A virtual machine can now be downloaded from CERT that is setup to find vulnerabilities in applications using a method known as “dumb fuzzing”. It is based upon the zzuf application.

To begin fuzzing on your own, simply follow these steps:

1. Unzip scripts.zip to c:\fuzz
2. Unzip DebianFuzz.zip to a directory of your choice.
3. Open DebianFuzz.vmx with VMware.
4. Create a snapshot in VMware
5. Power on the VM

You may need to verify that the shared folder is enabled in the VM preferences. Other virtualization products may work with some additional configuration. See the README.txt file in scripts.zip for more details.

Download your very own BFF today and start fuzzing.

Application tests have been required in PCI under requirement six for some time, but nothing like this. I wonder if the availability and ease of fuzzing will be noted in this October’s update to the requirements.