Factbites
 Where results make sense
About us   |   Why use us?   |   Reviews   |   PR   |   Contact us  

Topic: Fuzz testing


In the News (Wed 15 Feb 12)

  
  Fuzz Testing of Application Reliability
Fuzz testing is a simple technique for feeding random input to applications.
While random testing is a time-honored technique, our approach has three characteristics that, when taken together, make it somewhat different from other approaches.
As a result of the first two characteristics, fuzz testing can be automated to a high degree and results can be compared across applications, operating systems, and vendors.
www.cs.wisc.edu /~bart/fuzz/fuzz.html   (429 words)

  
 Fuzz testing   (Site not responding. Last check: 2007-09-17)
Fuzz testing is a simple technique that can have a profound effect on your code quality.
The trick of fuzz testing is that it isn't logical: Rather than attempting to guess what data is likely to provoke a crash (as a human tester might do), an automated fuzz test simply throws as much random gibberish at a program as possible.
Fuzz testing is a crucial tool for identifying real errors in programs, and one that all security-aware and robustness-oriented programmers should have in their toolboxes.
www-128.ibm.com /developerworks/java/library/j-fuzztest.html   (2826 words)

  
 Fuzz Testing
Fuzz testing is thought to enhance software security and software safety because it often finds odd oversights and defects which human testers would fail to find, and even careful human test designers would fail to create tests for.
However, fuzz testing is not a substitute for exhaustive testing or formal methods: it can only provide a random sample of the system's behavior, and in many cases passing a fuzz test may only demonstrate that a piece of software handles exceptions without crashing, rather than behaving correctly.
Thus, fuzz testing can only be regarded as a proxy for program correctness, rather than a direct measure, with fuzz test failures actually being more useful as a bug-finding tool than fuzz test passes as an assurance of quality.
www.vyomworld.com /testing/fuzztest.asp   (920 words)

  
 Test Early » Fuzz testing
“Fuzzing” is a concept that has been in use for many years, mostly with in-house testing departments, and its effectiveness can have a profound effect on your code quality.
In a recent IBM DeveloperWorks article, Elliotte Harold presents this testing technique for hardening applications against unexpected input - and shows what happens when he deliberately injects random bad data (aka fuzz) into an application to see what breaks.
The main problem with fuzzing to find program faults is that it generally only finds very simple faults, but curiously, this testing technique seems to find defects that are not found by other techniques.
www.testearly.com /2006/10/05/fuzz-testing   (155 words)

  
 OWASP Testing Guide Appendix C: Fuzz Vectors - OWASP
Fuzzing is the "kitchen sink" approach to testing the response of an application to parameter manipulation.
Recursive fuzzing can be defined as the process of fuzzing a part of a request by iterating through all the possible combinations of a set alphabet.
Replacive fuzzing can be defined as the process of fuzzing part of a request by means of replacing it with a set value.
www.owasp.org /index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors   (739 words)

  
 Debian GNU/Linux: The Complete Documentation
We tested the reliability of 135 command-line UNIX utilities and thirty graphical applications on Mac OS X by feeding random input to each. We report on application failures – crashes (dumps core) or hangs (loops indefinitely) – and, where source code is available, we identify the causes of these failures and categorize them.
Our testing crashed only 7% of the command-line utilities, a considerably lower rate of failure than observed in almost all cases of previous studies. We found the GUI-based applications to be less reliable: of the thirty that we tested, only eight did not crash or hang.
Fuzzing is mostly used to uncover security bugs; however, it can often also be used to spot bugs that aren’t security critical but which can nonetheless improve robustness.
www.l0t3k.org /programming/docs/fuzzing   (1019 words)

  
 FuzzTesting - The Ethereal Wiki
Fuzz testing Ethereal will create random or semi-random capture files, feed them into Ethereal/Tethereal and observe the "response".
Please include the fuzzed capture file in the bug report, so the bug can be easily reproduced by others.
A convenient and effective way to do fuzz tests is to run fuzz-test.sh on your personal collection of capture files.
wiki.ethereal.com /FuzzTesting   (670 words)

  
 ActiveX Security: Improvements and Best Practices (Windows IETechCol)
Penetration testing includes, but is not limited to, denial of service, stress testing of all network interfaces and fuzz testing of all file formats used by the control.
This kind of testing requires a high volume of test cases, with many variations and mutations in the data that you test the control with.
The objective of fuzz testing is not to ensure that your control acts in an expected manner on the invalid data but to ensure that your control acts in a safe manner when given invalid data.
msdn.microsoft.com /library/en-us/IETechCol/cols/dnexpie/activex_security.asp?frame=true   (5830 words)

  
 LWN: Fuzz testing
While it is not specifically a fuzzer, one must mention Metasploit, the swiss army knife of penetration testing, which provides a framework for all kinds of exploit testing.
Researchers at the University of Central Florida are trying to take fuzzing a step further by using information about what portions of the code were exercised by various inputs and whether they led to program crashes to drive a genetic algorithm that 'optimizes' for inputs that are likely to cause crashes.
Fuzzing can be used to find all kinds of security issues with a program: buffer overflows, SQL injection, cross-site scripting, denial of service, etc.
lwn.net /Articles/200225   (1183 words)

