begood, Posted May 14, 2010

Hi everyone,

Today's blog post is going to be short and sweet because the Realex Payments 10th birthday party last night has slightly reduced my levels of creativity today! I don't want that to take anything away from the content in today's blog though. The project I'm going to look at today should be a "must know/use" for all web application security testers in my opinion. The same probably applies to anyone developing a web application security testing tool.

The FuzzDB project was created by Adam Muntner to give web application security testers a set of payloads which are representative of real-world attack inputs/payloads. The reasons for creating FuzzDB have been explained in detail on Adam's blog, but I have included the explanation from the Google Code project page below:

Why was fuzzdb created?

The sets of payloads currently built into open source fuzzing and scanning software are poorly representative of the total body of potential attack patterns. Commercial scanners are a bit better, but not much, and tend to lock these patterns away in obfuscated binaries. It's impossible for a human pentester to encounter and memorize all permutations of the meta characters and hex encoding likely to cause error conditions to arise. The volume of patterns collected in fuzzdb implies that much application security testing in the past has utilized incomplete sets of malformed input test cases. Fuzzdb was created to aggregate all known attack payloads and common predictable resource names into usable fuzzer payload lists, categorized by function and platform, and make them freely available under an open source license. It is immediately usable by web application penetration testers and security researchers, and the license permits its use in improving the test cases built into open source and commercial testing software.

The payloads were collected from a wide range of sources including RSnake's XSS Cheat Sheet, commercial and open source scanners, and research into old web exploits.

How can I use the FuzzDB payloads?

The easiest way to start using the FuzzDB payloads is to load them into the Burp Suite and use them with the Intruder tool. I wrote a tutorial for the Intruder tool recently which explains how to load payloads into the tool and test a web application; you can find the tutorial in the links below. If you download the FuzzDB payloads you can select one of the payload files when you are defining your payloads in the Intruder tool.

In the tutorial I used the grep option to identify any responses that contained the string "SQL syntax". FuzzDB provides a list of common application errors which you can load into the grep function; this will allow you to identify any responses which include error strings such as "Microsoft OLE DB Provider for ODBC Drivers". The FuzzDB wiki explains how to load the list of error strings into the grep function.

Links:
Burp Suite Intruder tool tutorial
FuzzDB project page
Adam Muntner blog and Twitter profile

Source: Improve your security testing with the FuzzDB (Security Ninja)
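The grep step described above, as an added example that is not from the post or the FuzzDB project: it parses a FuzzDB-style error-string list (the signature list and HTTP response bodies below are constructed samples, not fuzzdb's real file) and reports which responses leak a database error message, which is the same check Burp's grep option performs on Intruder results.

```python
"""Match HTTP response bodies against a FuzzDB-style error-string list.

Added example; not code from the Security Ninja post or the FuzzDB project.
SAMPLE_SIGNATURES is a small constructed sample in the style of fuzzdb's
error-message lists; a real list file can be passed to load_signatures().
"""
import re
from typing import Iterable

# Constructed sample of error signatures, one per line, like a fuzzdb list.
SAMPLE_SIGNATURES = """\
# comment lines and blanks are ignored
You have an error in your SQL syntax
Microsoft OLE DB Provider for ODBC Drivers
ORA-01756
Warning: mysql_fetch_array()
"""

# Constructed sample responses as (payload label, response body).
SAMPLE_RESPONSES = [
    ("id=1", "<html><body>Welcome back, alice</body></html>"),
    ("id=1'", "<b>Warning</b>: You have an error in your SQL syntax; check the manual"),
    ("id=1%27", "Microsoft OLE DB Provider for ODBC Drivers error '80040e14'"),
    ('id=1"', "<html>Page not found</html>"),
]


def load_signatures(text: str) -> list:
    """Parse a payload-list file: skip blanks and '#' comments, keep order."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def compile_matcher(signatures: Iterable[str]):
    """Build one case-insensitive alternation; escape so '(' etc. stay literal."""
    return re.compile("|".join(re.escape(s) for s in signatures), re.IGNORECASE)


def grep_responses(responses, matcher):
    """Return {label: [matched signatures]} for responses that leak an error string."""
    hits = {}
    for label, body in responses:
        found = sorted({m.group(0) for m in matcher.finditer(body)}, key=str.lower)
        if found:
            hits[label] = found
    return hits


if __name__ == "__main__":
    matcher = compile_matcher(load_signatures(SAMPLE_SIGNATURES))
    for label, sigs in grep_responses(SAMPLE_RESPONSES, matcher).items():
        print(f"{label}: {', '.join(sigs)}")
```

A response that matches is worth a finding on its own, since a verbose database error reaching the client is an information leak regardless of whether the underlying injection is exploitable.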