In keeping with our new tradition of crowdsourcing pen testing tool list topics (like this cloud pen testing list), we again put out our feelers on Twitter, Reddit, and LinkedIn to see what our next blog should be. Although this competition was a close one, it became clear that a blog post on fuzzing tools was the winner. So without any further ado, let’s get to the good stuff.
We’ll launch another poll very soon! Please vote when you see it.
Creator: The LLVM Project
Why We Like It: LibFuzzer offers the user coverage-guided fuzzing and provides immediate support for address sanitizers. It’s important to note that LibFuzzer needs to be integrated into an application or library in order for it to work. And if you’re performing black-box testing out of the box, LibFuzzer won’t be the fuzzer for the job.
Check out CVE-2017-3732, which was discovered using LibFuzzer.
Creator: Michał Zalewski (@lcamtuf)
Why We Like It: AFL is another classic fuzzer – we couldn’t not include this popular tool. It’s been used to identify many well-known security bugs; you can see a comprehensive list here. According to creator Michał Zalewski, this fuzzer was specifically designed to be a tool for practical use, and its ease of use directly correlates with its popularity.
Creator: Google
Why We Like It: Although somewhat similar to AFL, this fuzzer is still worth exploring due to its speed, capability, and versatility. And its CV is impressive; as Google states, “The only (to the date) vulnerability in OpenSSL with the critical score mark was discovered by honggfuzz.” Read about that particular security issue here.
Creator: Joshua Pereyda
Why We Like It: Boofuzz was built with one goal, and that was to “fuzz everything.” It’s the descendant of the Sulley fuzzing framework, but boofuzz was designed as a new-and-improved version of Sulley (you might actually recognize Sulley and Boo as characters from the Disney film “Monsters, Inc.”). Its enhancements include an easier install experience, fewer bugs, and better recording of test data.
Creator: ffuf
Why We Like It: FFUF’s strength is its “blazing fast speed.” Although it only does web fuzzing, if you need a fuzzer to work quickly, this is the tool for you! Also, fun fact: FFUF stands for “fuzz faster you fool.”
Creator: Secure Mobile Networking Lab
Why We Like It: ToothPicker is a fuzzer designed for fuzzing iOS environments. The creators of this fuzzer successfully used it to detect a zero-click RCE bug in iOS (fixed in iOS 13.5). That alone speaks to its prowess. Additionally, you can adapt ToothPicker to target any platform running FRIDA.
Watch this presentation by Dennis Heinze to get a closer look at ToothPicker:
Creator: Nathan Voss/Battelle
Why We Like It: In short, this fuzzer is a “Unicorn mode” for AFL. This fuzzer requires emulating your code via Unicorn Engine, which is a multi-platform, multi-architecture CPU emulator framework. If you can emulate your code with Unicorn Engine, you can fuzz it with afl-unicorn. As creator Nathan Voss writes in “afl-unicorn Part 2: Fuzzing the Unfuzzable,” “Afl-unicorn bridges the gap between the thoroughness of fully manual research (i.e. reading disassembly/source) and the unmatched ease-of-use of AFL.”
Creator: Google (again)
Why We Like It: It’s not the only Python-centric fuzzer out there (see PythonFuzz for example), but this coverage-guided Python fuzzing engine is one of the more powerful ones available. Google advises using Atheris in tandem with Address Sanitizer or Undefined Behavior Sanitizer when fuzzing native code, so as to detect additional security issues. Curious to see an example of a high-severity bug found with this fuzzer? Go here.
Creator: Code Intelligence
Why We Like It: It’s fitting to close with another potent fuzzer. CI Fuzz touts its ability to merge the best of these testing methods: Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Interactive Application Security Testing (IAST). Allegedly, this makes CI Fuzz a powerful way to find deep-rooted vulnerabilities and reduce false positives in the process. But don’t just take their word for it; take a look at this impressive list of CVEs found with CI Fuzz! (Note: This fuzzer is actually a paid product, as opposed to other entries on our list.)
Can’t get enough fuzzing in your life? We compiled some additional resources below, including a few from Bishop Fox’s Matt Keeley.