In keeping with our new tradition of crowdsourcing pen testing tool list topics (like this cloud pen testing list), we again put out our feelers on Twitter, Reddit, and LinkedIn to see what our next blog should be. Although this competition was a close one, it became clear that a blog post on fuzzing tools was the winner. So without any further ado, let’s get to the good stuff.
We’ll launch another poll very soon! Please vote when you see it.
Fuzzers to Add to Your Pen Testing Toolkit
#1 – LibFuzzer
Creator: The LLVM Project
Why We Like It: LibFuzzer offers the user coverage-guided fuzzing and provides immediate support for address sanitizers. It’s important to note that LibFuzzer needs to be integrated into an application or library in order for it to work. And if you’re performing black-box testing out of the box, LibFuzzer won’t be the fuzzer for the job.
Check out CVE-2017-3732, which was discovered using LibFuzzer. And watch a video of the fuzzer in action below!
#2 – American Fuzzy Lop (AFL, AFL++)
Creator: Michał Zalewski (@lcamtuf)
Why We Like It: AFL is another classic fuzzer – we couldn’t not include this popular tool. It’s been used to identify many well-known security bugs; you can see a comprehensive list here. According to creator Michal Zalewski, this fuzzer was specifically designed to be a tool for practical use, and its ease of use directly correlates with its popularity.
#3 – honggfuzz
Creator: Google
Why We Like It: Although somewhat similar to AFL, this fuzzer is still worth exploring due to its speed, capability, and versatility. And its CV is impressive; as Google states, “The only (to the date) vulnerability in OpenSSL with the critical score mark was discovered by honggfuzz.” Read about that particular security issue here.
#4 – boofuzz
Creator: Joshua Pereyda
Why We Like It: Boofuzz was built with one goal, and that was to “fuzz everything.” It’s the descendant of the Sully fuzzing framework, but boofuzz was designed as a new-and-improved version of Sully (you might actually recognize Sully and Boo as characters from the Disney film, “Monsters Inc.”) Its enhancements include an easier install experience, fewer bugs, and better recording of test data.
#5 – FFUF
Creator: ffuf
Why We Like It: FFUF’s strength is its “blazing fast speed.” Although it only does web fuzzing, if you need a fuzzer to work quickly, this is the tool for you! Also, fun fact: FFUF stands for “fuzz faster you fool.”
#6 – ToothPicker
Creator: Secure Mobile Networking Lab
Why We Like It: ToothPicker is a fuzzer designed for fuzzing iOS environments. The creators of this fuzzer successfully used it to detect a zero-click RCE bug in iOS (fixed in iOS 13.5). That alone speaks to its prowess. Additionally, you can adapt ToothPicker to target any platform running FRIDA.
Watch this presentation by Dennis Heinze to get a closer look at ToothPicker:
#7 – afl-unicorn
Creator: Nathan Voss/Battelle
Why We Like It: In short, this fuzzer is a “Unicorn mode” for AFL. This fuzzer requires emulating your code via Unicorn Engine, which is a multi-platform, multi-architecture CPU emulator framework. If you can emulate your code with Unicorn Engine, you can fuzz it with afl-unicorn. As creator Nathan Voss writes in “afl-unicorn Part 2: Fuzzing the Unfuzzable,” “Afl-unicorn bridges the gap between the thoroughness of fully manual research (i.e. reading disassembly/source) and the unmatched ease-of-use of AFL.”
#8 – Atheris
Creator: Google (again)
Why We Like It: It’s not the only Python-centric fuzzer out there (see PythonFuzz for example), but this coverage-guided Python fuzzing engine is one of the more powerful ones available. Google advises using Atheris in tandem with Address Sanitizer or Undefined Behavior Sanitizer when fuzzing native code as to detect additional security issues. Curious to see an example of a high-severity bug found with this fuzzer? Go here.
#9 – CI Fuzz
Creator: Code Intelligence
Why We Like It: It’s fitting to close with another potent fuzzer. CI Fuzz totes its ability to merge the best of testing methods Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Interactive Application Security Testing (IAST). Allegedly, this makes CI Fuzz a powerful way to find deep-rooted vulnerabilities and reduce false positives in the process. But don’t just take their word for it; take a look at this impressive list of CVEs found with CI Fuzz! (Note: This fuzzer is actually a paid product, as opposed to other entries on our list.)
Further Fuzzing Resources
Can’t get enough fuzzing in your life? We compiled some additional resources below, including a few from Bishop Fox’s Matt Keeley.
- “Get the Buzz on Fuzz Testing in Software Development” by Matt Keeley (Bishop Fox) – In January 2022, Matt Keeley gave a presentation on fuzzing as part of the Bishop Fox technical webcast series, Tool Talks. You can
- “An Intro to Fuzzing (AKA Fuzz Testing)” by Matt Keeley (Bishop Fox) – But before he presented that Tool Talk, Keeley authored this blog post providing a thorough crash course in fuzzing.
- “Awesome Fuzzing” by secfigo – This is a compilation of books, blog posts, tools, videos, courses, applications, etc., all dedicated to fuzzing. It’s really a one-stop shop for all things fuzzing.
- “Fuzzing for Beginners (KUGG teaches STÖK American Fuzzy Lop)” – This video shows Swedish hacker STÖK learning firsthand how to use American Fuzzy Lop/AFL, which was the second tool featured on our above list!
Subscribe to Bishop Fox's Security Blog
Be first to learn about latest tools, advisories, and findings.
Thank You! You have been subscribed.
