

What's the difference between Attack Simulation and Fuzzing?

If you are familiar with the API security tools available in open source, you can easily tell that a lot of them are fuzzing. They are technically the fuzzing tools of others. Comparing fuzzing and attack simulation is synonymous with comparing any particular planet to the universe as a whole.

The basic difference is the fuzzing payloads. There is an infinite amount of fuzzing payloads, growing like the expansion of the universe, which means you can apply more ideas, more templates, random data and random fields. Fuzzing is technically like an infinite universe, and a particular planet or piece of it is what we can cover as an attack simulator.

But the amount of payloads is not the only difference between fuzzing and attack simulation. Some of the attacks could also be behavioral; for example, it is difficult to build a fuzzing test and find risk conditions. Such a condition can be caught or triggered, but it is pretty hard to check whether it can happen or has already happened. The same goes for credential stuffing and brute-force attacks, API abuse, business logic abuse and others.

Fuzzing requires deep integration with, and deep understanding of, the application's business logic. Unfortunately, even with the API schema, or OpenAPI, it's hard to tell how the API endpoints and calls should interact with each other: you basically cannot define the policies.

