Khaled Yakdan, 4 min read

What Bugs Can You Find With Fuzzing?

Modern fuzz testing is one of the most effective methods for finding bugs and vulnerabilities in software. It is effective because it runs the application with dynamically generated inputs to provoke unexpected or erroneous behavior. Modern fuzzing engines also use feedback from previous inputs (typically the code coverage each input reached) to generate new, more targeted inputs. They are optimized to increase your code coverage and to detect many different bug classes.
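As an added example (not code from the original post or from Code Intelligence's engine), here is a toy coverage-guided loop that shows why the feedback matters: inputs that reach new edges are kept in a corpus and mutated further, while the same loop without feedback is included for comparison. The target, its edge-hit arrays and the "FUZZ" magic bytes are all constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define NUM_EDGES 5
#define MAX_CORPUS 16
#define INPUT_LEN 4
static uint8_t run_hits[NUM_EDGES];   /* edges hit by the current input */
static uint8_t seen_hits[NUM_EDGES];  /* edges hit by any input so far */
/* Stand-in for the coverage instrumentation a real engine's compiler pass inserts. */
static void hit(int edge) { run_hits[edge] = 1; }
/* Constructed target: the "bug" sits behind four nested byte checks; returns 1 on reaching it. */
static int target(const uint8_t *d, size_t n) {
    if (n < INPUT_LEN) return 0;
    hit(0);
    if (d[0] != 'F') return 0; hit(1);
    if (d[1] != 'U') return 0; hit(2);
    if (d[2] != 'Z') return 0; hit(3);
    if (d[3] != 'Z') return 0; hit(4);
    return 1;  /* in real code this is where a sanitizer report or abort() would fire */
}
/* Run one input; returns 1 if it reached an edge no earlier input had reached. */
static int run_input(const uint8_t *d, int *bug) {
    int new_cov = 0;
    memset(run_hits, 0, sizeof run_hits);
    *bug = target(d, INPUT_LEN);
    for (int i = 0; i < NUM_EDGES; i++)
        if (run_hits[i] && !seen_hits[i]) { seen_hits[i] = 1; new_cov = 1; }
    return new_cov;
}
/* guided=1: mutate one byte of a corpus entry and keep it only if it found new edges.
 * guided=0: fresh random bytes every time, no feedback. Returns the iteration that
 * reached the bug, or -1 when max_iters ran out. */
int fuzz(unsigned seed, int max_iters, int guided) {
    uint8_t corpus[MAX_CORPUS][INPUT_LEN], cand[INPUT_LEN];
    int corpus_size = 1, bug = 0;
    srand(seed); memset(seen_hits, 0, sizeof seen_hits);
    memset(corpus[0], 'A', INPUT_LEN);           /* constructed seed input "AAAA" */
    run_input(corpus[0], &bug);
    for (int it = 1; it <= max_iters; it++) {
        if (guided) {
            memcpy(cand, corpus[rand() % corpus_size], INPUT_LEN);
            cand[rand() % INPUT_LEN] = (uint8_t)(rand() % 256);
        } else for (int i = 0; i < INPUT_LEN; i++) cand[i] = (uint8_t)(rand() % 256);
        if (run_input(cand, &bug) && guided && corpus_size < MAX_CORPUS)
            memcpy(corpus[corpus_size++], cand, INPUT_LEN);
        if (bug) return it;
    }
    return -1;
}
```

With feedback the four checks are solved one byte at a time (on the order of ten thousand iterations); without it a four-byte magic value is a one-in-2^32 lottery per attempt.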

Since 2018, Code Intelligence has provided a platform for automated fuzz testing. Working closely with industry and academia, the engineers at Code Intelligence have extended the reach of modern fuzz testing to a variety of use cases. This article gives an overview of some of the bug classes the CI team has found over the past years.*

* Please note that for confidentiality reasons, not all findings are included in this post. If you are interested in a specific bug class, please contact our experts.

Bugs and CWEs Found Through Code Intelligence Fuzzing in C/C++

  • CWE-119 Improper Restriction of Operations Within the Bounds of a Memory Buffer
  • CWE-823 Use of Out-of-Range Pointer Offset
  • CWE-786 Access of Memory Location Before Start of Buffer
  • CWE-680 Integer Overflow to Buffer Overflow
  • CWE-466 Return of Pointer Value Outside of Expected Range
  • CWE-787 Out-of-Bounds Write
  • CWE-125 Out-of-Bounds Read
  • CWE-129 Improper Validation of Array Index
  • CWE-193 Incorrect Calculation of Buffer Size
  • CWE-193 Off-by-One Error
  • CWE-195 Signed to Unsigned Conversion Error
  • CWE-839 Numeric Range Comparison Without Minimum Check
  • CWE-843 Access of Resource Using Incompatible Type ("Type Confusion")
  • CWE-1257 Improper Access Control Applied to Mirrored or Aliased Memory Ranges
  • CWE-190 Integer Overflow or Wraparound
  • CWE-20 Improper Input Validation
  • CWE-415 Double Free
  • CWE-416 Use After Free
  • CWE-476 NULL Pointer Dereference
  • CWE-590 Free of Memory Not on the Heap
  • CWE-362 Signal Handler Race Condition
  • CWE-366 Race Condition Within a Thread
  • CWE-367 Time-of-Check Time-of-Use (TOCTOU) Race Condition
  • CWE-368 Context Switching Race Condition
  • CWE-421 Race Condition During Access to Alternate Channel
  • CWE-1223 Context Switching Race Condition
  • CWE-662 Improper Synchronization
  • CWE-758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
  • CWE-562 Return of Stack Variable Address
  • CWE-587 Assignment of a Fixed Address to a Pointer
  • CWE-588 Attempt to Access Child of a Non-Structure Pointer
  • CWE-1102 Reliance on Machine-Dependent Third-Party Components
  • CWE-1105 Insufficient Encapsulation of Machine-Dependent Functionality


What Bugs Can You Find With Fuzzing in C/C++?

Memory Buffer Errors

  • Buffer Overflow
  • Incorrect Calculation of Buffer Size
  • Free of Memory not on the Heap
  • Integer Overflow to Buffer Overflow
  • Access of Memory Location Before Start of Buffer
  • Improper Access Control Applied to Mirrored or Aliased Memory Regions
  • Improper Handling of Overlap Between Protected Memory Ranges
  • Double-Free
  • Out-of-bounds Read
  • Out-of-bounds Write
  • Dangling pointer

Data Validation Issues

  • Out-of-bounds array index
  • Object Type Confusion
  • Improper Input Validation

Pointer Issues

  • Return of Pointer Value Outside of Expected Range
  • NULL Pointer Dereference
  • Assignment of a Fixed Address to a Pointer
  • Attempt to Access Child of a Non-structure Pointer
  • Untrusted pointer offset

Numeric Errors

  • Integer Overflow or Wraparound
  • Off-by-one Error
  • Numeric Range Comparison Without Minimum Check

Concurrency Issues

  • Signal Handler Race Condition
  • Race Condition (Concurrent Execution Using Shared Resource with Improper Synchronization)
  • Race Condition Within a Thread
  • Time-of-Check Time-of-Use (TOCTOU)
  • Race Condition During Access to Alternate Channel
  • Context Switching Race Condition
  • Race Condition for Write-Once Attributes
  • Improper Synchronization

Bad Coding Practices

  • Return of Stack Variable Address
  • Reliance on Machine-Dependent Data Representation
  • Use of Platform-Dependent Third-Party Components

Info Box: Fuzzing With Sanitizers

Some bugs cannot be detected by fuzzing alone: a one-byte out-of-bounds read or a data race often does not crash the process, so the fuzzer never notices it. To expose these more complex vulnerabilities, you have to fuzz with additional sanitizers, for example ThreadSanitizer for race conditions or AddressSanitizer for memory buffer errors. Sanitizers are compiler instrumentation plus a runtime library that you compile into your code; they turn such silent errors into immediate, diagnosed crashes, so your program crashes more often and earlier. The CI Fuzz testing platform can help you set up and configure those sanitizers in order to improve your code coverage.
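An added example, not from the original post or from Code Intelligence, of the kind of bug the info box is about: a libFuzzer-style target (built with clang -g -fsanitize=fuzzer,address) for a constructed length-prefixed record format, with the off-by-one bound check that fuzzing alone usually misses next to its fixed form. The record layout, the function names and the sample records are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Record format (constructed for this example): [len: 1 byte][payload: len bytes].
 * Both parsers return the payload checksum, or -1 for a malformed record. */

/* Deliberately vulnerable variant: the bound check forgets the header byte, so a
 * record claiming len == n reads one byte past the buffer (the "Incorrect Calculation
 * of Buffer Size" / off-by-one classes listed above). Plain fuzzing usually sees no
 * crash here: the stray read just returns whatever sits after the buffer. */
int checksum_vulnerable(const uint8_t *buf, size_t n) {
    if (n == 0 || buf[0] > n) return -1;                 /* off by one: should be n - 1 */
    int sum = 0;
    for (size_t i = 1; i <= buf[0]; i++) sum += buf[i];  /* i == n when len == n */
    return sum;
}

/* Fixed variant: account for the header byte before trusting len. */
int checksum_fixed(const uint8_t *buf, size_t n) {
    if (n == 0 || (size_t)buf[0] > n - 1) return -1;
    int sum = 0;
    for (size_t i = 1; i <= buf[0]; i++) sum += buf[i];
    return sum;
}

/* libFuzzer entry point; the engine calls it with each mutated input. libFuzzer
 * hands the input over in a heap buffer of exactly `size` bytes, so with
 * -fsanitize=address the one-byte over-read lands in a redzone and is reported as
 * heap-buffer-overflow READ instead of passing silently. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    (void)checksum_fixed(data, size);   /* swap in checksum_vulnerable to watch ASan fire */
    return 0;
}

/* Constructed sample records for stand-alone checks. */
const uint8_t kRecordOk[]  = {3, 1, 2, 3};   /* len 3, payload 1+2+3 = 6 */
const uint8_t kRecordBad[] = {4, 1, 2, 3};   /* claims 4 payload bytes, only 3 present */
```

Without AddressSanitizer the vulnerable parser accepts kRecordBad and returns 6 plus one byte of adjacent memory; the fuzzer only sees a crash once ASan is compiled in.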


What Bugs Can You Find With Fuzzing in Java?

Fuzz testing is also an effective approach for finding security vulnerabilities in memory-safe languages. With our fuzzing engine for Java, we regularly uncover all kinds of bugs in JVM-based customer projects. Here is a list of some typical bugs we find during security testing for Java applications:

Data Validation Errors

  • Injection
  • Exposure of Sensitive Information to an Unauthorized Actor
  • XML External Entities (XXE)
  • Sensitive Data Exposure
  • Generation of Error Message Containing Sensitive Information
  • Cross-Site Scripting (XSS)

Logic Issues

  • Logic issue: bypass of security features

Audit/Logging Errors

  • Logging of Excessive Data
  • Insufficient Logging
  • Insufficient Logging & Monitoring
  • Broken Authentication
  • Broken Access Control

Cookie Issues

  • Sensitive Cookie with Improper SameSite Attribute
  • Sensitive Cookie Without 'HttpOnly' Flag
  • Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Other Issues

  • Denial of Service (DoS)
  • Infinite Loop
  • Security Misconfiguration
  • Insecure Deserialization
  • Using Components with Known Vulnerabilities
  • Uncaught Exceptions


Although our fuzzing engine already uncovers a large variety of bug classes, we are constantly improving and fine-tuning our platform to make security testing more usable and accessible for everyone. For an in-depth look at Code Intelligence's technology, book a demo.
