SlideShare a Scribd company logo

Fuzz DB

n|u - The Open Security Community
n|u - The Open Security Community

null Trivandrum Chapter - August 2013 Meet

EducationTechnology
1 of 17
Download to read offline
Attack and Discovery Pattern Database for Application Fuzz Testing Sajith Shetty
 Definition  Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi- malformed data injection in an automated fashion. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
fuzzdb is an open source database of attack patterns, predictable resource names, regex patterns for identifying interesting server responses, and documentation resources. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
Presentation title
 Predictable Resource Locations –  Sorted by platform type, language, and application, making brute force testing less brutish. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
 Attack Patterns –  Categorized by :  Platform, Language, and Attack type  Attack Payloads:  information leakage  OS command injection  directory listings  directory traversals  source exposure  file upload bypass  XSS  SQL injection and more. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
 Response Analysis –  predictable strings.  interesting error messages.  lists of common Session ID cookie names, and more.  Other useful stuff –  Webshells.  common password and username lists, and some handy wordlists.  Documentation –  Helpful documentation and cheat-sheets sourced from around the web that are relevant to the payload categories are also provided. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
 The sets of payloads currently built in to open source fuzzing and scanning software are poorly representative of the total body of potential attack patterns.  Commercial scanners are a bit better, but not much. However, commercial tools also have a downside, in that that they tend to lock these patterns away in obfuscated binaries.  Furthermore, it's impossible for a human pentester to encounter and memorize all permutations of the meta characters and hex encoding likely to cause error conditions to arise. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
 FuzzDB was created to aggregate all known attack payloads and common predictable resource names into usable fuzzer payload lists, categorized by function and platform, and make them freely available under an Open Source license. It is immediately usable by web application penetration testers and security researchers. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
Lots of hours of research while performing penetration tests:  analysis of default app installs  analysis of system and application documentation  analysis of error messages  researching old web exploits for repeatable attack strings  scraping scanner patterns from http logs  various books, articles, blog posts, mailing list threads  patterns gleaned from other open source fuzzers and pentest tools FuzzDB is like an open source web application security scanner, without the scanner. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
 Burp Proxy's intruder module  Incorporate the patterns into Open Source software, or into your own commercial product. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
Fuzz DB

Recommended

Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009ClubHack
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & DefenseBlueinfy Solutions
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGMuH4f1Z
 
OpenGL ES based UI Development on TI Platforms
OpenGL ES based UI Development on TI PlatformsOpenGL ES based UI Development on TI Platforms
OpenGL ES based UI Development on TI PlatformsPrabindh Sundareson
 
Transactional learning and simulations: how far can we go in professional leg...
Transactional learning and simulations: how far can we go in professional leg...Transactional learning and simulations: how far can we go in professional leg...
Transactional learning and simulations: how far can we go in professional leg...York University - Osgoode Hall Law School
 
ニコニコ動画でのHTML5
ニコニコ動画でのHTML5ニコニコ動画でのHTML5
ニコニコ動画でのHTML5Sho KUSANO
 
Bailey capítulo-6
Bailey capítulo-6Bailey capítulo-6
Bailey capítulo-6Ricardo DE Oliveira Ribeiro
 
Earth moon statistics
Earth moon statisticsEarth moon statistics
Earth moon statisticsRanjeet Dubey
 

Recommended

Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009ClubHack
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & DefenseBlueinfy Solutions
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGMuH4f1Z
 
OpenGL ES based UI Development on TI Platforms
OpenGL ES based UI Development on TI PlatformsOpenGL ES based UI Development on TI Platforms
OpenGL ES based UI Development on TI PlatformsPrabindh Sundareson
 
Transactional learning and simulations: how far can we go in professional leg...
Transactional learning and simulations: how far can we go in professional leg...Transactional learning and simulations: how far can we go in professional leg...
Transactional learning and simulations: how far can we go in professional leg...York University - Osgoode Hall Law School
 
