[WEB SECURITY] the difference between black box test and fuzzing test.

Rohit Pitke rohirp92 at yahoo.com
Mon Jun 20 05:42:01 EDT 2011


As an additional note, "efficient" fuzzing requires a little bit of knowledge of 
the underlying functionality/code.

For example, to write a very effective network fuzzer, you would need to know the 
protocol in and out.
Similarly, for writing a file scanning fuzzer, you would need the file format, its 
specification.

Also, as Andrew points out, often you need very deep white box analysis to 
understand the results of fuzzing. For example, if it causes a crash, then why, how, 
etc.

Rohit






________________________________
From: Andrew Petukhov <petand at lvk.cs.msu.su>
To: 孙松柏 <lukesun629 at gmail.com>
Cc: websecurity at lists.webappsec.org
Sent: Tue, June 14, 2011 11:08:11 AM
Subject: Re: [WEB SECURITY] the difference between black box test and fuzzing 
test.

"Black-box" - outlines the capabilities of a tester (i.e. provide input
and check output).
"Fuzzing" - outlines an idea for reaching the goal of testing. There
are different goals: security, acceptance, functional, etc.

So to sum things up, these are different dimensions in testing:
capabilities, the goal of testing and the technique used to reach the goal.
For example, you can imagine white-box security testing using in-memory
fuzzing with dynamic taint analysis.

Hope that helps.

Cheers,
Andrew

6/14/11 5:56 AM, 孙松柏 writes:
> Hi everyone!
> I recently write a paper about open source WAVS.
> I am confused about the fuzzing test and the black box testing.
> Can anyone tell me the similarities and differences between them?
> Thanks for your precious time!
>
> -- 
> FIT1-213
> Department of Computer Science
> Tsinghua University, Beijing, 100084
> http://about.me/anakin/bio
>
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
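
Rohit's point that a file fuzzer needs the file format, shown as an added example that is not part of the original thread. The `TOY1` container (magic, length byte, payload, checksum) and every function name here are constructed for illustration; the code compares how far format-blind and format-aware mutations get into a parser.

```python
import random
from collections import Counter

MAGIC = b"TOY1"  # constructed toy format: magic | len | payload | checksum

def build(payload: bytes) -> bytes:
    """Serialize a payload with a correct length byte and checksum."""
    return MAGIC + bytes([len(payload)]) + payload + bytes([sum(payload) % 256])

def parse(data: bytes) -> str:
    """Return the deepest parser stage the input reached."""
    if data[:4] != MAGIC:
        return "bad_magic"
    if len(data) < 6 or data[4] != len(data) - 6:
        return "bad_length"
    payload, checksum = data[5:-1], data[-1]
    if sum(payload) % 256 != checksum:
        return "bad_checksum"
    return "payload"  # only here would payload-handling code be exercised

def dumb_mutate(seed: bytes, rng: random.Random) -> bytes:
    """Format-blind: XOR one to three random bytes with a nonzero value."""
    out = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        out[rng.randrange(len(out))] ^= rng.randint(1, 255)
    return bytes(out)

def aware_mutate(seed: bytes, rng: random.Random) -> bytes:
    """Format-aware: mutate only the payload, then rebuild length and checksum."""
    payload = bytearray(seed[5:-1])
    for _ in range(rng.randint(1, 3)):
        payload[rng.randrange(len(payload))] ^= rng.randint(1, 255)
    payload += bytes(rng.randrange(256) for _ in range(rng.randint(0, 8)))
    return build(bytes(payload))

def campaign(mutate, runs: int = 2000, rng_seed: int = 1) -> Counter:
    """Count how far each mutated input gets into the parser."""
    rng = random.Random(rng_seed)
    seed = build(b"hello fuzz")  # constructed seed file
    return Counter(parse(mutate(seed, rng)) for _ in range(runs))

if __name__ == "__main__":
    print("dumb :", dict(campaign(dumb_mutate)))
    print("aware:", dict(campaign(aware_mutate)))
```

Nearly every format-blind input is rejected at the magic, length or checksum check, so the payload-handling code is rarely tested; the format-aware inputs all pass those checks.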
