
The Test Manager will ensure fuzz testing is included in the test plans and procedures and performed for each application release based on application exposure.


Overview

Finding ID: V-16831
Version: APP5100
Rule ID: SV-17831r1_rule
IA Controls: DCSQ-1
Severity: Low
Description
Fuzzing, or fuzz testing, is where the application is provided invalid, unexpected, or random data. Poorly designed and coded applications will become unstable or crash altogether. Properly designed and coded applications will reject improper data and remain stable. Fuzz testing can quickly and simply uncover coding errors, which is why it is popular with hackers.
STIG: Application Security and Development Checklist
Date: 2013-07-16

Details

Check Text ( C-17830r1_chk )
Fuzz testing, or fuzzing, is a software testing technique that provides unexpected or random data, called fuzz, to the inputs of an application to discover vulnerabilities.

Automated fuzz testing tools or fuzzers identify vulnerabilities and indicate potential causes. This information is often used by malicious hackers to help in determining methods to attack a target system.

Fuzzers can sometimes help identify buffer overflows, cross-site scripting, denial of service, format bugs, and SQL injection attacks.

The following website provides an overview of fuzz testing and examples:
http://www.owasp.org/index.php/Fuzzing

Ask the application representative to provide test procedures and results to ensure they are updated to include fuzz testing procedures.

1) If these test procedures and results do not include fuzz testing, it is a finding.
Fix Text (F-17148r1_fix)
Perform fuzz testing.
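
The sketch below is an added example, not part of the STIG text: a small seeded fuzz harness that feeds invalid, truncated, and random input to two constructed parsers and records whether each input was accepted, cleanly rejected, or caused an unhandled exception. The record format, parser names, and result fields are assumptions made for illustration.

```python
import random
import struct

class Rejected(ValueError):
    """Clean refusal of improper data (the stable behaviour the check expects)."""

def parse_fragile(data: bytes):
    # Constructed target: trusts the header size and the length field.
    kind, length = struct.unpack_from(">BH", data)  # struct.error on short input
    payload = data[3:3 + length]
    return kind, payload[length - 1]                # IndexError on a bad length

def parse_hardened(data: bytes):
    # Same format, but every assumption is validated before use.
    if len(data) < 3:
        raise Rejected("short header")
    kind, length = struct.unpack_from(">BH", data)
    if length == 0 or len(data) != 3 + length:
        raise Rejected("length field does not match payload")
    return kind, data[-1]

def mutate(seed: bytes, rng: random.Random) -> bytes:
    choice = rng.randrange(3)
    if choice == 0:                                  # invalid: flip one bit
        buf = bytearray(seed)
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        return bytes(buf)
    if choice == 1:                                  # unexpected: truncate
        return seed[:rng.randrange(len(seed))]
    return bytes(rng.randrange(256) for _ in range(rng.randrange(16)))  # random

def fuzz(target, runs: int = 2000, rng_seed: int = 1) -> dict:
    rng = random.Random(rng_seed)                    # fixed seed: repeatable results
    valid = struct.pack(">BH", 1, 4) + b"abcd"       # constructed valid record
    result = {"accepted": 0, "rejected": 0, "crashed": 0, "crash_types": set()}
    for _ in range(runs):
        try:
            target(mutate(valid, rng))
            result["accepted"] += 1
        except Rejected:
            result["rejected"] += 1
        except Exception as exc:                     # instability: record as a defect
            result["crashed"] += 1
            result["crash_types"].add(type(exc).__name__)
    return result

if __name__ == "__main__":
    for target in (parse_fragile, parse_hardened):
        print(target.__name__, fuzz(target))
```

The per-release counts and crash types from a run like this are the kind of result a reviewer can look for alongside the documented test procedure.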