
Our Top 9 Favorite Fuzzers



In keeping with our new tradition of crowdsourcing pen testing tool list topics (like this cloud pen testing list), we again put out our feelers on Twitter, Reddit, and LinkedIn to see what our next blog should be. Although this competition was a close one, it became clear that a blog post on fuzzing tools was the winner. So without any further ado, let’s get to the good stuff.

We’ll launch another poll very soon! Please vote when you see it.


Fuzzers to Add to Your Pen Testing Toolkit

#1 – LibFuzzer

Creator: The LLVM Project

Why We Like It: LibFuzzer offers coverage-guided, in-process fuzzing and works with AddressSanitizer (and LLVM's other sanitizers) out of the box. It’s important to note that LibFuzzer needs to be integrated into the application or library under test in order to work. If you’re performing black-box testing against a binary you can’t rebuild, LibFuzzer won’t be the fuzzer for the job.

Check out CVE-2017-3732, which was discovered using LibFuzzer. And watch a video of the fuzzer in action below!

#2 – American Fuzzy Lop (AFL, AFL++)

Creator: Michał Zalewski (@lcamtuf)

Why We Like It: AFL is another classic fuzzer – we could not leave out this popular tool. It’s been used to identify many well-known security bugs; you can see a comprehensive list here. According to creator Michał Zalewski, this fuzzer was specifically designed to be a tool for practical use, and its ease of use directly correlates with its popularity.
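To make the difference between the two integration styles above concrete (LibFuzzer must be linked into the code under test, while AFL drives an ordinary program that reads its input from a file or stdin), here is an added example that is not from the Bishop Fox post, the LLVM project, or AFL. It wraps one constructed tag-length-value parser in both harnesses. `LLVMFuzzerTestOneInput` is the real LibFuzzer entry point and the `-fsanitize=fuzzer,address` and `afl-clang-fast` build commands are real; the TLV format, the `AFL_MAIN` macro, and the sample inputs are the editor’s own assumptions for illustration.

```c
/* Added example (not from the Bishop Fox post, LLVM, or AFL): one in-process
 * target exposed both as a LibFuzzer entry point and as an AFL-style driver.
 * Build for LibFuzzer:  clang -g -O1 -fsanitize=fuzzer,address harness.c
 * Build for AFL++:      afl-clang-fast -g -fsanitize=address -DAFL_MAIN harness.c
 * The TLV record format, the AFL_MAIN macro, and all sample inputs are
 * constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy tag-length-value record: [tag:1][len:1][value:len], repeated.
 * Returns the number of records parsed, or -1 on a malformed buffer.
 * Every read is bounds-checked against `size`; removing one of these
 * checks is exactly the kind of defect ASan reports during fuzzing. */
int parse_tlv(const uint8_t *data, size_t size, uint32_t *checksum_out)
{
    size_t off = 0;
    int records = 0;
    uint32_t sum = 0;
    uint8_t value[255];

    while (off < size) {
        if (size - off < 2)              /* need both tag and length bytes */
            return -1;
        uint8_t tag = data[off];
        uint8_t len = data[off + 1];
        off += 2;
        if (len > size - off)            /* value would run past the buffer */
            return -1;
        memcpy(value, data + off, len);  /* len <= 255, fits the stack buffer */
        for (size_t i = 0; i < len; i++)
            sum = sum * 31u + value[i] + tag;
        off += len;
        records++;
    }
    if (checksum_out)
        *checksum_out = sum;
    return records;
}

/* LibFuzzer entry point: the engine calls this in-process with each
 * generated input. It always returns 0; crashes and sanitizer reports
 * are the signal, not the return value. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    uint32_t cs;
    (void)parse_tlv(data, size, &cs);
    return 0;
}

#ifdef AFL_MAIN
/* AFL-style driver: the fuzzer hands the input as a file path (or stdin),
 * so the target is a normal program rather than a linked-in callback. */
int main(int argc, char **argv)
{
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : stdin;
    if (!f)
        return 1;
    uint8_t buf[4096];
    size_t n = fread(buf, 1, sizeof buf, f);
    if (f != stdin)
        fclose(f);
    return LLVMFuzzerTestOneInput(buf, n);
}
#endif
```

With the LibFuzzer build, running the resulting binary with a seed corpus directory starts mutating inputs immediately and stops on the first sanitizer report; with the AFL build, `afl-fuzz -i seeds -o out -- ./harness @@` feeds files through `main` instead. The parser is shared, so the same bounds checks (and the same ASan findings if one were dropped) apply under both engines.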

#3 – honggfuzz

Creator: Google

Why We Like It: Although somewhat similar to AFL, this fuzzer is still worth exploring due to its speed, capability, and versatility. And its CV is impressive; as Google states, “The only (to the date) vulnerability in OpenSSL with the critical score mark was discovered by honggfuzz.” Read about that particular security issue here.

#4 – boofuzz

Creator: Joshua Pereyda

Why We Like It: Boofuzz was built with one goal: to “fuzz everything.” It’s the descendant of the Sulley fuzzing framework, designed as a new-and-improved version of Sulley (you might actually recognize Sulley and Boo as characters from the Disney film “Monsters Inc.”). Its enhancements include an easier install experience, fewer bugs, and better recording of test data.

#5 – FFUF

Creator: ffuf

Why We Like It: FFUF’s strength is its “blazing fast speed.” Although it is limited to web fuzzing, if you need a fuzzer to work quickly, this is the tool for you! Also, fun fact: FFUF stands for “fuzz faster you fool.”

#6 – ToothPicker

Creator: Secure Mobile Networking Lab

Why We Like It: ToothPicker is a fuzzer designed for fuzzing iOS environments. Its creators successfully used it to detect a zero-click RCE bug in iOS (fixed in iOS 13.5). That alone speaks to its prowess. Additionally, you can adapt ToothPicker to target any platform running Frida.

Watch this presentation by Dennis Heinze to get a closer look at ToothPicker:

#7 – afl-unicorn

Creator: Nathan Voss/Battelle

Why We Like It: In short, this fuzzer is a “Unicorn mode” for AFL. It requires emulating your code via Unicorn Engine, a multi-platform, multi-architecture CPU emulator framework. If you can emulate your code with Unicorn Engine, you can fuzz it with afl-unicorn. As creator Nathan Voss writes in “afl-unicorn Part 2: Fuzzing the Unfuzzable,” “Afl-unicorn bridges the gap between the thoroughness of fully manual research (i.e. reading disassembly/source) and the unmatched ease-of-use of AFL.”

#8 – Atheris

Creator: Google (again)

Why We Like It: It’s not the only Python-centric fuzzer out there (see PythonFuzz, for example), but this coverage-guided Python fuzzing engine is one of the more powerful ones available. Google advises using Atheris in tandem with AddressSanitizer or UndefinedBehaviorSanitizer when fuzzing native code, in order to detect additional security issues. Curious to see an example of a high-severity bug found with this fuzzer? Go here.

#9 – CI Fuzz

Creator: Code Intelligence

Why We Like It: It’s fitting to close with another potent fuzzer. CI Fuzz touts its ability to merge the best of Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Interactive Application Security Testing (IAST). Allegedly, this makes CI Fuzz a powerful way to find deep-rooted vulnerabilities and reduce false positives in the process. But don’t just take their word for it; take a look at this impressive list of CVEs found with CI Fuzz! (Note: This fuzzer is a paid product, unlike the other entries on our list.)

Further Fuzzing Resources

Can’t get enough fuzzing in your life? We compiled some additional resources below, including a few from Bishop Fox’s Matt Keeley.


About the author, Britt Kemp

Community Manager

Britt Kemp is a Community Manager at Bishop Fox. Britt has been involved with the content, social media, and digital programs at the firm for the past several years. She has helped with some of the most popular Bishop Fox blog posts to date.
