Enhancing AppSec through Fuzzing in CI/CD Pipelines

name: fuzz

on:
  push:
    branches:
      - main
  pull_request:

jobs:
  fuzz:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Set up Go
        uses: actions/setup-go@v2
        with:
          go-version: <version>

      - name: Install dependencies
        run: go mod tidy

      - name: Run Fuzzing
        run: go test -fuzz=<fuzz-function> -fuzztime=60s

stages:
  - fuzz

fuzz:
  stage: fuzz
  image: golang:<version>
  script:
    - go mod tidy
    - go test -fuzz=<fuzz-function> -fuzztime=60s

package main

import (
    "log"
    "net/http"
    "net/url"
)

func handleUserURL(input string) {
    parsedURL, err := url.Parse(input)
    if err != nil {
        log.Printf("Failed to parse URL: %v", err)
        return
    }
    log.Printf("Parsed URL: Host=%s, Hostname=%s, Port=%s", parsedURL.Host, parsedURL.Hostname(), parsedURL.Port())
}

func main() {
    http.HandleFunc("/example", func(w http.ResponseWriter, r *http.Request) {
        input := r.URL.Query().Get("input")
        handleUserURL(input)
    })
    http.ListenAndServe(":8080", nil)
}

package main

import (
    "net/url"
    "testing"
)

func FuzzURLParse(f *testing.F) {
    f.Add("javascript://alert(1)")

    f.Fuzz(func(t *testing.T, input string) {
        parsedURL, err := url.Parse(input)
        if err != nil {
            t.Logf("Failed to parse URL: %v", err)
            return
        }
        host := parsedURL.Hostname()
        port := parsedURL.Port()

        switch parsedURL.Host {
        case host + ":" + port:
            return
        case "[" + host + "]" + port:
            return
        case host:
            fallthrough
        case "[" + host + "]":
            if port != "" {
                panic("unexpected Port()")
            }
            return
        }
        t.Logf("Parsed URL: Host=%s, Hostname=%s, Port=%s", parsedURL.Host, parsedURL.Hostname(), parsedURL.Port())
    })
}

go test -fuzz=FuzzURLParse -fuzztime=60s

// ParseRequestURI parses a raw url into a [URL] structure. It assumes that
// url was received in an HTTP request, so the url is interpreted
// only as an absolute URI or an absolute path.
// The string url is assumed not to have a #fragment suffix.
// (Web browsers strip #fragment before sending the URL to a web server.)
func ParseRequestURI(rawURL string) (*URL, error) {
    url, err := parse(rawURL, true)
    if err != nil {
        return nil, &Error{"parse", rawURL, err}
    }
    return url, nil
}

Get A Demo

GH Actions changed-files supply chain attack: What happened?

Cenk Kalpakoğlu - 18 Mar 2025

Customizable Roles and Permission in ASPM Platforms

Can Taylan Bilgin - 27 Feb 2025

The Advantage of Using VEX SBOMs

Ben Strozykowski - 18 Feb 2025

Generating build-time SBOMs with CycloneDX and Kondukto

Luis Pereira - 20 Jan 2025

Okta vulnerability explained (bcrypt auth bypass)

