Google Home-Brews Powerful Automatic Scanning Fuzzer

By Lisa Vaas  |  Posted 2007-07-18

Updated: Google's security team is home-brewing a powerful combination scanner and fuzzing tool.

Google's security team is home-brewing a powerful combination scanner and fuzzing tool that experts say will be unique outside of the commercial domain. In a posting on the Google security team's blog, Srinath Anantharaju said on July 16 that the security team has been working on a black-box fuzzing tool called Lemon, in the spirit of the word as it's used to denote defective products. Fuzz testing, or fuzzing, is a black-box software testing technique in which malformed data is injected automatically to find implementation bugs in code. In particular, Google is targeting XSS (cross-site scripting) bugs, according to Anantharaju.
As it is, there are numerous open-source fuzzing tools. OWASP (the Open Web Application Security Project) supplies three fuzzers and also hosts links to dozens more, for example.
But Lemon more closely resembles a commercial product in that it not only fuzzes applications but scans them as well. "[Lemon is] not just doing fuzzing through fault injection," as do other open-source fuzzers, said Danny Allan, director of security research for Web application security software and services firm Watchfire. "[Google] also created a scanner, so [the tool] understands input, and [they're] fuzzing on top of it. That doesn't exist in the open-source domain. However, that's what commercial tools, including Watchfire's, already do."
Open-source fuzzers, in fact, can be automated to do "weak" crawling, Allan said, but the combination of the two is "very weak" in open-source fuzz tools now available, he said. "You have to manually point to a particular parameter you want to fuzz. … It looks like they've taken it to the next step."
Used by an organization to find its own security holes, fuzzing is a useful tool, Allan said. But in the hands of an attacker, a fuzzer can become a weapon. "What they're building, they're looking for XSS [flaws]," which is a laudable goal, Allan said—Watchfire itself has found a few XSS bugs in Google Desktop. "All [XSS bugs] are vulnerabilities. Used by an organization on themselves, that's a very useful tool. But if I'm a malicious individual, I use it to find vulnerabilities on someone else."
Scanning and fuzzing in particular is a very powerful combination that, when put into the hands of attackers, could facilitate attacks, he said; the scanner/fuzzer combo doesn't just spew malicious code arbitrarily—it also knows where to spew it. But that is exactly what Google is working on. According to Anantharaju, Google's testing tool goes beyond a typical fuzz tester, which supplies inputs designed to trigger and expose flaws in an application.
Lemon also enumerates an application's URLs and corresponding input parameters and then iteratively supplies fault strings designed to expose XSS and other vulnerabilities to each input, analyzing the resulting responses to dig out the bugs. "Although it started out as an experimental tool, it has proved to be quite effective in finding XSS problems," Anantharaju said.
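The scan-then-fuzz loop described above, as an added example for testing one's own application; it is not Lemon's code, which the article does not show. The in-process `toy_app`, the inert `PROBE` marker and all function names are constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Inert marker (assumption): no script, only characters that output encoding must escape.
PROBE = 'lemonprobe<"\'>'

def toy_app(path, params):
    """Constructed stand-in for the application under test."""
    if path == "/":
        return ('<a href="/search?q=tea">search</a> '
                '<a href="/greet?name=bob&amp;locale=en">greet</a>')
    if path == "/search":   # q is HTML-escaped before output
        return "<p>Results for %s</p>" % html.escape(params.get("q", ""))
    if path == "/greet":    # name is echoed raw (the planted bug); locale is escaped
        return "<p>Hello %s (%s)</p>" % (params.get("name", ""),
                                         html.escape(params.get("locale", "")))
    return ""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def enumerate_inputs(start="/"):
    """Scan step: crawl links and record {path: {param: sample_value}}."""
    seen, queue, inputs = set(), [start], {}
    while queue:
        parts = urlsplit(queue.pop())
        params = dict(parse_qsl(parts.query))
        if params:
            inputs.setdefault(parts.path, {}).update(params)
        if parts.path in seen:
            continue
        seen.add(parts.path)
        collector = LinkCollector()
        collector.feed(toy_app(parts.path, params))
        queue.extend(collector.links)
    return inputs

def find_unescaped_reflections(inputs):
    """Fuzz step: put PROBE in one parameter at a time, flag raw reflections."""
    findings = []
    for path, params in sorted(inputs.items()):
        for name in sorted(params):
            if PROBE in toy_app(path, dict(params, **{name: PROBE})):
                findings.append((path, name))
    return findings
```

Each finding names a parameter whose handler needs output encoding; parameters that are already escaped return the marker in entity form and are not reported.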

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
