Project Setup (JVM-Based Web Applications)

How to Set Up a Web Application Project for Fuzzing

Download an Example Project

Setting up fuzzing for Spring Boot applications is even easier than fuzzing C++ or plain Java code. First, you have to start the CI-daemon. Open a new terminal and start it with:

$ ci-daemon

Running the CI-daemon as root is not recommended since it can lead to problems when VS Code tries to connect to it. Furthermore, it is a good security practice to run software with the least privilege.

In this tutorial, we are going to use WebGoat. WebGoat is a deliberately insecure web application, maintained by OWASP, that is designed to teach web application security lessons. It demonstrates common server-side application flaws.

Download it via git:

$ git clone

While having the source code is not strictly necessary for fuzzing (a running application is enough), it makes the process easier and lets us view which lines of the code were executed during fuzzing (line coverage).

Creating the project

To set up fuzzing for web applications with CI Fuzz, open the project in VS Code.

If you have our extension installed, you can start it by clicking on our logo in the left sidebar. This will lead you from VS Code’s file browser sidebar to our CI Fuzz sidebar.

From here you can create the fuzzing project by clicking “Create Fuzzing Project”.

If you want to fuzz HTTP requests (recommended where possible), you can use out-of-process fuzzing and start your software under test separately. A quick setup is possible by selecting "Setup project for web application fuzzing". This will create a project without a Docker image and without a build script, neither of which is needed for out-of-process fuzzing.

If you also want to fuzz Java API methods directly in the same project, leave it unselected and follow the steps in the Java API fuzzing documentation. A project created for Java API fuzzing can also be used for out-of-process fuzzing of web applications.
