Creating a Web Application Fuzz Test

To create a fuzz test for a Spring Boot application, go to the sidebar menu in the dashboard and click on the “Add Fuzz Test” button.

(Screenshot: Add Fuzz Test)

From the list, choose Web App Fuzz Test.

After selecting it, you will be forwarded to the second step, where you can name the new fuzz test and specify which web services you want to test. In the case of WebGoat, there is only one.

By default, the automatically generated fuzz test will test all the endpoints detected during the analysis phase, which runs at the beginning of fuzzing. For Spring Boot applications, this analysis will usually work out of the box. If you are not using Spring Boot, please see Application Analysis for more info.

Click Save, then Run. After a few seconds, the status of the fuzz test should be Running:

(Screenshot: Run a Fuzz Test)

This assumes that your application is running on http://127.0.0.1:8080. If this is not the case, open the configuration file of your fuzz test in .code_intelligence/fuzz_targets:

(Screenshot: application running a fuzz test)

Uncomment base_url and adjust it accordingly, then run the fuzz test.

After a few minutes, click on the fuzzing run:

(Screenshot: fuzzing metrics)

3 unique corpus inputs means that the fuzzer has found only 3 distinct code execution paths in the application. This is a very low number. It happens because the application rejects most requests, since they are not authenticated.

Initial Requests

If your web application uses authentication, you can configure CI Fuzz to authenticate before it starts fuzzing. You can do this by defining the requests that have to be made to successfully log in to the application. The options for doing this are described below.

Here we can add a request to register a user and a login request, one below the other (the Content-Length header of each request must match the length of its body). Both will be sent before fuzzing starts, so we don't have to rely on the user already existing or not existing. Any cookie that the fuzzer receives in a response will then be used during fuzzing.

Now we can run fuzzing again.

(Screenshot: improved fuzzing metrics)

That's better!

For other authentication methods, see configure-http-headers.

Seed Requests

During initialization, CI Fuzz scanned all the endpoints that your application offers. This scan identifies the types of requests that each endpoint expects, which allows CI Fuzz to craft valid requests against the application's endpoints and fuzz only the interesting parts of those requests (e.g., only parameter values, not parameter names). This smart fuzzing approach allows you to reach code deep inside your application's business logic. If you want to modify or add requests, you can edit the request templates (method, URI, headers, and body) of the selected fuzz test.

These can be found in .code_intelligence/<your fuzz test name>_seed_corpus directory.

(Screenshot: set seed request for fuzzing)

The Host header is ignored by CI Fuzz, but if you install the REST Client VS Code extension you can adjust it and send the requests from the editor to check that they are valid.
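To make the "fuzz only parameter values, not parameter names" idea concrete, here is an added example (not CI Fuzz's own code and not how its engine is implemented): it parses a seed request template of the kind kept in the seed corpus into method, URI, headers and body, and then derives variants of the URI in which exactly one query parameter value is replaced while every parameter name and the path stay intact, so each variant still routes to the same endpoint. The seed request, its /search endpoint and the sample values are constructed for illustration.

```python
"""Parse a raw HTTP seed request and mutate only its parameter values.

Added example with a constructed seed template; the /search endpoint and
its parameters are hypothetical.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed seed request template, in the same raw-HTTP shape as the
# templates in .code_intelligence/<fuzz test name>_seed_corpus.
SEED_REQUEST = (
    "GET /search?q=apple&page=1 HTTP/1.1\r\n"
    "Host: 127.0.0.1:8080\r\n"
    "Accept: application/json\r\n"
    "\r\n"
)

# Sample replacement values; a fuzzer would draw these from its engine.
SAMPLE_VALUES = ["", "-1", "A" * 64]


def parse_seed(text: str) -> dict:
    """Split a raw request into method, URI, headers and body."""
    head, _, body = text.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body}


def parameter_names(uri: str) -> list:
    """Names of the query parameters, in order; these are never mutated."""
    return [name for name, _ in parse_qsl(urlsplit(uri).query, keep_blank_values=True)]


def mutate_values(uri: str, values: list) -> list:
    """Return one URI per (parameter, value) pair, changing only that value.

    Keeping names and path fixed is what lets the request reach the handler
    behind the endpoint instead of being rejected by routing or binding.
    """
    parts = urlsplit(uri)
    params = parse_qsl(parts.query, keep_blank_values=True)
    variants = []
    for index, (name, _) in enumerate(params):
        for value in values:
            mutated = list(params)
            mutated[index] = (name, value)
            variants.append(urlunsplit(parts._replace(query=urlencode(mutated))))
    return variants


def mutated_requests(seed_text: str, values: list) -> list:
    """Re-serialize the seed with each mutated URI; headers and body unchanged."""
    seed = parse_seed(seed_text)
    header_block = "".join(f"{k}: {v}\r\n" for k, v in seed["headers"].items())
    return [f"{seed['method']} {uri} {seed['version']}\r\n{header_block}\r\n{seed['body']}"
            for uri in mutate_values(seed["uri"], values)]


if __name__ == "__main__":
    for request in mutated_requests(SEED_REQUEST, SAMPLE_VALUES):
        print(request.split("\r\n", 1)[0])
```

Running the block prints the request line of each variant; all of them keep the parameter names q and page and the path /search, which is the property the smart fuzzing approach relies on.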