Boundary testing occurs when you go after the bounds of expected input. You test the edges of the maximum or minimum values, and just outside the maximum or minimum—checking for errors and correct handling of the input.
Sending applications data they don’t expect is a way to identify bugs in a program. You may get error messages that provide information that may be useful, or you may get a program crash. One way of accomplishing this is to use a class of applications called fuzzers. A fuzzer generates random or variable data to provide to an application. The input is programmatically generated based on a set of rules.
Fuzzing may be considered black-box testing by some people, because the fuzzing program has no knowledge of the inner workings of the service application. It sends in data, regardless of what the program is expecting the input to look like. Black-box testing is about viewing the software under test as a black box—the inner workings can’t be seen. Even if you have access to the source code, you are not developing the tests you run with a fuzzer with respect to the way the source code looks. From that standpoint, the application may as well be a black box, even if you have the source code.
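As an added example (not code from the book or from sfuzz), the following Python harness combines the two ideas above: boundary values at and just past the edges of an accepted range, and rule-driven fuzz input generation, fed to a constructed toy parser whose outcomes are classified as accepted, rejected, or an unexpected crash. The mini rules format, the parse_host_port target and its defect are assumptions of this example.

```python
import random

def boundary_values(low, high):
    """Each edge of the accepted range, one step inside it and one step outside it."""
    return sorted({low - 1, low, low + 1, high - 1, high, high + 1})

def generate_from_rules(rules, rng, count=20):
    """Build inputs from an assumed mini rules format: ("literal", text),
    ("repeat", (char, max_len)) or ("random", max_len) for random byte values."""
    inputs = []
    for _ in range(count):
        parts = []
        for kind, arg in rules:
            if kind == "literal":
                parts.append(arg)
            elif kind == "repeat":
                parts.append(arg[0] * rng.randint(0, arg[1]))
            elif kind == "random":
                parts.append("".join(chr(rng.randint(0, 255)) for _ in range(rng.randint(0, arg))))
        inputs.append("".join(parts))
    return inputs

def parse_host_port(line):
    """Constructed toy target: expects 'Host: name:port' with port in 1..65535.
    Deliberate defect: a line with fewer than two ':' indexes past the split."""
    fields = line.split(":")
    host, port = fields[1].strip(), int(fields[2])  # IndexError on short input
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return host, port

def run_harness(target, inputs):
    """ValueError is the target's intended way of refusing bad data;
    any other exception is an unhandled crash and gets recorded."""
    results = {"accepted": 0, "rejected": 0, "crashes": []}
    for data in inputs:
        try:
            target(data)
            results["accepted"] += 1
        except ValueError:
            results["rejected"] += 1
        except Exception as exc:
            results["crashes"].append((repr(data), type(exc).__name__))
    return results

def demo(seed=1):
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    inputs = [f"Host: example.test:{p}" for p in boundary_values(1, 65535)]
    rules = [("literal", "Host: "), ("repeat", ("A", 40)), ("random", 8)]
    return run_harness(parse_host_port, inputs + generate_from_rules(rules, rng))
```

The boundary set exercises ports 0, 1, 2, 65534, 65535 and 65536; the rule-generated lines mostly lack a second colon, which is exactly the unexpected shape that surfaces the parser's IndexError.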
Kali has a few fuzzers installed, and more can be installed. The first one to look at, sfuzz, is used to send network traffic to servers. sfuzz has a collection of rules files that tell the program how to create the data being sent. Some of these are based on