Web application fuzz testing

Abstract

Security is very important aspect of a web application. Therefore security testing is needed to find vulnerabilities on web applications. One of security testing technique is fuzz testing. Fuzz testing or fuzzing is a software testing technique done by giving a set of invalid inputs to the application under test. Fuzz testing is usually done by a tool. In fuzz testing for web application, a set of HTTP requests will be sent to the application under test in order to see how the application behaves when getting various inputs. It would be better if fuzz testing for web application can run automatically on certain conditions. In this research, we develop a platform and tools for web application fuzz testing automation that can be integrated to Jenkins. The tool has been tested on web applications with known vulnerabilities. In 13 of the 15 test cases, the tool can successfully found the presence of vulnerabilities. Based on the results, most vulnerabilities can be detected based on HTTP response content.