Cenk Kalpakoğlu - 05 Nov 2024

eBPF Vulnerabilities: Ecosystem and Security Model

Andreas Wiese - 31 Oct 2024

Ruby affected by CVE-2024-45409

Kondukto Security Team - 09 Oct 2024

Secure CodingAppSec

Linux Kernel effected by CVE-2023-2163

Kondukto Security Team - 04 Oct 2024

ASPMDevSecOps

Empowering Developers in AppSec: Scaling and Metrics

Andreas Wiese - 19 Sep 2024

DevSecOpsAppSecASPM

Protecting APIs of Modern Applications

Kondukto Security Team - 13 Sep 2024

DevSecOpsAppSec

Empowering Developers in AppSec: Triage and Collaboration

Andreas Wiese - 09 Sep 2024

DevSecOpsSecure CodingAppSec

Enhancing Vulnerability Management with Threat Intelligence

Andreas Wiese - 20 Aug 2024

AppSecUnified Vulnerability Management

Git SCM affected by CVE-2024-32002

Ali Köse - 20 Jun 2024

Unified Vulnerability ManagementDevSecOps

Bring-Your-Own-Data (BYOD) to the Kondukto Platform

Cenk Kalpakoğlu - 04 Jun 2024

Google Cloud affected by CVE-2021-30476

Kondukto Security Team - 13 May 2024

DevSecOpsUnified Vulnerability Management

kntrl integrates Open Policy Agent

Cenk Kalpakoğlu - 09 May 2024

Supply Chain SecurityDevSecOpskntrl

4 Ways to Improve AppSec Accountability

Andreas Wiese - 02 May 2024

Secure CodingSASTAppSec

Securing CI/CD Runners through eBPF

Cenk Kalpakoğlu - 01 Apr 2024

AppSecSupply Chain Securitykntrl

Introducing kntrl: Enhancing CI/CD Security with eBPF

Cenk Kalpakoğlu - 14 Mar 2024

kntrlSupply Chain SecurityDevSecOps

Supply Chain Security Snags

Andreas Wiese - 07 Mar 2024

Supply Chain SecuritySBOMDevSecOps

Microsoft Azure CLI affected by CVE-2022-39327

Kondukto Security Team - 28 Feb 2024

Unified Vulnerability ManagementAppSecDevSecOps

Splunk Enterprise affected by CVE-2023-40598

Kondukto Security Team - 05 Feb 2024

Unified Vulnerability ManagementAppSecDevSecOps

Running DAST in CI/CD for Regression Testing

Andreas Wiese - 23 Jan 2024

DASTDevSecOpsAppSec

Why SBOM Matters infographic

Andreas Wiese - 15 Jan 2024

Supply Chain SecuritySBOM

Create SBOM on Gradle with the CycloneDX Plugin

Alperen Örsdemir - 10 Jan 2024

ASPMSupply Chain SecuritySBOM

Enhancing Security with eBPF: Use Cases Explored

Cenk Kalpakoğlu - 28 Dec 2023

DevSecOpsContainer Security

A Look into Modern Security Orchestration

Can Taylan Bilgin - 26 Dec 2023

ASPMAppSecDevSecOps

How Malicious Code Enters Applications

Andreas Wiese - 07 Dec 2023

Supply Chain SecurityAppSecASPM

ASPM and Security Testing Orchestration

Can Taylan Bilgin - 28 Nov 2023

Supply Chain SecuritySASTASPM

Container Security: A Quick Overview

Andreas Wiese - 21 Nov 2023

Container SecurityDevSecOpsAppSec

Unveiling Java Library Vulnerabilities

Alperen Örsdemir - 31 Oct 2023

Supply Chain SecurityAppSec

Get Management Buy-in with AppSec Metrics

Cenk Kalpakoğlu - 17 Oct 2023

Secure CodingDevSecOpsAppSec

How to Streamline Vulnerability Management

Can Taylan Bilgin - 27 Sep 2023

ASPMDevSecOps

AI Remediation: A massive time-saver

Cenk Kalpakoğlu - 07 Sep 2023

Machine LearningSecure CodingAppSec

How to Shift-Left Better with Git Hooks

Cenk Kalpakoğlu - 22 Aug 2023

DevSecOpsAppSec

A Guide to Becoming a Product Security Engineer

Cenk Kalpakoğlu - 10 Jul 2023

AppSec

Top 10 Reasons To Implement An ASPM Right Now!

Can Taylan Bilgin - 30 May 2023

DevSecOpsAppSec

Demo Hub launched for Kondukto Technology Partners

Andreas Wiese - 25 Apr 2023

PartnershipsAppSecASPM

Winning Management Support as an AppSec Leader

Can Taylan Bilgin - 18 Apr 2023

DevSecOpsAppSec

How To Get Developer Buy-In For AppSec Programs

Can Taylan Bilgin - 08 Mar 2023

AppSecDevSecOps

How to integrate continuous API fuzzing into the CI/CD?

Cenk Kalpakoğlu - 17 Jan 2023

DevSecOpsAppSec

OpenAI (ChatGPT) Vulnerability Remediation Concept Work

Suphi Cankurt - 13 Dec 2022

Secure CodingAppSec

OWASP ASVS with your security testing tools

Suphi Cankurt - 28 Nov 2022

ASVSAppSec

Application Security Engineer: Salary, Skills, Requirements

Suphi Cankurt - 10 Oct 2022

AppSec

The Economics of ASPM

Can Taylan Bilgin - 27 Sep 2022

AppSec

Announcing Our Seed Round

Can Taylan Bilgin - 05 Sep 2022

What is Application Security Orchestration and Correlation?

