"The Codenomicon tools are amazing. Using them is like being attacked by the most relentless adversary who uses every possible method to find flaws in your code
We fixed subtle crash bugs in Samba that had been in the code for over ten years. We would never have found those bugs without the Codenomicon tools.
If you're serious about implementing protocols correctly, you need the Codenomicon tools."
-- Jeremy Allison,
Co Creator of Samba
Codenomicon offers fuzz testing solutions for application testing. If an application communicates with the outside world in one way or another, it can be fuzzed. It is just a question of finding out what the application does, what kind of input it consumes and how it communicates with the outside world. All that is needed for fuzzing the application is an external communication interface!
Are you developing web applications?
- Take a look at our web application page, or
- download our article on web application fuzzing, published in the April 2012 issue of Test Magazine.
Fuzz it like you mean it - Fuzz-o-matic
Codenomicon's Fuzz-o-Matic offers application fuzz testing as a service (TaaS). Fuzz anywhere, early on in the development process, get only relevant results and remediate on time. Access your test results through your browser anywhere!
Testing as a Service essentially means that you upload the files you want tested and get the results. You don't need to know how to use any tools other than a web browser. Security testing has never been easier!
Web application test suite
To respond to the growing need for web application testing tools, Codenomicon has released the new Defensics Web Application Test Suite, made specifically for testing web applications. Web Application Test Suite supports multiple formats over HTTP: HTML, URL-encoded POSTs, JSON and multipart MIME. It does not replace HTTP Server Suite, but complements it. Use HTTP Server Suite to test the HTTP server and Web Application Test Suite to ensure the robustness of the web application running behind the HTTP server.
With Defensics Web Application Test Suite it is possible to proactively find and fix web application vulnerabilities, improve robustness and prevent problems.
Websocket protocol test suite
The WebSocket Protocol is a new technology that will improve and simplify real-time communication between browsers and web servers. It provides a bidirectional communication mechanism over a single TCP connection.
The problem with new technologies is that they typically have lots of unknown vulnerabilities. More mature technologies have had loads of people using them for years, finding and reporting the problems - new technologies do not have this advantage. To ensure robust implementations, it is essential to test the new technologies for vulnerabilities.
Codenomicon WebSocket Server Test Suite can be used for testing a WebSocket server, covering both the protocol implementation and the payload that goes over WebSocket. For testing the protocol implementation, the suite has test cases for different types of WebSocket messaging, such as the WebSocket handshake, data frames and control frames. The WebSocket payload is service specific, so there are no ready-made test cases available. Instead, the Test Suite creates test cases from sample data. Currently supported data types are text, binary and JSON.
One man's application is another man's input
Traditional protocol model based fuzzers are not always the best choice for application fuzzing. Codenomicon offers a wide variety of tools that can be used for application fuzzing; it is up to you to pick the right one for your needs:
- Universal fuzzer. One excellent way to fuzz test an application is a file fuzzer. An application that is used to view and edit photographs, for example, can easily be fuzz tested using malformed picture files, while distorted mp3 files will take care of a music application.
- Traffic capture fuzzer. It is also worthwhile to look at what kind of network traffic the application sends and receives. There may be registration information, software updates, or even social media plugins that produce a large number of different messages you can fuzz.
- Defensics for XML. XML is not a protocol in itself, but a versatile method for describing structures. It can be used for almost any purpose, hence its popularity in modern protocols, file formats and applications. There is hardly an industry where XML is not used. If the tested application uses XML, it is definitely worthwhile to do a bit of XML fuzzing.
- Protocol / application specific fuzzers. If the tested application interacts with open, standards-based interfaces (such as HTTP or vCard, for example), the best testing coverage is achieved with a specification-based fuzzing tool designed to target the particular protocol used.
Contact us! Send us an email at firstname.lastname@example.org to learn more about application fuzzing options.