What is Fuzzer in Reverse Engginering

FUZZER IN REVERSE ENGINERRING

fuzzer is to test for the existence of vulnerabilities that areaccessible via input in software applications. Hence, a fuzzer must generate test datawhich should, to some degree, enumerate the target input space which can then bepassed to the target application input.Test data can either be generated in its entirety prior to testing.

Who Might Use Fuzzing ???

Anyone who has access to an application can fuzz it. Access to the source code is not required. Compared to other vulnerability discovery methodologies, very little expertise is required (at least to identify basic defects). Additionally, implementation is comparatively fast - an experienced user of fuzzers can, in some cases, initiate fuzzing an application in a matter of minutes. As a result of the comparatively low barrier to entry in terms of investment of time, understanding of the application and software in general, and access to thesource code, a number of different parties may benefit from fuzzing.

The Legality of Fuzz Testing

In general, black box security testing is not illegal, since most anti-reverse engineeringlaw is based on forbidding unwarranted examination of intellectual property, usuallyachieved via disassembly and reverse engineering of internal functioning. Since blackbox testing is merely concerned with input/output analysis, it might be argued thatit does not break user licensing agreements, or intellectual property law since thereis no attempt to understand the business logic of the application.

That said, since the objective of black box testing is to discover application failurestates, some of which may be exploitable, it could also be argued that the legality of such testing depends on the motivation of the tester and the actions taken after vulnerabilities are discovered. In this interpretation, the action the tester takes afterdiscovery of a vulnerability is critical to determining their legal position. There is amoral and legal imperative to act responsibly with information regarding vulnerabili-ties, and anyone undertaking any form of software security testing should be preparedto justify their actions or risk prosecution.