ニコニコ動画でのHTML5
ニコニコ動画でのHTML5ニコニコ動画でのHTML5
ニコニコ動画でのHTML5Sho KUSANO
 
Bailey capítulo-6
Bailey capítulo-6Bailey capítulo-6
Bailey capítulo-6Ricardo DE Oliveira Ribeiro
 
Earth moon statistics
Earth moon statisticsEarth moon statistics
Earth moon statisticsRanjeet Dubey
 
Ghgfgf
GhgfgfGhgfgf
Ghgfgfseries77
 
jQuery: Events, Animation, Ajax
jQuery: Events, Animation, AjaxjQuery: Events, Animation, Ajax
jQuery: Events, Animation, AjaxConstantin Titarenko
 
ePortfolio@LaGuardia Community College:What, Why and How
ePortfolio@LaGuardia Community College:What, Why and HowePortfolio@LaGuardia Community College:What, Why and How
ePortfolio@LaGuardia Community College:What, Why and Howpstadlerctl
 
Thermal Management And Sd0802 C Presentation
Thermal Management And Sd0802 C PresentationThermal Management And Sd0802 C Presentation
Thermal Management And Sd0802 C Presentationsforman1
 
case study on bride burning
case study on bride burningcase study on bride burning
case study on bride burningPriyansha Gupta
 
Design for Social Sharing Workshop
Design for Social Sharing WorkshopDesign for Social Sharing Workshop
Design for Social Sharing WorkshopRashmi Sinha
 
Top 8 chief business development officer resume samples
Top 8 chief business development officer resume samplesTop 8 chief business development officer resume samples
Top 8 chief business development officer resume samplesporichfergu
 
srthsrth
srthsrthsrthsrth
srthsrthnn2141485
 
Well known magazine name analysis
Well known magazine name analysisWell known magazine name analysis
Well known magazine name analysisshaunWhelan
 
Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...
Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...
Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...Rian vebrianto
 
Wikihow howtomakespaghetti
Wikihow howtomakespaghettiWikihow howtomakespaghetti
Wikihow howtomakespaghettiopeyemiatilola1992
 
Sainico & Warom - LED Catalog
Sainico & Warom - LED CatalogSainico & Warom - LED Catalog
Sainico & Warom - LED Catalogsainico
 
Top Thirty Global Media Owners 2014
Top Thirty Global Media Owners 2014Top Thirty Global Media Owners 2014
Top Thirty Global Media Owners 2014Performics
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suitejasonhaddix
 
Dive in burpsuite
Dive in burpsuiteDive in burpsuite
Dive in burpsuiteNadim Kadiwala
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)JAINAM KAPADIYA
 
csmalware_malware
csmalware_malwarecsmalware_malware
csmalware_malwareJoshua Saxe
 
Analysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security VulnerabilitiesAnalysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security VulnerabilitiesKaashivInfoTech Company
 
Lis4774.term paper part_a.cyber_eagles
Lis4774.term paper part_a.cyber_eaglesLis4774.term paper part_a.cyber_eagles
Lis4774.term paper part_a.cyber_eaglesAlexisHarvey8
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsRahul Mohandas
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introductionMostafa Abdel-sallam
 

More Related Content

Viewers also liked

ePortfolio@LaGuardia Community College:What, Why and How
ePortfolio@LaGuardia Community College:What, Why and HowePortfolio@LaGuardia Community College:What, Why and How
ePortfolio@LaGuardia Community College:What, Why and Howpstadlerctl
 
Thermal Management And Sd0802 C Presentation
Thermal Management And Sd0802 C PresentationThermal Management And Sd0802 C Presentation
Thermal Management And Sd0802 C Presentationsforman1
 
case study on bride burning
case study on bride burningcase study on bride burning
case study on bride burningPriyansha Gupta
 
Design for Social Sharing Workshop
Design for Social Sharing WorkshopDesign for Social Sharing Workshop
Design for Social Sharing WorkshopRashmi Sinha
 
