Dailydave mailing list archives
Re: sfuzz released
From: Aaron <apconole () yahoo com>
Date: Tue, 10 Mar 2009 07:14:18 -0700 (PDT)
I'm not sure what you're saying? I could be an idiot, but are you implying that regardless of technology black box testing is useless? I'll have to respectfully disagree there. If you deploy a service, any service, then your users WILL be treating it like a black box. It doesn't matter if those users are the general public or if your product has nothing to do with web apps (maybe it's a corporate database); testing it in this manner is much more time saving than having to run through line by line. As far as only testing WAF, the scripts that it has may not currently be "good enough" for testing a web app firewall. However, this can test more than just the integrity of your WAF (which we can probably all agree is useful anyway to verify that the firewall has no bugs). I'm using it for a different service at work entirely.
> For example, the core rule of mod_security dropped all the attempts of sfuzz. Just for putting another eye on the matter.
The point of the basic files was just to be examples =) I'm glad they're bad though... shows how much I really know about security/pentesting. Feel free to add any strings you think might _not_ be caught, or test cases you think might be useful and try again. Lord knows 0.1 is only a first blush at something.

Anyway, this was released in the hopes that someone might derive some benefit from it, besides myself. I had to release it openly if I ever wanted to use it on a side project so I figured I might as well let people know about it while I did it.

-Aaron

________________________________
From: yersinia <yersinia.spiros () gmail com>
To: Aaron <apconole () yahoo com>
Cc: dailydave () lists immunitysec com
Sent: Tuesday, March 10, 2009 4:40:48 AM
Subject: Re: [Dailydave] sfuzz released

On Mon, Mar 9, 2009 at 4:43 PM, Aaron <apconole () yahoo com> wrote:

> Hello security people,
>
> In the course of doing some work at my current place of employment, it has become necessary for us to do some SQA / blackbox testing, and while my first reach may have been SPIKE, alas our SQA folks don't have the time/patience/whatever to be able to build solid cases with it. So, doing what any good doobie does, I wrote a fuzzer that should be able to allow testing of commandline options, network processes, etc, called simple fuzzer. It can be found at http://aconole.brad-x.com/programs/sfuzz.html . It's reminiscent of easyfuzz from priest (whatever happened to those guys?).
>
> Hopefully, someone can find some use for it as a first-line fuzzer to be used in conjunction with SPIKE and other fuzzers.

As more and more users begin to use WAFs such as mod_security and the like (in negative and positive model), fuzzers such as sfuzz begin to be useless. For example, the core rule of mod_security dropped all the attempts of sfuzz. Just for putting another eye on the matter.

Best Regards
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave