specific data to the application to

  1. Q  says:

    The correct answer is “D”: Smart Fuzz Testing.

    [Fuzz Testing]

    - Dumb Fuzz Testing: In this testing, arbitrary data is supplied to the application to find out vulnerabilities in the application.

    - Smart Fuzz Testing: If one knows the underlying structure of the database used by the application (i.e., name, number of columns, etc.), then he can supply specific data to the application to find out the vulnerabilities.

