Hi everyone!
I recently wrote a paper about open source WAVS.
I am confused about the fuzzing test and the black box testing.
Can anyone tell me the similarities and differences between them?
Thanks for your precious time!
--
FIT1-213
Department of Computer Science
Tsinghua University, Beijing, 100084
http://about.me/anakin/bio
"Black-box" - outlines the capabilities of a tester (i.e. provide input
and check output).
"Fuzzing" - outlines an idea for reaching the goal of testing. There
are different goals: security, acceptance, functional, etc.
So, to sum things up, these are different dimensions in testing:
capabilities, the goal of testing and the technique used to reach the goal.
For example, you can imagine white-box security testing using in-memory
fuzzing with dynamic taint analysis.
Hope that helps.
Cheers,
Andrew
6/14/11 5:56 AM, 孙松柏 wrote:
Hi everyone!
I recently wrote a paper about open source WAVS.
I am confused about the fuzzing test and the black box testing.
Can anyone tell me the similarities and differences between them?
Thanks for your precious time!
--
FIT1-213
Department of Computer Science
Tsinghua University, Beijing, 100084
http://about.me/anakin/bio
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
As an additional note, "efficient" fuzzing requires a little bit of knowledge of
the underlying functionality/code.
For example, to write a very effective network fuzzer, you would need to know the
protocol inside and out.
Similarly, for writing a file-scanning fuzzer, you would need the file format and its
specification.
Also, as Andrew points out, often you need very deep white box analysis to
understand the results of fuzzing. For example, if it causes a crash, then why, how,
etc.
Rohit
From: Andrew Petukhov petand@lvk.cs.msu.su
To: 孙松柏 lukesun629@gmail.com
Cc: websecurity@lists.webappsec.org
Sent: Tue, June 14, 2011 11:08:11 AM
Subject: Re: [WEB SECURITY] the different between black box test and fuzzing
test .
"Black-box" - outlines the capabilities of a tester (i.e. provide input
and check output).
"Fuzzing" - outlines an idea for reaching the goal of testing. There
are different goals: security, acceptance, functional, etc.
So, to sum things up, these are different dimensions in testing:
capabilities, the goal of testing and the technique used to reach the goal.
For example, you can imagine white-box security testing using in-memory
fuzzing with dynamic taint analysis.
Hope that helps.
Cheers,
Andrew
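The point made in the thread about needing the file format for an effective file fuzzer, as an added example that is not part of the original messages. The `TOY1` format, its parser and every function name below are constructed for illustration; the block compares how deep a format-blind mutator and a format-aware one get into the same parser.

```python
import random
import struct
import zlib

MAGIC = b"TOY1"  # constructed toy format: magic | length | crc32 | body

def parse(data):
    """Toy parser (constructed). Returns the deepest stage the input reached."""
    if len(data) < 12 or data[:4] != MAGIC:
        return "rejected:header"
    length, crc = struct.unpack(">II", data[4:12])
    body = data[12:]
    if length != len(body):
        return "rejected:length"
    if zlib.crc32(body) != crc:
        return "rejected:checksum"
    return "body_parsed"  # only inputs that get here exercise the body logic

def build(body):
    """Wrap a body in a valid header (needs knowledge of the format)."""
    return MAGIC + struct.pack(">II", len(body), zlib.crc32(body)) + body

def mutate_bytes(data, rng):
    """Overwrite 1 to 4 random bytes with random values."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def campaign(n=2000, seed=1):
    """Run both strategies n times; return per-strategy stage counts."""
    rng = random.Random(seed)
    body = b"name=alice;role=user;quota=10"  # constructed sample body
    strategies = {
        # format-blind: mutate the whole file, header fields included
        "dumb": lambda: mutate_bytes(build(body), rng),
        # format-aware: mutate the body, then recompute length and checksum
        "aware": lambda: build(mutate_bytes(body, rng)),
    }
    results = {}
    for name, generate in strategies.items():
        stages = {}
        for _ in range(n):
            stage = parse(generate())
            stages[stage] = stages.get(stage, 0) + 1
        results[name] = stages
    return results

if __name__ == "__main__":
    for name, stages in campaign().items():
        print(name, stages)
```

Almost every format-blind input is discarded at the header or checksum check, so the body-handling code is barely tested; the format-aware inputs all reach it.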