OWASP NZ Day 2020-Training-Introduction to Fuzzing

Introduction to Fuzzing

Half-Day Interactive Training -- OWASP New Zealand Day 2020

Abstract

Fuzzing techniques enable the detection of vulnerabilities such as buffer overflows, integer overflows, format string vulnerabilities, and use-after-free. This workshop gives the audience a detailed overview of blind, input-based fuzzing.

Course Details

Dates: Thursday, 20 February 2020

Time: 8:45 a.m. to 12:30 p.m.

Course Fee: NZ $325.00 (plus EventBrite fees)

Registration Site: https://owaspnz2020-training.eventbrite.com

Attendees Should Bring:

Attendees are required to bring a system with root/admin privileges, a minimum of 8 GB RAM, and VirtualBox or VMware installed.

Instructor: Dhiraj Mishra

Instructor's Organization: Cognosec

Course Overview

Intro to Fuzzing - The fundamentals of fuzzing, understanding why fuzzing is needed and how to make the process of fuzzing efficient.

Smart Fuzzing - We will look at using american fuzzy lop (AFL), which demonstrates the process of compile-time instrumentation. We will understand the colour coding in AFL's status screen: process timing, stages, findings, yields, path geometry and stability. We will integrate AddressSanitizer (ASAN) and MemorySanitizer (MSAN), which help in identifying memory corruption and uninitialised-memory bugs, making the process smarter.

Triage Analysis - We look at the PoCs generated by AFL during the fuzzing process, feeding them to the actual binaries to see how they handle the inputs.

In the intro to fuzzing we will discuss and understand all the parts of a successful fuzzing campaign and why it is needed, look at various fuzzers, and set up the environment.

We will then move on to AFL, starting with its installation. We will also take a quick look at AFL's key components: process timing, stages, findings, yields, path geometry and stability. We have created certain vulnerable binaries with which we will demonstrate overflows using AFL, analysing the targets and the crashes and hangs that AFL generates; we will continue with the blackbox fuzzing approach using AFL.

After that we will move on to smart fuzzing, where we will integrate ASAN with AFL. Before that we will give a brief overview of ASAN and MSAN and how instrumenting a binary at compile time lets them detect memory bugs at run time.
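The AFL plus ASAN workflow described above, as an added example that is not part of the workshop material: a minimal AFL-style fuzz target in C. The target parses a tiny constructed length-prefixed record format and validates every length before copying, which is the kind of check whose absence AFL exposes and ASAN reports as a buffer overflow. The build and triage commands in the header comment assume classic AFL (afl-gcc) with the AFL_USE_ASAN environment variable; the names parse_record, Record and the demo_* helpers are this example's own.

```c
/* Minimal AFL-style fuzz target (added example, not workshop code).
 * Reads one input file (argv[1], which AFL substitutes for @@) or stdin,
 * parses a constructed length-prefixed record format and checks every
 * length before copying into fixed-size buffers.
 *
 * Instrumented build with ASAN, assuming classic AFL is installed:
 *   AFL_USE_ASAN=1 afl-gcc -g -O1 -o target target.c
 *   mkdir in && printf '\003abc\002xy' > in/seed
 *   afl-fuzz -m none -i in -o out -- ./target @@
 * Triage: rerun a saved crash through the same instrumented binary and
 * read the ASAN report:
 *   ./target out/crashes/id:000000*
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELD  16   /* fixed-size destination buffer: the classic overflow sink */
#define MAX_FIELDS 4

typedef struct {
    int  count;
    char field[MAX_FIELDS][MAX_FIELD];
} Record;

/* Format: repeated (1-byte length, payload) pairs. Returns the number of
 * fields parsed, or -1 on malformed input. Each length is checked against
 * the remaining input, the destination buffer and the field array; dropping
 * any of these checks is exactly the defect AFL finds and ASAN reports as a
 * stack-buffer-overflow. */
int parse_record(const unsigned char *buf, size_t len, Record *rec) {
    size_t pos = 0;
    memset(rec, 0, sizeof *rec);
    while (pos < len) {
        size_t flen = buf[pos++];
        if (flen == 0 || flen > len - pos)   /* zero-length or truncated field */
            return -1;
        if (flen >= MAX_FIELD)               /* would not fit with the NUL terminator */
            return -1;
        if (rec->count >= MAX_FIELDS)        /* more fields than the struct holds */
            return -1;
        memcpy(rec->field[rec->count], buf + pos, flen);
        rec->field[rec->count][flen] = '\0';
        rec->count++;
        pos += flen;
    }
    return rec->count;
}

/* Constructed sample inputs, so the parser can be exercised without AFL. */
int demo_well_formed(Record *rec) {
    static const unsigned char in[] = { 3, 'a', 'b', 'c', 2, 'x', 'y' };
    return parse_record(in, sizeof in, rec);         /* 2 fields: "abc", "xy" */
}
int demo_truncated(Record *rec) {
    static const unsigned char in[] = { 5, 'a', 'b' }; /* claims 5 bytes, has 2 */
    return parse_record(in, sizeof in, rec);         /* -1 */
}
int demo_oversized_field(Record *rec) {
    unsigned char in[1 + MAX_FIELD];                 /* length byte + 16 payload bytes */
    in[0] = MAX_FIELD;                               /* 16 bytes would overflow 16-byte buffer */
    memset(in + 1, 'A', MAX_FIELD);
    return parse_record(in, sizeof in, rec);         /* -1 */
}
int demo_too_many_fields(Record *rec) {
    static const unsigned char in[] = { 1, 'a', 1, 'b', 1, 'c', 1, 'd', 1, 'e' };
    return parse_record(in, sizeof in, rec);         /* -1 on the 5th field */
}

/* Read the whole input (file or stdin) into a heap buffer. */
static unsigned char *read_all(FILE *fp, size_t *out_len) {
    size_t cap = 4096, n = 0, got;
    unsigned char *buf = malloc(cap);
    if (!buf) return NULL;
    while ((got = fread(buf + n, 1, cap - n, fp)) > 0) {
        n += got;
        if (n == cap) {
            unsigned char *tmp = realloc(buf, cap * 2);
            if (!tmp) { free(buf); return NULL; }
            buf = tmp; cap *= 2;
        }
    }
    *out_len = n;
    return buf;
}

int main(int argc, char **argv) {
    FILE *fp = stdin;
    if (argc > 1 && !(fp = fopen(argv[1], "rb"))) { perror(argv[1]); return 1; }
    size_t len;
    unsigned char *data = read_all(fp, &len);
    if (fp != stdin) fclose(fp);
    if (!data) return 1;
    Record rec;
    int n = parse_record(data, len, &rec);
    if (n < 0) puts("malformed input");
    else for (int i = 0; i < n; i++) printf("field %d: %s\n", i, rec.field[i]);
    free(data);
    return 0;
}
```

Because the target reads its input from a path, the saved crash files under AFL's output directory can be replayed one by one with the same binary, which is the triage step the course describes; with the ASAN build, each replay prints the sanitizer report that names the overflowing line.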

At the end we will give students small hands-on exercises on what they have learned so far and clear up their doubts. We will wrap up the workshop by discussing how they can apply this knowledge to bug bounty programs, and then showcase multiple bugs we found during our research.

Your Instructor

Dhiraj Mishra - Dhiraj is an active researcher and speaker, who has discovered multiple zero-days in modern web browsers. He is also an active open source contributor. His work can be found on www.inputzero.io.