Attack and Discovery Pattern Database for Application Fuzz Testing
Sajith Shetty

Definition
- Fuzz testing, or fuzzing, is a black-box software testing technique that finds implementation bugs by injecting malformed or semi-malformed data in an automated fashion.
FuzzDB - Attack and Discovery Pattern Database for Application Fuzz Testing
fuzzdb is an open source database of attack patterns, predictable
resource names, regex patterns for identifying interesting server
responses, and documentation resources.

Predictable Resource Locations –
- Sorted by platform type, language, and application, making brute force testing less brutish.

Attack Patterns –
- Categorized by:
  - Platform, Language, and Attack type
- Attack Payloads:
  - information leakage
  - OS command injection
  - directory listings
  - directory traversals
  - source exposure
  - file upload bypass
  - XSS
  - SQL injection and more.

Response Analysis –
- predictable strings.
- interesting error messages.
- lists of common Session ID cookie names, and more.

Other useful stuff –
- Webshells.
- common password and username lists, and some handy wordlists.

Documentation –
- Helpful documentation and cheat-sheets sourced from around the web that are relevant to the payload categories are also provided.
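
Response analysis as listed above, shown as an added example that is not part of the deck or of FuzzDB: a small Python checker that runs error-message regexes and a session-cookie-name list over HTTP responses captured while testing your own application. The patterns, cookie names, function names and sample responses are constructed here for illustration and are not copied from FuzzDB's files.

```python
import re
from dataclasses import dataclass

# Constructed for illustration; these are NOT FuzzDB's pattern files.
ERROR_PATTERNS = {
    "sql_error": re.compile(
        r"SQL syntax.*MySQL|ORA-\d{5}|Unclosed quotation mark|SQLSTATE\[\w+\]",
        re.I),
    "stack_trace": re.compile(
        r"Traceback \(most recent call last\)|at [\w.$]+\(\w+\.java:\d+\)"),
    "path_disclosure": re.compile(
        r'[A-Za-z]:\\(?:inetpub|Users|Windows)\\[^\s<"]+'
        r'|/(?:var/www|home|usr/local)/[^\s<"]+'),
    "directory_listing": re.compile(r"<title>Index of /", re.I),
}
# Constructed list of common session cookie names (lower-cased for matching).
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid",
                        "connect.sid", "sessionid", "sid"}


@dataclass(frozen=True)
class Finding:
    label: str
    evidence: str


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status, header pairs, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def analyze(raw: str):
    """Return findings for one response: leaked errors, weak session cookies."""
    status, headers, body = parse_response(raw)
    findings = []
    # 1. Body: verbose errors, stack traces, filesystem paths, auto-indexes.
    for label, pattern in ERROR_PATTERNS.items():
        match = pattern.search(body)
        if match:
            findings.append(Finding(label, match.group(0)[:80]))
    # 2. Headers: recognise session cookies by name, then check their flags.
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        if cookie_name.lower() not in SESSION_COOKIE_NAMES:
            continue
        attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
        missing = [flag for flag in ("httponly", "secure") if flag not in attrs]
        if missing:
            findings.append(Finding("session_cookie_flags",
                                    f"{cookie_name} missing {', '.join(missing)}"))
    # 3. Status: a 5xx usually means input reached code that did not expect it.
    if status >= 500:
        findings.append(Finding("server_error", str(status)))
    return findings


# Constructed sample responses (not captured from any real system).
SAMPLE_LEAKY = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n\r\n"
    "<b>Warning</b>: You have an error in your SQL syntax; check the manual "
    "that corresponds to your MySQL server version in /var/www/html/item.php "
    "on line 12")
SAMPLE_CLEAN = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=xyz; Path=/; HttpOnly; Secure\r\n\r\n"
    "<html><body>ok</body></html>")
SAMPLE_LISTING = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><title>Index of /backup</title></head></html>")

if __name__ == "__main__":
    for sample in (SAMPLE_LEAKY, SAMPLE_CLEAN, SAMPLE_LISTING):
        print(analyze(sample))
```

Path patterns like these produce false positives on ordinary links, so treat each hit as a lead to review rather than a confirmed leak.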

- The sets of payloads currently built into open source fuzzing and scanning software are poorly representative of the total body of potential attack patterns.
- Commercial scanners are a bit better, but not much. However, commercial tools also have a downside, in that they tend to lock these patterns away in obfuscated binaries.
- Furthermore, it's impossible for a human pentester to encounter and memorize all permutations of the metacharacters and hex encoding likely to cause error conditions to arise.

- FuzzDB was created to aggregate all known attack payloads and common predictable resource names into usable fuzzer payload lists, categorized by function and platform, and make them freely available under an Open Source license. It is immediately usable by web application penetration testers and security researchers.

Lots of hours of research while performing penetration tests:
- analysis of default app installs
- analysis of system and application documentation
- analysis of error messages
- researching old web exploits for repeatable attack strings
- scraping scanner patterns from HTTP logs
- various books, articles, blog posts, mailing list threads
- patterns gleaned from other open source fuzzers and pentest tools

FuzzDB is like an open source web application security scanner, without the scanner.

- Burp Proxy's Intruder module
- Incorporate the patterns into Open Source software, or into your own commercial product.