Top 8 chief business development officer resume samples
Top 8 chief business development officer resume samplesTop 8 chief business development officer resume samples
Top 8 chief business development officer resume samplesporichfergu
 
Well known magazine name analysis
Well known magazine name analysisWell known magazine name analysis
Well known magazine name analysisshaunWhelan
 
Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...
Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...
Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...Rian vebrianto
 
Sainico & Warom - LED Catalog
Sainico & Warom - LED CatalogSainico & Warom - LED Catalog
Sainico & Warom - LED Catalogsainico
 
Top Thirty Global Media Owners 2014
Top Thirty Global Media Owners 2014Top Thirty Global Media Owners 2014
Top Thirty Global Media Owners 2014Performics
 

Viewers also liked (13)

Ghgfgf
GhgfgfGhgfgf
Ghgfgf
 
jQuery: Events, Animation, Ajax
jQuery: Events, Animation, AjaxjQuery: Events, Animation, Ajax
jQuery: Events, Animation, Ajax
 
ePortfolio@LaGuardia Community College:What, Why and How
ePortfolio@LaGuardia Community College:What, Why and HowePortfolio@LaGuardia Community College:What, Why and How
ePortfolio@LaGuardia Community College:What, Why and How
 
Thermal Management And Sd0802 C Presentation
Thermal Management And Sd0802 C PresentationThermal Management And Sd0802 C Presentation
Thermal Management And Sd0802 C Presentation
 
case study on bride burning
case study on bride burningcase study on bride burning
case study on bride burning
 
Design for Social Sharing Workshop
Design for Social Sharing WorkshopDesign for Social Sharing Workshop
Design for Social Sharing Workshop
 
Top 8 chief business development officer resume samples
Top 8 chief business development officer resume samplesTop 8 chief business development officer resume samples
Top 8 chief business development officer resume samples
 
srthsrth
srthsrthsrthsrth
srthsrth
 
Well known magazine name analysis
Well known magazine name analysisWell known magazine name analysis
Well known magazine name analysis
 
Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...
Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...
Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...
 
Wikihow howtomakespaghetti
Wikihow howtomakespaghettiWikihow howtomakespaghetti
Wikihow howtomakespaghetti
 
Sainico & Warom - LED Catalog
Sainico & Warom - LED CatalogSainico & Warom - LED Catalog
Sainico & Warom - LED Catalog
 
Top Thirty Global Media Owners 2014
Top Thirty Global Media Owners 2014Top Thirty Global Media Owners 2014
Top Thirty Global Media Owners 2014
 

Similar to Fuzz DB

Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suitejasonhaddix
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
csmalware_malware
csmalware_malwarecsmalware_malware
csmalware_malwareJoshua Saxe
 
Analysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security VulnerabilitiesAnalysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security VulnerabilitiesKaashivInfoTech Company
 
Lis4774.term paper part_a.cyber_eagles
Lis4774.term paper part_a.cyber_eaglesLis4774.term paper part_a.cyber_eagles
Lis4774.term paper part_a.cyber_eaglesAlexisHarvey8
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsRahul Mohandas
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introductionMostafa Abdel-sallam
 
Top 10 Web Vulnerability Scanners
Top 10 Web Vulnerability ScannersTop 10 Web Vulnerability Scanners
Top 10 Web Vulnerability Scannerswensheng wei
 
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzingDEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzingFelipe Prado
 
The return of an old enemy
The return of an old enemyThe return of an old enemy
The return of an old enemyDonSchado
 
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
[null]Metapwn - Pwn at a puff by Prajwal PanchmahalkarPrajwal Panchmahalkar
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersPVS-Studio
 
Vulners: Google for hackers
Vulners: Google for hackersVulners: Google for hackers
Vulners: Google for hackersKirill Ermakov
 
Analysis of field data on web security vulnerabilities
Analysis of field data on web security vulnerabilities Analysis of field data on web security vulnerabilities
Analysis of field data on web security vulnerabilities Papitha Velumani
 
BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...BlueHat Security Conference
 
What's new in​ CEHv11?
What's new in​ CEHv11?What's new in​ CEHv11?
What's new in​ CEHv11?EC-Council
 

Similar to Fuzz DB (20)

Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
 
Dive in burpsuite
Dive in burpsuiteDive in burpsuite
Dive in burpsuite
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)
 
csmalware_malware
csmalware_malwarecsmalware_malware
csmalware_malware
 
Analysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security VulnerabilitiesAnalysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security Vulnerabilities
 
Lis4774.term paper part_a.cyber_eagles
Lis4774.term paper part_a.cyber_eaglesLis4774.term paper part_a.cyber_eagles
Lis4774.term paper part_a.cyber_eagles
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware Kits
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introduction
 
Top 10 Web Vulnerability Scanners
Top 10 Web Vulnerability ScannersTop 10 Web Vulnerability Scanners
Top 10 Web Vulnerability Scanners
 
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzingDEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing
 
The return of an old enemy
The return of an old enemyThe return of an old enemy
The return of an old enemy
 
Metapwn
MetapwnMetapwn
Metapwn
 
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
 
Burp documentation
Burp documentationBurp documentation
Burp documentation
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzers
 
Vulners: Google for hackers
Vulners: Google for hackersVulners: Google for hackers
Vulners: Google for hackers
 
Analysis of field data on web security vulnerabilities
Analysis of field data on web security vulnerabilities Analysis of field data on web security vulnerabilities
Analysis of field data on web security vulnerabilities
 
BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...
 
What's new in​ CEHv11?
What's new in​ CEHv11?What's new in​ CEHv11?
What's new in​ CEHv11?
 

More from n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...anjaliyadav012327
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 

Recently uploaded (20)

The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 

Fuzz DB

  • 1. Attack and Discovery Pattern Database for Application Fuzz Testing Sajith Shetty
  • 2.  Definition  Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi- malformed data injection in an automated fashion. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 3. fuzzdb is an open source database of attack patterns, predictable resource names, regex patterns for identifying interesting server responses, and documentation resources. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 5.  Predictable Resource Locations –  Sorted by platform type, language, and application, making brute force testing less brutish. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 6. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 7.  Attack Patterns –  Categorized by :  Platform, Language, and Attack type  Attack Payloads:  information leakage  OS command injection  directory listings  directory traversals  source exposure  file upload bypass  XSS  SQL injection and more. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 8. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 9.  Response Analysis –  predictable strings.  interesting error messages.  lists of common Session ID cookie names, and more.  Other useful stuff –  Webshells.  common password and username lists, and some handy wordlists.  Documentation –  Helpful documentation and cheat-sheets sourced from around the web that are relevant to the payload categories are also provided. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 10. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 11.  The sets of payloads currently built in to open source fuzzing and scanning software are poorly representative of the total body of potential attack patterns.  Commercial scanners are a bit better, but not much. However, commercial tools also have a downside, in that that they tend to lock these patterns away in obfuscated binaries.  Furthermore, it's impossible for a human pentester to encounter and memorize all permutations of the meta characters and hex encoding likely to cause error conditions to arise. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 12.  FuzzDB was created to aggregate all known attack payloads and common predictable resource names into usable fuzzer payload lists, categorized by function and platform, and make them freely available under an Open Source license. It is immediately usable by web application penetration testers and security researchers. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 13. Lots of hours of research while performing penetration tests:  analysis of default app installs  analysis of system and application documentation  analysis of error messages  researching old web exploits for repeatable attack strings  scraping scanner patterns from http logs  various books, articles, blog posts, mailing list threads  patterns gleaned from other open source fuzzers and pentest tools FuzzDB is like an open source web application security scanner, without the scanner. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 14.  Burp Proxy's intruder module  Incorporate the patterns into Open Source software, or into your own commercial product. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 15. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 16. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing