Programming Books C Java PHP Python Learn more Browse Programming Books
Fuzzing: Brute Force Vulnerability Discovery and over one million other books are available for Amazon Kindle. Learn more
Buy New
$40.88
Qty:1
  • List Price: $59.99
  • Save: $19.11 (32%)
Only 13 left in stock (more on the way).
Ships from and sold by Amazon.com.
Gift-wrap available.
Sell yours for a Gift Card
We'll buy it for $12.78
Learn More
Trade in now
Have one to sell? Sell on Amazon
Flip to back Flip to front
Listen Playing... Paused   You're listening to a sample of the Audible audio edition.
Learn more
See this image

Fuzzing: Brute Force Vulnerability Discovery Paperback – July 9, 2007

ISBN-13: 978-0321446114 ISBN-10: 0321446119 Edition: 1st

Buy New
Price: $40.88
24 New from $33.37 17 Used from $24.99
Amazon Price New from Used from
Kindle
"Please retry"
Paperback
"Please retry"
$40.88
$33.37 $24.99
Free Two-Day Shipping for College Students with Amazon Student Free%20Two-Day%20Shipping%20for%20College%20Students%20with%20Amazon%20Student


Frequently Bought Together

Fuzzing: Brute Force Vulnerability Discovery + The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities + A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security
Price for all three: $122.39

Buy the selected items together
NO_CONTENT_IN_FEATURE

Shop the new tech.book(store)
New! Introducing the tech.book(store), a hub for Software Developers and Architects, Networking Administrators, TPMs, and other technology professionals to find highly-rated and highly-relevant career resources. Shop books on programming and big data, or read this week's blog posts by authors and thought-leaders in the tech industry. > Shop now

Product Details

  • Paperback: 576 pages
  • Publisher: Addison-Wesley Professional; 1 edition (July 9, 2007)
  • Language: English
  • ISBN-10: 0321446119
  • ISBN-13: 978-0321446114
  • Product Dimensions: 7 x 1.3 x 9 inches
  • Shipping Weight: 1.6 pounds (View shipping rates and policies)
  • Average Customer Review: 4.2 out of 5 stars  See all reviews (4 customer reviews)
  • Amazon Best Sellers Rank: #741,745 in Books (See Top 100 in Books)

Editorial Reviews

About the Author

M ICHAEL S UTTON

Michael Sutton is the Security Evangelist for SPI Dynamics. As Security Evangelist, Michael is responsible for identifying, researching, and presenting on emerging issues in the web application security industry. He is a frequent speaker at major information security conferences, has authored numerous articles, and is regularly quoted in the media on various information security topics.Michael is also a member of the Web Application Security Consortium (WASC), where he is project lead for the Web Application Security Statistics project.

Prior to joining SPI Dynamics,Michael was a Director for iDefense/VeriSign, where he headed iDefense Labs, a team of world class researchers tasked with discovering and researching security vulnerabilities.Michael also established the Information Systems Assurance and Advisory Services (ISAAS) practice for Ernst & Young in Bermuda. He holds degrees from the University of Alberta and The George Washington University. Michael is a proud Canadian who understands that hockey is a religion and not a sport. Outside of the office, he is a Sergeant with the Fairfax Volunteer Fire Department.

 

A DAM G REENE

Adam Greene is an engineer for a large financial news company based in New York City. Previously, he served as an engineer for iDefense, an intelligence company located in Reston, VA. His interests in computer security lie mainly in reliable exploitation methods, fuzzing, and UNIX-based system auditing and exploit development.

 

P EDRAM A MINI

Pedram Amini currently leads the security research and product security assessment team at TippingPoint. Previously, he was the assistant director and one of the founding members of iDefense Labs. Despite the fancy titles, he spends much of his time in the shoes of a reverse engineer–developing automation tools, plug-ins, and scripts. His most recent projects (a.k.a. “babies”) include the PaiMei reverse engineering framework and the Sulley fuzzing framework.

In conjunction with his passion, Pedram launched OpenRCE.org, a community website dedicated to the art and science of reverse engineering. He has presented at RECon, BlackHat, DefCon, ShmooCon, and ToorCon and taught numerous sold out reverse engineering courses. Pedram holds a computer science degree from Tulane University.

 

Excerpt. © Reprinted by permission. All rights reserved.

Preface

Preface

"I know the human being and fish can coexist peacefully."
- George W. Bush, Saginaw, Mich., Sept. 29, 2000

Introduction

The concept of fuzzing has been around for almost two decades but has only recently captured widespread attention. In 2006, we saw a plague of new vulnerabilities emerge that affected popular client-side applications including Microsoft Internet Explorer, Microsoft Word and Microsoft Excel; a large portion of these vulnerabilities were discovered through fuzzing. As a result of fuzzing being used so successfully on these mainstream products, it has received a resurgence of attention from the security community. The sheer fact that this is the first published book dedicated to the subject matter is an additional indicator that there is an increasing interest in fuzzing.

