fuzzdb: Web Fuzzing Discovery and Attack Pattern Database
****Introduction
Too much new software is vulnerable to the attack sequences of yesteryear. This suggests a testing approach: a comprehensive set of known attack pattern sequences can be leveraged for use in targeted fuzzing when testing for exploitable conditions in new applications.
This is especially useful for many filter bypass type exploits. Identical encoding sequences have been observed to bypass filters for more than one application. Examples can be observed in categories including XSS, SQLi, evil script upload, OS command execution, traversal issues, directory indexing bugs, source code revealing vulnerabilities, etc. In recent times, for example, new embedded webservers were discovered to be vulnerable to directory traversal issues triggered by encodings that exploited Microsoft IIS in 2000.
This approach is also useful for targeted use of brute force for discovery using, for example, lists of known vulnerable scripts sorted by platform type, default locations of critical files of popular apps, and high quality lists of common directory names.
Primary sources used for attack pattern research:
-researching old web exploits for repeatable attack strings
-penetration tests I've performed in the past
-scraping scanner patterns from my own http logs
-various books, articles, blog posts
-documentation for popular applications
-analysis of default application installs
Notable sources and other contributors:
-metasploit wmap http://www.metasploit.com/redmine/projects/framework/wiki/WMAP
-dirb http://www.open-labs.org/
-jbrofuzz http://www.owasp.org/index.php/Category:OWASP_JBroFuzz
-skipfish http://code.google.com/p/skipfish/
-rsnake's xss and rfi files http://ha.ckers.org/
-michael daw's web shell archive http://michaeldaw.org/
-joseph giron (joseph.giron13 (at) gmail.com)
-ron gutierrez - html tags and javascript events
-analysis of default app installs
-lists already submitted to OWASP Fuzzing Code DB by Wagner Elias, Eduardo Neves, Ulisses Castro, Adam Muntner http://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database#tab=News
Some files are derived primarily from other fuzzers, and are credited in the files with comments formatted like:
# This file is primarily derived from source xyz
Others have additional instructions for payload use in a similar comment format at the top of the file.
****Download
Check out via svn:
svn checkout http://fuzzdb.googlecode.com/svn/trunk/ fuzzdb-read-only
Or, pick from a plethora of available svn clients: http://en.wikipedia.org/wiki/Comparison_of_Subversion_clients
Tarballs are available for download, but may not be as fresh as what's in the svn repo.
Browse the repo http://code.google.com/p/fuzzdb/source/browse/#svn/trunk
****Usage
I primarily use fuzzdb in the excellent OWASP ZAP (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) and in Burp Suite Pro (http://portswigger.net/suite/). However, it can be used in any web application/service fault injection tool, for manual testing, as an interesting source of test cases for fuzzing binary applications, in IDS signatures, and more.
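The following is an added example, not part of fuzzdb: a sketch of the IDS-style use mentioned above that also handles the credit/instruction comments described under Introduction, so they are not mistaken for patterns. The file contents, log lines and function names are constructed for illustration, and it assumes one pattern per line below the header comments.

```python
import re
from urllib.parse import unquote

# Constructed sample in the layout the README describes: comment at the top
# of the file, then one pattern per line. Not a real fuzzdb file.
SAMPLE_FILE = """\
# This file is primarily derived from source xyz
/phpmyadmin/
/admin/
/backup/
#fragment
"""

# Constructed access-log lines (Common Log Format, documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 162',
    '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /%61dmin/ HTTP/1.1" 404 162',
]

REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def load_patterns(lines):
    """Return (header_comments, patterns). Only the leading run of '#' lines
    is header; a later '#' line is data. Pattern whitespace is preserved."""
    header, patterns, in_header = [], [], True
    for raw in lines:
        line = raw.rstrip("\r\n")
        if in_header and line.startswith("#"):
            header.append(line.lstrip("# "))
            continue
        in_header = in_header and not line  # blank lines do not end the header
        if line:
            patterns.append(line)
    return header, patterns

def flag_requests(log_lines, patterns):
    """Return (raw_path, matched_patterns) for requests that contain a known
    pattern, checked against both the raw and the percent-decoded path."""
    hits = []
    for entry in log_lines:
        m = REQUEST.search(entry)
        if m is None:
            continue
        raw = m.group(1)
        forms = {raw.lower(), unquote(raw).lower()}
        matched = [p for p in patterns if any(p.lower() in f for f in forms)]
        if matched:
            hits.append((raw, matched))
    return hits

if __name__ == "__main__":
    print(flag_requests(SAMPLE_LOG, load_patterns(SAMPLE_FILE.splitlines())[1]))
```

The third log line matches only after percent-decoding, which is why the check runs over both forms of the path.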
****Who
This SVN repository and the files were assembled by Adam Muntner, who works as a Security Engineer at Mozilla Corp.
contact: unix23 (@) gmail.com