Can Taylan Bilgin - 30 Aug 2022

AppSec

Dockerfile Security Best Practices with Semgrep

Cenk Kalpakoğlu - 25 Aug 2022

5 Essential Skills to Become a DevSecOps Engineer

Barış Ekin Yıldırım - 22 Jul 2022

DevSecOps

3 Ways Using ASVS Can Help Your Organization

Can Taylan Bilgin - 01 Jul 2022

ASVSDevSecOpsAppSec

How to boost SAST performance?

Cenk Kalpakoğlu - 20 Jun 2022

SASTDevSecOpsAppSec

Insecure Deserialization

Barış Ekin Yıldırım - 07 Jun 2022

Secure CodingAppSecInsecure Deserialization

How To Generate and Audit SBOM In a CI/CD Pipeline

Barış Ekin Yıldırım - 20 May 2022

Supply Chain SecurityDevSecOpsSBOM

Software Bill of Materials(SBOM) 101

Barış Ekin Yıldırım - 03 May 2022

Supply Chain SecuritySBOMDevSecOps

5 Common Mistakes in DevSecOps

Cenk Kalpakoğlu - 13 Apr 2022

DevSecOpsAppSec

5 Use Cases of Kondukto CLI in CI/CD pipelines

Can Taylan Bilgin - 24 Jan 2022

DevSecOpsAppSec

Vulnerability Management In Your GitFlow

Can Taylan Bilgin - 16 Sep 2021

Secure CodingAppSec

Security Training for Developers with Avatao

Can Taylan Bilgin - 05 Aug 2021

Secure CodingAppSec

The Essence of DevSecOps: Aligning Multiple Teams

Can Taylan Bilgin - 01 May 2021

DevSecOpsAppSec

How to Get the Most Out of Security Training for Developers

Can Taylan Bilgin - 23 Feb 2021

Secure CodingAppSec

Defensive Programming Tips-2: LDAP Injection

Cenk Kalpakoğlu - 21 Jan 2021

AppSecSecure Coding

4 Key Benefits of Application Security Orchestration

Can Taylan Bilgin - 30 Sep 2020

AppSec

Cybersecurity As a Marketing Activity

Can Taylan Bilgin - 25 Aug 2020

AppSec

Defensive Programming Tips-1: Bad URL Handling Patterns

Cenk Kalpakoğlu - 20 Jul 2020

AppSec

Software Developers : Scapegoats For Security Vulnerabilities

Can Taylan Bilgin - 18 Jun 2020

DevSecOps

5 Circular Phases of Sec in DevSecOps

Can Taylan Bilgin - 26 May 2020

DevSecOps

Keep Applications Secure While Keeping Your Distance

Can Taylan Bilgin - 08 Apr 2020

AppSec

DevOps vs DevSecOps Differences

Can Taylan Bilgin - 20 Feb 2020

DevSecOps

Secure Software Development Life Cycle: Beginners Guide

Can Taylan Bilgin - 23 Jan 2020

DevSecOps

How To Improve AppSec Posture For Starters

Can Taylan Bilgin - 29 Nov 2019

AppSec

Why Care About Application Security At All?

Can Taylan Bilgin - 14 Oct 2019

AppSec

Damage Limitation Strategies for Developers

Cenk Kalpakoğlu - 19 Sep 2019

Secure Coding

Automating Issue Assignment In Vulnerability Management

Kondukto - 01 Jul 2019

AppSec

What Is The Optimal Security Scan Time For My Applications?

Can Taylan Bilgin - 22 May 2019

AppSec

Keep An Eye On Your Remediation Performance

Can Taylan Bilgin - 11 Apr 2019

AppSec

Benefits of Using SAST And DAST In Tandem

Kondukto - 29 Jan 2019

SASTAppSec

Why Should “Heap Inspection” Not Be Marked As False Positive?

Cenk Kalpakoğlu - 09 Nov 2018

Secure CodingAppSec

Beginning AppSec Training Program for Developers

Cenk Kalpakoğlu - 10 Oct 2018

Secure Coding