Having been involved in the vulnerability research community for years, we have used a variety of fuzzing technologies in our day to day work, ranging from hobby projects to high end commercial products. Each of the authors has been involved in the development of both privately held and publicly released fuzzers. We leveraged our combined experience and ongoing research projects to compose this bleeding edge book, which we hope you will find useful.

Intended Audience

We strongly believe that the quantity and severity of vulnerabilities will continue to grow so long as security is deemed to be the sole responsibility of a security team. As such, we have taken strong efforts to write for a larger audience than just security researchers, including both readers who are new to fuzzing and those who have already had significant experience.

It is unrealistic to believe that secure applications can emerge from the development process if development organizations simply hand completed applications to a security team for a quick audit prior to production launch. Gone are the days when a developer or a member of the QA Team can say, "security's not my problem – we have a security team that worries about that". Security must now be everyone's problem. Security must be baked into the software development lifecycle (SDLC), not brushed on at the end.

Asking the development and QA teams to focus on security can be a tall order, especially for those that have not been asked to do so in the past. We believe that fuzzing presents a unique vulnerability discovery methodology that is accessible to a wide audience due to the fact that it can be highly automated. While we are hopeful that seasoned security researchers will gain valuable insights from this book, we are equally hopeful that it will be accessible to developers and QA teams. Fuzzing can and should be an integral part of any SDLC, not just at the testing phase, but also during development. The earlier a defect can be identified, the less costly it will be to remediate.

Prerequisites

Fuzzing is a vast subject. While we cover many non-fuzzing specific basics throughout the book, a number of assumptions regarding prior knowledge have been made. Readers should have at least a basic understanding of programming and computer networking prior to taking on this book. Fuzzing is all about automating security testing so naturally much of the book is dedicated to building tools. We have purposely selected multiple programming languages for these tasks. Languages were selected according to the task at hand but this also demonstrates that fuzzing can be approached in numerous ways. It is certainly not necessary to have a background in all of the languages used but having a language or two under your belt will go a long way in helping you to get the most from these chapters.

We detail numerous vulnerabilities throughout the book and discuss how they might have been identified through fuzzing. However, it is not our goal to define or dissect the nature of the vulnerabilities themselves. Many excellent books have been written which are dedicated to this topic. If you are looking for a primer on software vulnerabilities, "Exploiting Software" by Greg Hoglund and Gary McGraw, books from the Hacking Exposed series and "The Shellcoder's Handbook" by Jack Koliol, David Litchfield, et al. are great references.

Approach

How to best leverage this book is dependent upon your background and intentions. If you are new to fuzzing, we would recommend digesting the book in a sequential manner as it has been intentionally laid out to provide necessary background information prior to moving onto more advanced topics. If however, you've already spent time using various fuzzing tools, don't be afraid to dive directly into topics of interest as the various logical sections and chapter groupings are largely independent of one another.

Part I is designed to set the stage for the specific types of fuzzing that are discussed in the remainder of the book. If you're new to the world of fuzzing, consider this to be required reading. Fuzzing can be used as a vulnerability discovery methodology for just about any target, but all approaches follow the same basic principles. In Part I we seek to define fuzzing as a vulnerability discovery methodology and detail the knowledge that will be required regardless of the type of fuzzing which is conducted.

Part II focuses on fuzzing specific classes of targets. Each target is divided across two or three chapters. The first chapter provides background information specific to the target class and the subsequent chapters focus on automation, detailing the construction of fuzzers for that particular target. Two automation chapters are provided when separate tools are deemed necessary for the Windows and UNIX platforms. For example, consider the chapter triplet on "File Format Fuzzing" starting with Chapter 11 which details background information related to fuzzing file parsers. Chapter 12, "File Format Fuzzing: Automation on UNIX" details the actual programming of a UNIX-based file fuzzer and Chapter 13, "File Format Fuzzing: Automation on Windows" details the construction of a file format fuzzer designed to run in the Windows environment.

Part III tackles advanced topics in fuzzing. For readers who already have a strong knowledge of fuzzing it may be appropriate to jump directly into Part III, while most readers will likely want to spend time in Parts I and II before moving onto these topics. In Part III we focus on emerging technologies that are just beginning to be implemented but will become critical for advanced vulnerability discovery tools that leverage fuzzing in the future.

Finally, in Part IV we reflect on what we've learned throughout the book and then peer into the crystal ball to see where we're headed in the future. While fuzzing is not a new concept, it still has plenty of room to grow and we hope that this book will inspire further research in this space.

A Touch of Humor

Writing a book is serious work, especially a book on a complex subject like fuzzing. That said, we like to have fun as much as the next person (actually probably significantly more than the average person) and have made our best effort to keep the writing entertaining. In that spirit, we decided to open each chapter with a brief quotation from the 43rd President of the United States, George W. Bush (aka Dubya). No matter what your political affiliation or beliefs may be, no one can argue that Mr. Bush has cooked up many entertaining quotes over the years, enough to fill entire calendars1 even! We've compiled some of our favorites to share with you and hope you find them as funny as we do. As you'll see throughout the book, fuzzing can be applied against a variety of targets, evidently even the English language.

About the Cover

Vulnerabilities have at times been referred to as "fish", for example see the thread on "The L Word & Fish"2 from the DailyDave security mailing list. This is a useful analogy that can be applied across the...


More About the Author

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

4.2 out of 5 stars
5 star
1
4 star
3
3 star
0
2 star
0
1 star
0
See all 4 customer reviews
Share your thoughts with other customers

Most Helpful Customer Reviews

18 of 19 people found the following review helpful By Chris Gates on July 29, 2007
Format: Paperback
I anxiously awaited reading and putting this book to use. Fuzzing is one of those "mystical" concepts that the people cranking out exploits were doing and I wanted to be able to use some of the publicly available fuzzers to fuzz for vulnerabilities and join the ranks.

From the back cover: "...Now, its your turn. In this book, renowned fuzzing experts show you how to use fuzzing to reveal weaknesses in your software before someone else does."

I thought the book excellently covered the theory portions of fuzzing. The format of theory/background of a fuzzing method (Environment Variable and Argument Fuzzing, Web Application and Server fuzzing, File Format Fuzzing, Network Protocol Fuzzing, Web Browser Fuzzing, and In-Memory Fuzzing) followed with that fuzzing method Automation or on Unix and then on Windows worked perfectly. It was a good structure and informative. The Automation or Unix and Windows sections fit in well with the theory sections before it.

I think the book falls a bit short on practical execution (case studies) of using the fuzzing tools. Granted I say this based on my own expectations of what I would like to see from a fuzzing book but also from what the authors say in the preface that we will get out of the book. They say, "We detail numerous vulnerabilities throughout the book and discuss how they might have been identifies through fuzzing." Some of the case studies are exactly what I expected like case studies in Chapter 10, the fuzzing with SPIKE section in Chapter 15, and the Complete Walkthru with Sulley in Chapter 21. Some of the others fall a bit short.
Read more ›
1 Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again
5 of 5 people found the following review helpful By Kristy M. Westphal on February 18, 2008
Format: Paperback
Perhaps a more appropriate title would be: "Fuzzing for Dummies" or "Fuzzing 101"- but I mean this in a really good way. Why I say this is because of how the book is set up, starting with the background history of fuzzing, and many variations of what fuzzing really is. These are excellent so those who may not have this background don't jump in blindly to this area. For example, Chapter 3 goes into the Fuzzing Methods and Chapter 4 discusses Data Representation. While not lengthy discussions, they are good to set up for the actual doing part in the rest of the book

I liked that the book starts out with what fuzzing is good for, the steps that you have to take for it to be successful, and what fuzzing is not good at. It explains how vectors like access control issues, and design flaws fit into this category. Knowing this up front saves a lot of head banging later on down the road. It's also good that the authors point out that they are merely defining fuzzing in their specific realm: talk to others and you are going to find a whole different explanation. This is OK though- most of the security industry is like that.

Part II of the book starts to get into the heart of things, discussing the components required for fuzzing, more details into the tool they built called "WebFuzz" and then dive into the tests themselves. The author's openness in telling us what they did, then how it works, then tell you all the things to make it better makes this book even more valuable. Good efforts to share useful things and make them a community effort with proper guidance are never a bad thing. Plus, if you are interested in helping, this guidance gives you somewhere to start.
Read more ›
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again
3 of 4 people found the following review helpful By PorcusFortunae on December 11, 2008
Format: Paperback Verified Purchase
I loved the layout of the book, with explanations, practical applications, and (mostly) working examples. There were two things I didn't like about the book. First, not all the examples worked. Specifically, the Protocol Informatics (PI) example will not run on any machine I have. When I searched for a solution, it led me to the second thing I don't like about the book: it appears the authors cribbed their section on PI from PI's own documentation. It's clear they didn't even try to run it on their own. It makes me question whether they really understand it; if not, why are they writing about it in their book? I also wonder what else they cribbed. I also wish they'd update the book's website more, as much as they refer to it in the text.

All that aside, I really did enjoy and appreciate the book as a whole, and it certainly gave me a great foundational knowledge of fuzzing.
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again
6 of 14 people found the following review helpful By Justine Aitel on August 29, 2007
Format: Paperback
In this book the authors do a number of things that are worth reading:
o Document how and why SPIKE works (and implement their own block-based fuzzer sulley)
o Go through the process of writing a .flv fuzzer
o Go through the process of writing a Python ActiveX fuzzer, which was probably my favorite part.
o Talk about the downsides of various kinds of fuzzing. For example, when is fuzzing with a genetic algorithm not the right thing to do?

That alone made this a great book.
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again