How to Set Up a Web Application Project for Fuzzing
This guide describes the following workflow:
- Set up a web app fuzzing project using the CI Fuzz local installation on your computer.
- Run fuzzing locally, improve your fuzz tests, and debug and fix findings.
- Push the fuzzing project to a Git repository.
- Set up the fuzzing project on a CI Fuzz server using the CI Fuzz Web Interface.
This approach is great if you already have a way to run your web application locally and you want to start experimenting with your fuzz tests quickly.
It is also possible to skip the local installation altogether and use only the CI Fuzz server together with an online Git repository. That approach requires less time and effort to go from zero to integrating fuzzing into CI/CD. It is described here.
Download an Example Project
Setting up fuzzing for Spring Boot applications is even easier than fuzzing C++ or plain JVM-based code. First, you have to start the CI-Daemon. Open a new terminal and start it with:
Running the CI-Daemon as root is not recommended, since it can lead to problems when VS Code tries to connect to it. Furthermore, it is good security practice to run software with the least privilege it needs.
In this tutorial, we are going to use WebGoat. WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. It is a demonstration of common server-side application flaws.
Download it via git:
$ git clone https://github.com/WebGoat/WebGoat.git
While having the source code is not strictly necessary for fuzzing (a running application is enough), it makes the process easier: with the sources available, we can see which lines of code were executed during fuzzing (line coverage).
Creating the project
To set up fuzzing for Web Applications with CI Fuzz, open the project in VS Code.
If you have our extension installed, you can start it by clicking on our logo in the left sidebar. This switches you from VS Code's file browser sidebar to our CI Fuzz sidebar:
From here you can create the fuzzing project with a click on "Create Fuzzing Project".
If you want to fuzz HTTP requests (recommended where possible), you can use out-of-process fuzzing and start your software under test separately. A quick setup is possible by selecting "Setup project for web application fuzzing". This creates a project without a Docker image and without a build script, neither of which is needed for out-of-process fuzzing.
If you also want to fuzz Java API methods directly in the same project, leave that option unselected and follow the steps in the Java API fuzzing documentation. A project created for Java API fuzzing can also be used for out-of-process fuzzing of web applications.
Read next: Connecting Web Applications