Include fuzz testing in DAST
Problem to solve
DAST attacks an application at runtime: it sends HTTP requests that try to find vulnerabilities static analysis does not discover.
Fuzz testing increases the chance of finding issues by sending arbitrary (generated or mutated) payloads instead of only well-known ones. This triggers uncommon, specific code paths and widens the attack surface that is actually exercised.
ZAP (the tool we currently use for DAST) can be used as a fuzzer.
Add fuzz testing functionality to our DAST tool.
Specifically for ZAP, analyze whether the existing fuzzing module can be enabled and what it requires (probably active test mode).
We also need to evaluate the running time, since fuzzing can be very time consuming.
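As an added illustration of the mutation-based approach described above (example code written for this issue, not code from ZAP or any of the tools listed), the following Python script derives arbitrary payloads from a few well-known seed query strings, runs each against a constructed in-process toy handler with two deliberately planted defects, and records the first payload that triggers each distinct failure. It stops on an iteration or wall-clock budget, which is the knob a running-time evaluation needs. The handler, the seeds, and the mutation operators are all assumptions made for the example; a real integration would send the same payloads as HTTP requests to the application under test instead of calling a function.

```python
import random
import time
from typing import Callable, Dict, Iterable, List, Optional

# Constructed seed payloads: well-formed query strings a scan would normally
# send. Fuzzing derives arbitrary variants from them.
SEEDS: List[str] = ["id=42", "q=hello", "page=1"]

# Characters a mutation may splice in; chosen to hit delimiter and encoding
# handling in the target (an assumption for this example).
INJECT_CHARS = "%&=<>'\"\x00"


def mutate(payload: str, rng: random.Random) -> str:
    """Apply one random mutation to a payload (simplified Radamsa-style operators)."""
    if not payload:
        return rng.choice(SEEDS)
    i = rng.randrange(len(payload))
    op = rng.choice(["flip", "insert", "delete", "repeat"])
    if op == "flip":  # flip one bit of one character
        c = chr(ord(payload[i]) ^ (1 << rng.randrange(7)))
        return payload[:i] + c + payload[i + 1:]
    if op == "insert":  # splice in a delimiter or control character
        return payload[:i] + rng.choice(INJECT_CHARS) + payload[i:]
    if op == "delete":  # drop one character (may remove a delimiter)
        return payload[:i] + payload[i + 1:]
    # "repeat": blow up a short slice to exercise length-related paths
    return payload[:i] + payload[i:i + 4] * rng.randrange(2, 64) + payload[i + 4:]


# Constructed toy target standing in for the application under test.
# Both failures are planted on purpose so the fuzzer has something to find.
ROWS = [f"row-{n}" for n in range(10)]


def toy_handler(query: str) -> Dict[str, str]:
    params: Dict[str, str] = {}
    for pair in query.split("&"):
        key, value = pair.split("=", 1)  # planted: a pair without "=" raises ValueError
        params[key] = value
    if "page" in params:
        page = int(params["page"])  # planted: non-numeric page raises ValueError
        params["row"] = ROWS[page]  # planted: page >= 10 raises IndexError
    return params


def fuzz(
    target: Callable[[str], object],
    seeds: Iterable[str],
    budget_seconds: float,
    max_iterations: Optional[int] = None,
    rng_seed: int = 0,
) -> Dict[str, str]:
    """Mutate seeds and run them against target until the time or iteration budget is spent.

    Returns exception class name -> first payload that triggered it, which is
    what a report needs so each finding can be reproduced and fixed.
    """
    rng = random.Random(rng_seed)  # fixed seed keeps a run reproducible
    corpus = list(seeds)
    findings: Dict[str, str] = {}
    deadline = time.monotonic() + budget_seconds
    iterations = 0
    while time.monotonic() < deadline:
        if max_iterations is not None and iterations >= max_iterations:
            break
        iterations += 1
        payload = rng.choice(corpus)
        for _ in range(rng.randrange(1, 4)):  # stack one to three mutations
            payload = mutate(payload, rng)
        try:
            target(payload)
        except Exception as exc:  # any unhandled exception is a finding
            findings.setdefault(type(exc).__name__, payload)
    return findings


if __name__ == "__main__":
    for name, payload in fuzz(toy_handler, SEEDS, budget_seconds=5, max_iterations=5000).items():
        print(f"{name}: {payload!r}")
```

Two design points carry over to a real DAST integration: the fixed random seed makes a run reproducible, so a finding can be replayed and triaged, and the time budget is the parameter to measure when estimating how much fuzzing adds to a pipeline's scan duration.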
This is a list of software that we can consider when implementing GitLab fuzzing features.
- American Fuzzy Lop: open-source
- Beyond Security beSTORM: COTS with multiple protocol support similar to Peach or Synopsys
- ForAllSecure MAYHEM: startup from DARPA Cyber Grand Challenge
- Google OSS-Fuzz: Google hosted service/framework for evaluating open source projects
- Grammatech CodeSonar: specifically the binary analysis/decompiler functionality which is part of their SAST
- libFuzzer: open-source
- Microsoft binskim: lightweight scanner that checks binary attributes and compiler settings
- Microsoft Security Risk Detection: SaaS delivery of binary analysis
- OpenRCE Sulley: open-source
- Peach Tech Peach Fuzzer: COTS
- Radamsa: open-source
- Rogue Wave CodeDynamics: debugger with dynamic analysis for Python and C/C++
- Synopsys Defensics: COTS with multiple protocol support similar to beSTORM or Peach
- Trail of Bits Manticore: open-source
- Google ClusterFuzz: open-source, https://github.com/google/clusterfuzz
Artillery has a fuzzing plugin: https://artillery.io/docs/plugin-fuzzer/
Other tools are listed at https://www.owasp.org/index.php/Fuzzing#Fuzzing_tools.
What does success look like, and how can we measure that?
DAST reports more vulnerabilities thanks to fuzz testing.