  
 Introduction to Unit Testing
If you're writing your test suite and thinking about how to achieve maximum coverage, one way to do it is to look at the source for your class while you're writing the test suite and go through every method and branch.
This way the test groups aren't dependent on each other and a failure in one small area of the test suite won't randomly break a bunch of tests that should work.
This way, if, say, the name equality test is broken, we will know exactly what went wrong, because the "same names, different types" test will fail if the name test is broken to return false negatives, and the "different names, same types" test will fail if the name test is broken to return false positives.
www.zevils.com /~matthewg/writings/unit-testing-lecture/notes.html   (1479 words)

  
 An Empirical Study of the Robustness of Windows NT Applications Using Random Testing
Fuzz is invoked from a command line; it does not use a GUI so that our interactions with the tool do not interfere with the testing of the applications.
The outcome of each test was classified in one of three categories: the application crashed completely, the application hung (stopped responding), or the application processed the input and we were able to close the application via normal application mechanisms.
While random testing is far from elegant, it does bring to the surface application errors, as evidenced by the numerous crashes encountered during the study.
www.cs.wisc.edu /~bart/fuzz/fuzz-nt.html   (5304 words)

  
 How do you test? - O'Reilly ONJava Blog
The fuzz testing article by Elliotte Harold explains how to create test data for your tests.
In fuzz testing, you attack a program with random bad data (aka fuzz), then wait to see what breaks.
As all these articles imply, code testing is all about balance of your time and effort to provide quality code and certainly no silver-bullet solution will help you with this.
www.oreillynet.com /onjava/blog/2006/10/how_do_you_test.html   (930 words)

  
 FuzzTesting - The Wireshark Wiki
Fuzz testing Wireshark will create random or semi-random capture files, feed them into Wireshark/TShark and observe the "response".
One convenient way to do this is through fuzz testing.
If possible, please use a SVN version of Wireshark for the fuzz testing and report any bug(s) you find.
wiki.wireshark.org /FuzzTesting   (846 words)

  
 [No title]
Testing to determine that the results generated by the enterprise's information systems and their components are accurate and the systems perform to specification.
Scripted testing means that learning and test design happens prior to test execution, and quite often the learning has to be done again during test execution.
Some have developed their own automated testing environments specifically for internal development and not for resale. Metrics: By measuring how many bugs are found and comparing them to predicted numbers (based on past experience with similar projects), certain assumptions regarding the effectiveness of testing can be made.
www.massey.ac.nz /~tsrichar/157212/Wk8_Lec1_and_2.ppt   (1866 words)

  
 FuzzingTools - ThreatMind
There is now a fuzzing mailing list started by Gadi Evron that you might want to subscribe to.
Fuzz testing has application as a security research methodology and for software quality assurance purposes.
It has been designed for minimizing set-up time during fuzzing sessions and it is especially useful for fast testing of proprietary or undocumented protocols.
www.scadasec.net /secwiki/FuzzingTools   (1801 words)

  
 Fuzz home page   (Site not responding. Last check: 2007-09-17)
The reason for this is that I wanted to test more kinds of software and I wanted the tool to be more automatic.
My version of fuzz is supposed to transcend the original fuzz program used to prepare the original fuzz paper.
The fuzz generator is designed to attack certain kinds of software and expose one particular kind of bug common in software.
fuzz.sourceforge.net   (532 words)

  
 Fuzz Testing - Hacksafe Security - penetration testing, new tools, vulnerabilities, exploits and patches.
A test harness, also referred to as a test driver or a test framework, allows you to run many test cases and collect/report your results.
Fuzzing is a powerful tool for cheaply cranking out inputs which will break your web application in unexpected ways.
Fuzzing with JBroFuzz can take place on any part of a socket request by means of specifying one or more generators.
www.hacksafe.com.au /blog/category/fuzz-testing   (921 words)

  
 BizTech: Online Exclusive: Secure Testing Policies
By fuzz testing all the file formats your app consumes and the “parser per” format and network protocols with man-in-the-middle techniques, you’ll provide a “sanity check” of code before release.
Fuzzing means creating malformed data and having the app under test consume the data to see how it reacts.
Fuzzing is aimed at exercising code that analyzes data structures — loosely referred to as parsers.
www.biztechmagazine.com /article.asp?item_id=193   (1045 words)

  
 Hybrid Security Testing — Beyond Source Code Analysis
To increase the reliability of security testing results, developers are finding that security testing should be a combination of analysis techniques — utilizing source code analysis information to direct a second, more practical approach called dynamic analysis.
In the security testing field, trusting the inferred results of source code analysis is analogous to trusting that an application will function according to design when it compiles cleanly.
During security testing, a source code analysis product might be able to identify the potential of a cross-site scripting vulnerability by finding un-validated inputs or poor session handling--if the particular language and compiler is supported.
www.spidynamics.com /spilabs/education/articles/dynamic-analysis.html   (833 words)

