Twitter
« Exploiting Integer Based SQL Injection in Nested SQL Queries | Main | When Domain Admin Is Not Enough »
Tuesday
Sep242013

Fuzzing FIX

FIX (Financial Information eXchange) is a transaction protocol we come across quite often when assessing trading systems, especially those which span multiple organizations. Having come across these systems a number of times, GDS opted to create a FIX specific assessment tool to enable us to more efficiently assess FIX based solutions.  The main idea was to create a tool which can be extended with new tests in order assess a variety of implementations. After cleaning up the code somewhat, we are now choosing to release this tool to the public. Although it only includes a relatively small number of the checks we perform on such an engagement, it should help provide a starting point for testing a wide variety of FIX receivers. 

When we get an opportunity, we will provide a more detailed walkthrough of using and extending the tool, however to leverage the tool in the meantime, record a FIX conversation between a client and receiver using a packet capture utility such as Wireshark or TCPDump.  Feed this capture file in to the tool, and the messages and a login request will be extracted to serve as a baseline for fuzzing.  The tool will issue a new login request for every message in order to help prevent one session from clouding another.  It also has the ability to keep track of (and automatically update) sequence numbers and respond to resend requests.  The source code can be found on our public Github page at https://github.com/GDSSecurity/Fizzer.

Reader Comments (1)

Hi, thanks for releasing such a great tool! Q: How you monitor the target endpoint for results? Am not sure how to see if tests like dir traversal or cmd injection are successful. Also - what's the most common vuln you see with the test cases?
October 9, 2013 | Unregistered CommenterFernando

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Post:
 
All HTML will be escaped. Hyperlinks will be created for URLs automatically.