How to qualify good initial targets to fuzz with Mayhem

Welcome to our Mayhem Tips and Tricks series! Our goal is to help you learn about the best features of Mayhem in small bite-size chunks. Today, we will explain how you can qualify good initial targets to fuzz with Mayhem.

So you’re ready to fuzz, but not sure if your target is the right fit? Look no further! Not all targets are created equal, and some might be easier to fuzz than others. Below are a few considerations to keep in mind when selecting and evaluating your first targets.

Security Testing Pipelines:
If you’re in DevOps/DevSecOps and you’re fuzzing your organization’s own codebases, then some of the easiest applications to start fuzzing are applications that are already in your existing build/test pipelines. These codebases usually have a number of other security checks being run on them already - meaning that a lot of the usual limitations when it comes to testing applications have already been addressed. These are typically important or critical applications, under source control, with significant dependency management or containerization already in place. While there are always outliers, in general your test pipelines are a great place to start looking for targets to fuzz. Plus, when you do finally move from manual fuzzing to automated fuzzing, the infrastructure is already in place.

Containerized Applications:
If the application isn’t already in a testing pipeline, containerization makes it very easy to do so. Barring a few language limitations (Mayhem supports C/C++, Rust, Go, Java, Ada, and Python), an already containerized target likely doesn’t need much done to it to start fuzzing, which makes it a great candidate for both DevSecOps and third-party pen-testers alike. Plus, Mayhem supports Dockerfile ingest, meaning that you can manage your own registry and kick off containerized runs directly from the Mayhem UI.

Reading Input:
A target is a great candidate for Mayhem if, unchanged, its default behavior is to read from a file or other input. This allows you to very easily specify corpora and fuzz the target without any changes. Mayhem supports targets that read from STDIN, files, TCP, UDP, and Unix domain sockets. If it’s not that simple for your target, Mayhem will likely still be able to fuzz it, it just might require a bit of additional configuration first.

Another consideration should be the importance that the application has for your organization. In general, it’s wise to focus on critical or user-facing applications first. While it might be easier to stand-up a test application or placeholder, it ultimately provides little value and doesn’t accurately represent the effort needed to fuzz real-world applications. For pen-testers, you likely have less say in this matter as it will depend on what the client wants you to test.

Application Size:
Since Mayhem works by repeatedly running the target on a newly generated input, fuzzing works best on targets that execute quickly. Consider selecting targets that are fairly small in memory footprint and size, as this will result in a quicker execution time and faster result generation.

Below you can find a simple flow chart that can help you evaluate how quickly you can get your target up and running with Mayhem, or if you need to make a couple of modifications first:

target-evaluation-flowchart.jpg\ 500x282

We hope that you found this Tips and Tricks article helpful.