Cross Platform Web based Fuzzing

Abstract

We use web applications on daily basis. Web applications are found on all sort of devices such as phones tablets, TVs and computers. As the utilization of web applications increases, the need to keep them safe also increases. Security in any type of software is an extremely important aspect, it is therefore, the responsibility of the software developers to keep the user’s data safe. Fuzzing, or Fuzz testing provides an informal way to test software’s and web applications without the need for human contact or experience. Web based fuzzing is not the same as, regular fuzzing. They do not produce any random input data themselves, but instead they use different word lists and other payloads as inputs for different purposes. This thesis compares the performance of the two command-line web fuzzers Wfuzz, Ffuf and a windows based tool called BurpSuite with each other. First assumption was that BurpSuite is the better tool because it is easier to install and use with a simple GUI. On the other hand, Wfuzz and Ffuf are command line tools with no GUI. Ffuf uses the least memory followed by Wfuzz and BurpSuite. While in CPU usage BurpSuite is the winner followed by Ffuf. For comparison Memory usage and CPU utilization were used. The final verdict of the comparison is that even though BurpSuite is easier to use with GUI but it is not open source although Ffuf is a newer tool and open source but the ideal choice is Wfuzz because it is well established and open source tool.