websecurity@lists.webappsec.org

The Web Security Mailing List

The difference between black box test and fuzzing test

孙松柏
Tue, Jun 14, 2011 1:56 AM

Hi everyone!
I recently write a paper about open source WAVS.
I am confused about the fuzzing test and the black box testing.
Can anyone tell me the similarities and differences between them?
Thanks for your precious time!

--
FIT1-213
Department of Computer Science
Tsinghua University, Beijing, 100084
http://about.me/anakin/bio

Andrew Petukhov
Tue, Jun 14, 2011 5:38 AM

"Black-box" - outlines the capabilities of a tester (i.e. provide input
and check output).
"Fuzzing" - outlines an idea for reaching the goal of testing. There
are different goals: security, acceptance, functional, etc.

To sum things up, these are different dimensions in testing:
capabilities, the goal of testing and the technique used to reach the goal.
For example, you can imagine white-box security testing using in-memory
fuzzing with dynamic taint analysis.

Hope that helps.

Cheers,
Andrew

The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Rohit Pitke
Mon, Jun 20, 2011 9:42 AM

As an additional note, "efficient" fuzzing requires a little bit of knowledge of
the underlying functionality/code.

For example, to write a very effective network fuzzer, you would need to know the
protocol in and out.
Similarly, for writing a file scanning fuzzer, you would need the file format, its
specification.

Also, as Andrew points out, often you need very deep white box analysis to
understand the results of fuzzing. For example, if it causes a crash, then why, how,
etc.

Rohit
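
The point about format knowledge, as an added example that is not part of the original thread: a black-box harness (it only supplies input and observes output) run with a format-unaware mutator and then a format-aware one. The "RCD1" record format, the parser and all function names are constructed for illustration.

```python
import random
import struct
import zlib

MAGIC = b"RCD1"  # constructed toy format: magic | u16 length | payload | u32 CRC32

def parse(data: bytes) -> str:
    """Constructed target under test; returns the stage where parsing stopped."""
    if len(data) < 10 or data[:4] != MAGIC:
        return "bad-magic"
    (length,) = struct.unpack(">H", data[4:6])
    if len(data) != 6 + length + 4:
        return "bad-length"
    payload = data[6:6 + length]
    (crc,) = struct.unpack(">I", data[-4:])
    if zlib.crc32(payload) != crc:
        return "bad-crc"
    return "payload-parsed"  # only from here on would field-level logic run

def build(payload: bytes) -> bytes:
    """Wrap a payload in a valid header and checksum."""
    return (MAGIC + struct.pack(">H", len(payload)) + payload
            + struct.pack(">I", zlib.crc32(payload)))

def blind_mutate(seed: bytes, rng: random.Random) -> bytes:
    """Format-unaware: overwrite 1-4 random bytes anywhere in the message."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def aware_mutate(seed: bytes, rng: random.Random) -> bytes:
    """Format-aware: mutate only the payload, then rebuild length and CRC."""
    (length,) = struct.unpack(">H", seed[4:6])
    payload = bytearray(seed[6:6 + length])
    for _ in range(rng.randint(1, 4)):
        payload[rng.randrange(len(payload))] = rng.randrange(256)
    return build(bytes(payload))

def campaign(mutate, rounds: int = 2000, rng_seed: int = 1) -> dict:
    """Black-box loop: send mutated input, record only the observable result."""
    rng = random.Random(rng_seed)
    seed = build(b"name=alice;role=user")  # constructed sample record
    stages = {}
    for _ in range(rounds):
        stage = parse(mutate(seed, rng))
        stages[stage] = stages.get(stage, 0) + 1
    return stages
```

Comparing `campaign(blind_mutate)` with `campaign(aware_mutate)` shows the blind run stopping almost entirely at the magic, length and checksum checks, while every format-aware input reaches the payload stage.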