  
 Agile Testing
Even though the Google testing team says that 'Life is too short for manual testing' (and I couldn't agree more with them), they hasten to qualify this slogan by adding that automated testing frees you up to do more meaningful exploratory testing.
This is also a good example of why unit tests are not sufficient; you need to exercise your application as a whole via functional/integration/system testing (here's a good concrete example why).
In the Python testing world, we are fortunate to have a multitude of unit test tools, from the standard library unittest and doctest to tools and frameworks such as py.test, nose, Testoob, testosterone, and many others (see the Unit Testing Tools section of the PTTT for more details).
agiletesting.blogspot.com   (8578 words)

  
 Software Quality Assurance & Software Testing Resource Center
Testing is a process used to help identify the correctness, completeness and quality of developed computer software.
One definition of testing is "the process of questioning a product in order to evaluate it", where the "questions" are things the tester tries to do with the product, and the product answers with its behavior in reaction to the probing of the tester.
Although most of the intellectual processes of testing are nearly identical to that of review or inspection, the word testing is connoted to mean the dynamic analysis of the product—putting the product through its paces.
www.vyomworld.com /testing   (271 words)

  
 Java Testing Tools - Software QA & Software Testing Information Resources
Intent is to allow fine-grained continuous testing of all files making up an application: source code but also meta-data files (such as deployment descriptors, etc) through an in-container approach.
Testing framework by Timothy Wall provides automated event generation and validation of Java GUI components, improving upon the very basic functions provided by the java.awt.Robot class.
Framework for developing automated testing of Java Swing-based applications at the UI layer (as opposed to testing at lower layers, for which JUnit may be sufficient).
www.softwaretestingadvice.com /jtools.php   (1220 words)

  
 Fuzz - AOL Music
Fuzz testing or fuzzing is a software testing technique that provides random...
The great advantage of fuzz testing is that the test design is extremely...
A fuzzbox (or fuzz box) is a type of stomp box comprising an amplifier and a clipping...
music.aol.com /artist/fuzz/530254/main   (115 words)

  
 CUTE: A concolic unit testing engine for C and Java
CUTE (a Concolic Unit Testing Engine for C and Java) is a tool to systematically and automatically test sequential C programs (including pointers) and concurrent Java programs.
The idea of concolic testing is to use the symbolic execution to generate inputs that direct a program to alternate paths, and to use the concrete execution to guide the symbolic execution along a concrete path.
In one of our experiments, CUTE was used to automatically test SGLIB, a popular C data structure library used in a commercial tool.
osl.cs.uiuc.edu /~ksen/cute   (547 words)

  
 Software Testing Interview Questions - eisn.net
During recording QTP looks at the object and stores it as a test object. For each test object QT learns a set of default properties called mandatory properties, and looks at the rest of the objects to check whether these properties are enough to uniquely identify the object.
An output value is a value captured during the test run and entered in the run-time but to a specified location.
External actions are read-only in the calling test, but you can choose to use a local, editable copy of the Data Table information for the external action.
www.qatest.co.in /qtp.php   (1836 words)

  
 Case Study: Scorpion Software Saves Money and Frees Staff with TestComplete
One of the weaknesses in their old manual test process was that it was prone to break when staff would rush to get things fixed and shipped.
This test is then used by the developer to not only reproduce the issue, but to ensure that the fix passes the test.
TestComplete is a comprehensive test automation solution with integrated support for a wide range of both internal and UI based testing.
www.automatedqa.com /techpapers/scorpion_case_study.asp   (2043 words)

  
 FirefoxSummit/2006/ProposedSessions/FuzzTesting - MozillaWiki
Fuzz testing is the art of creating "random" but interesting input to a program.
For example, someone wanting to test an HTML parser might feed it thousands of horribly invalid HTML files.
But someone testing code that displays SVG would want to use well-formed XML, only using SVG tags and attributes in random combinations and sometimes in invalid ways.
wiki.mozilla.org /FirefoxSummit/2006/ProposedSessions/FuzzTesting   (161 words)

  
 PythonTestingToolsTaxonomy - Cheesecake - Trac   (Site not responding. Last check: 2007-09-17)
unit test framework, used most notably by TurboGears; provides an alternate test discovery and running process for unittest, one that is intended to mimic the behavior of py.test as much as is reasonably possible without resorting to too much magic.
This information is then used to ensure that tests will break if there is a discrepancy between the interface supported by your stub class and that of the real class it stands in for.
Although not properly a part of testing tools, continuous integration tools are nevertheless an important addition to a tester's arsenal.
pycheesecake.org /wiki/PythonTestingToolsTaxonomy   (1959 words)

  
 antiparser   (Site not responding. Last check: 2007-09-17)
The purpose of antiparser is to provide an API that can be used to model network protocols and file formats by their composite data types.
Each specific instance of permuted data may then be saved to a file and loaded at a later time for replay if required.
This provides an easy means of organizing the results of a particular fuzz test.
antiparser.sourceforge.net   (195 words)

Copyright © 2005-2007 www.factbites.com Usage implies agreement with terms.