The Guide to Finding and Reporting Web Vulnerabilities
Pitfalls of Fuzzing
Of course, fuzzing isn’t a magic cure-all for every kind of bug detection. The technique has limitations, one of which is rate limiting by the server. During a remote, black-box engagement, you might not be able to send large numbers of payloads to the application without the server detecting your activity or without hitting some kind of rate limit. This can slow your testing down, or the server might ban you from the service entirely.
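To make the server-side rate limiting described above concrete, here is an added example (not code from the book) of a sliding-window limiter of the kind that throttles and then bans a fuzzer, run against constructed traffic from one ordinary browsing client and one fuzzer; the thresholds and the two client IP addresses are assumed values chosen for the demo.

```python
"""Sliding-window rate limiter showing why black-box fuzzing gets throttled.

Each client has a deque of recent request timestamps. Once more than LIMIT
requests fall inside WINDOW seconds the server answers 429; a client that
keeps sending after BAN_AFTER consecutive rejections is banned (403) for
BAN_SECONDS. All thresholds and IP addresses below are assumed values.
"""
from collections import defaultdict, deque

LIMIT = 20           # requests allowed per window (assumed)
WINDOW = 10.0        # window length in seconds (assumed)
BAN_AFTER = 10       # consecutive 429s before a temporary ban (assumed)
BAN_SECONDS = 300.0  # ban duration (assumed)


class RateLimiter:
    def __init__(self, limit=LIMIT, window=WINDOW,
                 ban_after=BAN_AFTER, ban_seconds=BAN_SECONDS):
        self.limit, self.window = limit, window
        self.ban_after, self.ban_seconds = ban_after, ban_seconds
        self.hits = defaultdict(deque)      # client -> timestamps inside window
        self.rejected = defaultdict(int)    # client -> consecutive 429 count
        self.banned_until = {}              # client -> time the ban expires

    def check(self, client, now):
        """Return the status the server would answer: 200, 429 or 403."""
        if self.banned_until.get(client, 0.0) > now:
            return 403
        q = self.hits[client]
        while q and now - q[0] > self.window:   # forget requests outside window
            q.popleft()
        if len(q) >= self.limit:
            self.rejected[client] += 1
            if self.rejected[client] >= self.ban_after:
                self.banned_until[client] = now + self.ban_seconds
                return 403
            return 429
        q.append(now)
        self.rejected[client] = 0               # a served request resets the count
        return 200


def simulate(requests):
    """requests: iterable of (timestamp, client). Returns {client: {status: count}}."""
    rl = RateLimiter()
    summary = defaultdict(lambda: defaultdict(int))
    for ts, client in requests:
        summary[client][rl.check(client, ts)] += 1
    return {c: dict(s) for c, s in summary.items()}


# Constructed traffic: a browsing user at 1 req/s and a fuzzer firing 100 payloads at 50 req/s.
USER = [(t * 1.0, "198.51.100.7") for t in range(30)]
FUZZER = [(5.0 + i * 0.02, "203.0.113.9") for i in range(100)]

if __name__ == "__main__":
    print(simulate(sorted(USER + FUZZER)))
```

The browsing client is never throttled, while the fuzzer gets only its first 20 payloads through before the 429s start and a ban follows, which is the behaviour a black-box tester runs into when a fuzzer is pointed at a rate-limited target.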
In a black-box test, it can also be difficult to accurately evaluate the impact of the bug found through fuzzing, since you don’t have access to the code and so are getting a limited sample of the application’s behavior. You’ll often need to conduct further manual testing to classify the bug’s validity and significance. Think of fuzzing as a metal detector: it merely points you to the suspicious spots. In the end, you need to inspect more closely to see if you have found something of value.
Another limitation involves the classes of bugs that fuzzing can find. Although fuzzing is good at finding certain basic vulnerabilities like XSS and SQL injection, and can sometimes aid in the discovery of new bug types, it isn’t much help in detecting business logic errors, or bugs that require multiple steps to exploit. These complex bugs are a big source of potential attacks and still need to be teased out manually. While fuzzing should be an essential part of your testing process, it should by no means be the only part of it.