CAPEC-28: Fuzzing

In this attack pattern, the adversary leverages fuzzing to try to identify weaknesses in the system. Fuzzing is a software security and functionality testing method that feeds randomly constructed input to the system and looks for an indication that a failure in response to that input has occurred. Fuzzing treats the system as a black box and is totally free from any preconceptions or assumptions about the system. Fuzzing can help an attacker discover certain assumptions made about user input in the system. Fuzzing gives an attacker a quick way of potentially uncovering some of these assumptions despite not necessarily knowing anything about the internals of the system. These assumptions can then be turned against the system by specially crafting user input that may allow an attacker to achieve their goals.

Medium

Typical severity

Per MITRE

High

Likelihood of attack

Per MITRE

Related weaknesses

CWEs this targets

CAPEC-28: Fuzzing

Overview

How the attack works

What the attacker needs

Skills required

Resources required

Consequences

How to mitigate it

How to detect it

Examples

Frequently asked questions

What is CAPEC-28?

How does a Fuzzing attack work?

How do you prevent CAPEC-28?

What weaknesses does CAPEC-28 target?

How severe is CAPEC-28?

References

Defend against CAPEC-28