Fuzz DB

null Trivandrum Chapter - August 2013 Meet

Published in: Education, Technology

Transcript

  • 1. Attack and Discovery Pattern Database for Application Fuzz Testing Sajith Shetty
  • 2. Definition: Fuzz testing, or fuzzing, is a black-box software testing technique that finds implementation bugs by injecting malformed or semi-malformed data in an automated fashion. FuzzDB - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 3. fuzzdb is an open source database of attack patterns, predictable resource names, regex patterns for identifying interesting server responses, and documentation resources.
  • 5. Predictable Resource Locations: sorted by platform type, language, and application, making brute force testing less brutish.
  • 7. Attack Patterns
      ◦ Categorized by: platform, language, and attack type
      ◦ Attack payloads: information leakage, OS command injection, directory listings, directory traversals, source exposure, file upload bypass, XSS, SQL injection, and more.
  • 9. Response Analysis
      ◦ Predictable strings.
      ◦ Interesting error messages.
      ◦ Lists of common Session ID cookie names, and more.
    Other useful stuff
      ◦ Webshells.
      ◦ Common password and username lists, and some handy wordlists.
    Documentation
      ◦ Helpful documentation and cheat-sheets sourced from around the web that are relevant to the payload categories are also provided.
  • 11.
      ◦ The sets of payloads currently built into open source fuzzing and scanning software are poorly representative of the total body of potential attack patterns.
      ◦ Commercial scanners are a bit better, but not much. However, commercial tools also have a downside, in that they tend to lock these patterns away in obfuscated binaries.
      ◦ Furthermore, it's impossible for a human pentester to encounter and memorize all permutations of the meta characters and hex encoding likely to cause error conditions to arise.
  • 12. FuzzDB was created to aggregate all known attack payloads and common predictable resource names into usable fuzzer payload lists, categorized by function and platform, and make them freely available under an Open Source license. It is immediately usable by web application penetration testers and security researchers.
  • 13. Lots of hours of research while performing penetration tests:
      ◦ analysis of default app installs
      ◦ analysis of system and application documentation
      ◦ analysis of error messages
      ◦ researching old web exploits for repeatable attack strings
      ◦ scraping scanner patterns from HTTP logs
      ◦ various books, articles, blog posts, mailing list threads
      ◦ patterns gleaned from other open source fuzzers and pentest tools
    FuzzDB is like an open source web application security scanner, without the scanner.
  • 14.
      ◦ Burp Proxy's Intruder module
      ◦ Incorporate the patterns into Open Source software, or into your own commercial product.
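
The response-analysis category from slide 9, sketched as an added example (not part of the original slides and not FuzzDB's own code): a small checker to run over your own application's responses, flagging leaked error messages and session cookies set without protective flags. The patterns, the cookie-name list and the sample response are constructed assumptions, and the cookie-flag check goes slightly beyond what the slide lists.

```python
import re

# Constructed illustrative patterns (assumptions), not FuzzDB's own lists.
ERROR_PATTERNS = {
    "sql_error": re.compile(r"you have an error in your sql syntax|ORA-\d{5}", re.I),
    "stack_trace": re.compile(r"Traceback \(most recent call last\)"),
    "path_disclosure": re.compile(r"(?:/var/www|/home/\w+|[A-Z]:\\inetpub)[\w./\\-]*"),
    "directory_listing": re.compile(r"<title>Index of /", re.I),
}
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid"}


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", set()
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def analyze_response(headers, body):
    """headers: list of (name, value) pairs; body: decoded response text.
    Returns a sorted list of (category, detail) findings."""
    findings = set()
    for category, rx in ERROR_PATTERNS.items():
        match = rx.search(body)
        if match:
            findings.add((category, match.group(0)))
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if cookie.lower() in SESSION_COOKIE_NAMES:
            for flag in ("httponly", "secure"):
                if flag not in attrs:
                    findings.add(("session_cookie_missing_" + flag, cookie))
    return sorted(findings)


# Constructed sample response from a hypothetical test application.
SAMPLE_HEADERS = [("Content-Type", "text/html"),
                  ("Set-Cookie", "PHPSESSID=abc123; Path=/; HttpOnly")]
SAMPLE_BODY = ("<b>Warning</b>: You have an error in your SQL syntax near 'x' "
               "in /var/www/shop/item.php on line 12")

if __name__ == "__main__":
    for category, detail in analyze_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(category, "->", detail)
```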
