CCSK

  • 1.  Fuzzing?

    Posted May 25, 2021 01:43:00 PM

    Hello!

    In module 5 of the CCSK training they mention fuzzing when talking about DAST. I was wondering if anyone could provide more information about fuzzing? How does it work? 

    Thanks :)



    ------------------------------
    Jenna Morrison
    Training Department Intern
    Cloud Security Alliance
    ------------------------------


  • 2.  RE: Fuzzing?

    CSA Instructor
    Posted May 25, 2021 06:28:00 PM
    Edited by Guillaume Boutisseau May 25, 2021 06:29:15 PM
    In short, fuzzing consists of feeding an application various types of wrong or bad/poisonous data and seeing whether it takes it or breaks, which would point to bugs and vulnerabilities in the application code.


    OWASP has more here: https://owasp.org/www-community/Fuzzing .


    ------------------------------
    Guillaume Boutisseau
    CCSK Authorized Instructor , CCSP
    ------------------------------
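
The description above (feed the program bad data, watch whether it rejects it cleanly or breaks) in working code, as an added example that is not part of the original reply or of any CSA material. Everything here is constructed for illustration: the toy record format (type byte, length byte, payload, checksum byte), the seed input, the deliberately buggy parser, its hardened twin, and the mutation strategies. The fuzzer treats the parser's own `ValueError` as a graceful rejection and anything else as a crash, which is exactly the "does it take it or does it break" distinction.

```python
"""Minimal mutation-based fuzzer against a toy record parser.

Added example for this thread; it is not code from CSA or the CCSK material.
The record format, both parsers, the seed input and the mutation strategies
are constructed for illustration.
"""
import random
from typing import Callable, Dict, Tuple

# Constructed format: 1-byte type, 1-byte payload length, payload, 1-byte checksum
# (checksum = sum of payload bytes mod 256). "abc" sums to 294, i.e. 0x26 mod 256.
SEED_RECORD = b"\x01\x03abc\x26"
MAX_LEN = 64                      # keep mutated inputs small so the corpus cannot explode


def parse_record_buggy(data: bytes) -> dict:
    """Deliberately buggy parser: trusts the length byte and reads past the end."""
    if len(data) < 2:
        raise ValueError("record too short")      # graceful rejection, expected
    rtype, length = data[0], data[1]
    payload = data[2:2 + length]                  # slicing silently truncates...
    checksum = data[2 + length]                   # ...but indexing raises IndexError: the bug
    if checksum != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return {"type": rtype, "payload": bytes(payload)}


def parse_record_fixed(data: bytes) -> dict:
    """Hardened parser: checks the declared length against what was actually received."""
    if len(data) < 2:
        raise ValueError("record too short")
    rtype, length = data[0], data[1]
    if len(data) < 3 + length:
        raise ValueError("truncated record")      # reject instead of reading past the end
    payload = data[2:2 + length]
    checksum = data[2 + length]
    if checksum != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return {"type": rtype, "payload": bytes(payload)}


INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]      # boundary values that often trigger bugs


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation; these are the usual moves of a dumb (non-coverage-guided) fuzzer."""
    buf = bytearray(data)
    choice = rng.randrange(6)
    if choice == 0 and buf:                       # flip a single bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:                     # overwrite a byte with an interesting value
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif choice == 2 and buf:                     # delete a byte
        del buf[rng.randrange(len(buf))]
    elif choice == 3:                             # insert a random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif choice == 4 and buf:                     # truncate the input
        del buf[rng.randrange(len(buf)):]
    elif buf:                                     # duplicate the tail of the input
        i = rng.randrange(len(buf))
        buf[i:i] = buf[i:]
    return bytes(buf[:MAX_LEN])


def fuzz(target: Callable[[bytes], object], seed: bytes, iterations: int,
         rng_seed: int = 0) -> Dict[Tuple[str, str], bytes]:
    """Feed mutated inputs to target. ValueError is the parser's own rejection and counts as
    handled; any other exception means the input broke the parser and is recorded as a crash
    keyed by exception type and message (the shortest input per key is kept)."""
    rng = random.Random(rng_seed)
    corpus = [seed]
    crashes: Dict[Tuple[str, str], bytes] = {}
    for _ in range(iterations):
        data = rng.choice(corpus)
        for _ in range(rng.randint(1, 3)):        # stack a few mutations per input
            data = mutate(data, rng)
        try:
            target(data)
        except ValueError:
            continue                              # rejected cleanly: not a bug
        except Exception as exc:
            key = (type(exc).__name__, str(exc))
            if key not in crashes or len(data) < len(crashes[key]):
                crashes[key] = data
        else:
            if data not in corpus:                # accepted input: keep it as a new seed
                corpus.append(data)
    return crashes


def demo() -> None:
    for name, target in (("buggy", parse_record_buggy), ("fixed", parse_record_fixed)):
        crashes = fuzz(target, SEED_RECORD, iterations=2000)
        print(f"{name}: {len(crashes)} distinct crash signature(s)")
        for (etype, msg), sample in crashes.items():
            print(f"  {etype}: {msg!r} on input {sample!r}")


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the buggy parser falling over with an `IndexError` on a record whose length byte promises more payload than was sent, while the hardened parser only ever answers with its own `ValueError`. The fuzzer here is blind: it mutates at random and keeps accepted inputs as new seeds. Production fuzzers such as AFL++ and libFuzzer add coverage instrumentation so that a mutation which reaches new code is kept and built upon, which is what lets them dig into deep parser state rather than just the first few checks.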



  • 3.  RE: Fuzzing?

    CSA Instructor
    Posted May 25, 2021 06:48:00 PM
    Here is my understanding.
    Fuzzing and black-box tests are DAST, but the difference is the following:
    A black-box test is done without knowledge of the application code logic. Vulnerability scans and penetration tests are black-box tests.
    Fuzzing tests with knowledge of the code logic. Fuzzing can test whether bugs exist in the application code itself.

    Regards,
        - Morozumi

    ------------------------------
    Masahiro Morozumi
    Executive Director
    CSA Japan Chapter
    ------------------------------