Find Unknown Vulnerabilities Using
INTRODUCTION

Fuzz testing, or fuzzing, is a technique for testing the security and stability of computer programs (applications). Fuzzing is performed by sending malformed data to an application's input points in order to cause unexpected behavior, resource leaks or crashes in the application. A fuzzer will also stress the application with unexpectedly high workloads in order to test its robustness.

A typical fuzzer generates random or semi-random, specially crafted data of different varieties:

Generational-based fuzzers build input based on certain specifications or formats that provide context-awareness.
Evolutionary-based fuzzers use genetic algorithms to generate mutations in the input data while the fuzzer is learning about the input format, which as a result maximizes code coverage.

The functionality of a fuzzer can be split across different layers and implementations of the targeted system:

Application fuzzing targets the system's input and output components, such as the UI, command-line options, forms or user-generated content.
Protocol fuzzing sends forged packets to the application or acts as a proxy to modify and replay requests on the fly.
File format fuzzing targets the parsing layer, the file structure and the encoding mechanism.

Fuzzing consists of three phases that the fuzzer must go through:

1st phase: generation of random or malformed data (the attack vector) to be sent as input to the target application
2nd phase: delivery of the generated data to the target's entry point
3rd phase: inspection of the impact on the target to determine if the attack was successful

Engagement in application security testing using fuzzing is usually performed prior to the application's production release, with the purpose of ensuring the quality of the application's runtime behavior in unmet and unassumed scenarios.
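The three phases above, together with the generational versus evolutionary (mutation-based) split, can be seen end to end in a small coverage-guided harness. The following is an added example written for this page; it is not code from the paper and has nothing to do with NexFuzz. The target, parse_record(), is an invented record parser with two planted defects, and every name in the block is an assumption of the example. Phase 1 alternates between building inputs from the record format (generational) and mutating inputs kept in a corpus (evolutionary, with line coverage as the fitness signal); phase 2 delivers each input to the parser while tracing which lines ran; phase 3 triages the outcome into "ok", an expected rejection by the parser's own validation, or a genuine crash.

```python
"""Toy coverage-guided fuzzer showing generate -> deliver -> inspect.
Constructed example for illustration; parse_record() and its defects are invented."""
import random
import sys
from typing import Callable, Dict, List, Optional, Set, Tuple

TAG_NAME, TAG_VALUE = 0x01, 0x02


def parse_record(data: bytes) -> Dict[str, bytes]:
    """Invented target: a stream of (tag, length, payload) records.
    Two defects are planted: a value record before any name record raises
    KeyError, and a value longer than the name raises IndexError."""
    fields: Dict[str, bytes] = {}
    i = 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        payload = data[i + 2:i + 2 + length]
        i += 2 + length
        if tag == TAG_NAME:
            fields["name"] = payload
        elif tag == TAG_VALUE:
            name = fields["name"]                       # KeyError if no name yet
            fields["value"] = bytes(name[k] ^ payload[k]  # IndexError if longer
                                    for k in range(len(payload)))
        else:
            raise ValueError("unknown tag")             # expected rejection
    return fields


# Phase 1: generation (two strategies).
def generate_from_spec(rng: random.Random) -> bytes:
    """Generational: records that follow the format, with random contents."""
    out = bytearray()
    for _ in range(rng.randint(1, 3)):
        payload = bytes(rng.randrange(256) for _ in range(rng.randint(0, 4)))
        out += bytes([rng.choice((TAG_NAME, TAG_VALUE)), len(payload)]) + payload
    return bytes(out)


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Mutation-based: one small random edit to an existing corpus entry."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:                                    # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:                                  # boundary value
        buf[rng.randrange(len(buf))] = rng.choice((0, 1, 2, 0x7F, 0x80, 0xFF))
    elif op == 2:                                          # insert a byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:                                              # delete a byte
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


# Phase 2: delivery, recording which lines of the target executed.
def deliver(target: Callable[[bytes], object],
            data: bytes) -> Tuple[Optional[BaseException], Set[int]]:
    lines: Set[int] = set()
    code = target.__code__

    def tracer(frame, event, arg):
        if frame.f_code is code:
            if event == "line":
                lines.add(frame.f_lineno)
            return tracer
        return None

    sys.settrace(tracer)
    try:
        target(data)
        return None, lines
    except Exception as exc:  # any exception is an observation for phase 3
        return exc, lines
    finally:
        sys.settrace(None)


# Phase 3: inspection.  Only unexpected exceptions count as findings.
EXPECTED_REJECTIONS = (ValueError,)


def triage(exc: Optional[BaseException]) -> str:
    if exc is None:
        return "ok"
    if isinstance(exc, EXPECTED_REJECTIONS):
        return "rejected"
    return "crash"


def fuzz(target, seeds: List[bytes], iterations: int = 5000,
         seed: int = 7) -> Dict[str, bytes]:
    """Returns the first input observed for each distinct crash type."""
    rng = random.Random(seed)
    corpus = list(seeds)
    seen_lines: Set[int] = set()
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        if rng.random() < 0.5:
            candidate = generate_from_spec(rng)
        else:
            candidate = mutate(rng.choice(corpus), rng)
        exc, cov = deliver(target, candidate)
        if triage(exc) == "crash":
            crashes.setdefault(type(exc).__name__, candidate)
        if cov - seen_lines:        # new coverage: keep input for further mutation
            seen_lines |= cov
            corpus.append(candidate)
    return crashes


if __name__ == "__main__":
    for kind, sample in fuzz(parse_record, [b"\x01\x03abc\x02\x03xyz"]).items():
        print(f"{kind}: {sample!r}")
```

The triage step is the part that decides whether a run "was successful" in the sense the text uses: a ValueError here is the parser doing its job, while KeyError and IndexError are the planted defects surfacing. Real harnesses replace line tracing with instrumentation (AFL-style edge counters, sanitizers) and run the target out of process so that a crash cannot take the fuzzer down with it.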
A fuzzing test is considered successful if the fuzzer can accurately determine whether the attack vector that was introduced to the target application was indeed able to disrupt the stability of the application.

+1 (0) 917 905 9707 | +44 (0) 20 8050 3278 | www.neuralegion.com | [email protected]

Meet the world's first AI-powered fuzzing solution

NeuraLegion's NexFuzz is the world's first self-evolving, adaptive-learning fuzzing solution which utilizes an engine that learns from the interactions with the target endpoint, builds its database of knowledge, and adapts its scanning techniques as the scan is running. NexFuzz applies evolution strategies and reinforcement learning to extensively analyze the response, the business logic flow of the application and the context of a given attack surface, breaking the assumed scope of the target and reporting vulnerabilities that are invisible to other, unintelligent fuzzing tools.

Thanks to the exploratory engine's ability to validate exploitation of the vulnerability with a reproducible proof-of-concept, each vulnerability that NexFuzz identifies is reported with no false positives. This saves an enormous amount of time that is required for an effective analysis of the vulnerabilities and the severity of the impact that could harm the environment if a vulnerability is exploited.

Standard fuzzers are very good to implement and require extensive security training and expertise in order to enable efficient engagement in application security testing. Fuzzing with NexFuzz starts directly from a web browser with the initial recording of interactions with the application to create an HTTP Archive (HAR) file. The engine uses the HAR file to detect application entry points and business logic flows that are to be scanned for vulnerabilities. Recording of the HAR files can be automated using web browser automation tools, providing additional convenience to the process of target endpoint inspection.

NexFuzz integrates application security testing with SDLC tools such as Jenkins, CircleCI, TravisCI and GitHub, amongst others, to provide fully automated fuzzing that fits into the software development life cycle, empowering development environments with effortless security testing, vulnerability analysis, and accurate real-time vulnerability reporting.
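The HAR-driven workflow described above rests on one concrete step: turning a browser recording into a list of entry points (method, path and parameter names) that a fuzzer can then target. The block below is an added example of that step, written for this page; it is not NexFuzz code and says nothing about how NexFuzz actually processes a HAR file. It relies only on the public HAR 1.2 layout (log.entries[].request with method, url, queryString and optional postData), and the recording, host, paths and parameter names embedded in it are constructed for the example. Requests to other hosts are dropped as out of scope, and repeated requests to the same path with the same parameter names collapse into one entry point.

```python
"""Extract fuzzing entry points from a HAR recording (constructed example)."""
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed HAR 1.2 recording; host, paths and parameter names are invented.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET",
                 "url": "https://app.example.test/search?q=fuzz&page=1",
                 "queryString": [{"name": "q", "value": "fuzz"},
                                 {"name": "page", "value": "1"}]}},
    {"request": {"method": "GET",
                 "url": "https://app.example.test/search?q=har&page=2",
                 "queryString": [{"name": "q", "value": "har"},
                                 {"name": "page", "value": "2"}]}},
    {"request": {"method": "POST", "url": "https://app.example.test/api/login",
                 "queryString": [],
                 "postData": {"mimeType": "application/json",
                              "text": "{\"user\": \"alice\", \"password\": \"x\"}"}}},
    {"request": {"method": "POST", "url": "https://app.example.test/feedback",
                 "queryString": [],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "params": [{"name": "msg", "value": "hi"}]}}},
    {"request": {"method": "GET", "url": "https://cdn.example.test/app.css",
                 "queryString": []}},
]}})


@dataclass(frozen=True)
class EntryPoint:
    method: str
    path: str
    params: Tuple[str, ...]   # parameter names only; their values get fuzzed


def body_param_names(post: Dict) -> List[str]:
    """Names of body parameters carried by a HAR postData object."""
    if "params" in post:                            # urlencoded / multipart form
        return [p["name"] for p in post["params"]]
    mime = post.get("mimeType", "")
    text = post.get("text", "")
    if mime.startswith("application/json"):
        body = json.loads(text)
        return list(body.keys()) if isinstance(body, dict) else []
    if mime.startswith("application/x-www-form-urlencoded"):
        return list(parse_qs(text).keys())
    return []                                       # unknown body type: nothing to name


def extract_entry_points(har_text: str, in_scope_host: str) -> List[EntryPoint]:
    """Deduplicated (method, path, parameter names) for requests to one host."""
    seen = set()
    result: List[EntryPoint] = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        if url.hostname != in_scope_host:           # ignore third-party traffic
            continue
        names = {q["name"] for q in req.get("queryString", [])}
        names.update(body_param_names(req.get("postData", {})))
        ep = EntryPoint(req["method"].upper(), url.path, tuple(sorted(names)))
        if ep not in seen:
            seen.add(ep)
            result.append(ep)
    return result


if __name__ == "__main__":
    for ep in extract_entry_points(SAMPLE_HAR, "app.example.test"):
        print(ep.method, ep.path, ",".join(ep.params) or "(no parameters)")
```

Keying the deduplication on parameter names rather than values is what keeps a recording of twenty searches from producing twenty identical targets; the recorded values are still useful later, as seeds for the mutation stage. Cookies and headers are deliberately left out of this example, although a fuller inventory would treat them as inputs too.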
SUCCESS STORY

NexFuzz was used to scan Google's PageSpeed Insights, a service that analyzes the content of web pages to generate suggestions for performance optimization. The NexFuzz engine managed to craft special URLs that were injected as malformed input to the application, causing an application failure by making it unable to read or understand the inserted data. This attack vector had caused an endless loop of unsuccessful attempts of the application to go over the data storage in order to remove the unwanted data. The CPU utilization had also spiked and the disk was filled with erroneous data, causing denial of service.

About zero-day vulnerabilities

A zero-day vulnerability is a term that describes a software security flaw that is unknown to, or unaddressed by, those who are responsible for disclosing and remediating it. The exploitation of a zero-day vulnerability has a severe impact on the environment where the vulnerable asset is contained. In 2018, 76% of notable cybercrimes were committed by the exploitation of zero-day vulnerabilities. In light of this very concerning fact, organizations are now searching for new solutions that will enable them to break the limits of vulnerability scanning coverage to mine and expose unknown, zero-day vulnerabilities before the malicious adversaries do.
[Chart: 76% zero-day vulnerabilities, 24% other vulnerabilities]

Gartner's AST market predictions

By 2019, more than 50% of enterprise DevOps initiatives will have incorporated application security testing (AST) for custom code, an increase from fewer than 10% today.
By 2020, 10% of penetration tests will be conducted by machine learning-based smart machines, up from 0% in 2016.
By 2021, at least one company will publicly acknowledge a $1 billion revenue impact from a business outage resulting from a malware/ransomware attack.

Source: Ponemon Institute's 2018 State of Endpoint Security Risk report

Lead security experts agree that machine learning-powered security tools will become a cornerstone of good practice in cyber and information security, with an ability to harden security environments. Don't fall behind malicious attackers; use AI in your security today!

SUMMARY

As a security testing technique that ensures the runtime stability of an application, fuzzing is heavily utilized in the latter stages of a software development life cycle, after the application is packaged and prepared for production release. Although fuzzing is based on a simple idea in nature (insert bad data into an application and see if anything crashes), a fuzzing test exposes security risks that are often unforeseen, and therefore has tremendous value.

Standard fuzzing solutions are unable to adapt to each unique scenario in order to learn about the business logic flow of the application and the context of the attack surface. Along with the fact that a typical fuzzer requires high technical and operational effort, and additional security expertise, the traditional, unintelligent fuzzers prove themselves highly inefficient to utilize.
NeuraLegion's NexFuzz leverages automation and AI-powered fuzzing, breaking the limits of the current fuzzing technologies, offering unparalleled detection of zero-day vulnerabilities, as well as validated reports and reproducible proofs-of-concept, with no false positives.