Dailydave mailing list archives

Re: sfuzz released


From: Aaron <apconole () yahoo com>
Date: Tue, 10 Mar 2009 07:14:18 -0700 (PDT)

I'm not sure what you're saying? I could be an idiot, but are you implying that regardless of technology black box testing is useless? I'll have to respectfully disagree there.
If you deploy a service, any service, then your users WILL be treating it like a black box. It doesn't matter if those users are the general public or if your product has nothing to do with web apps (maybe it's a corporate database); testing it in this manner is much more time saving than having to run through line by line.

As far as only testing WAF, the scripts that it has may not currently be "good enough" for testing a web app firewall. However, this can test more than just the integrity of your WAF (which we can probably all agree is useful anyway to verify that the firewall has no bugs). I'm using it for a different service at work entirely.


For example, the core rule of mod_security dropped all the attempts of sfuzz. Just for putting another eye on the matter.
The point of the basic files was just to be examples =) I'm glad they're bad though... shows how much I really know about security/pentesting.
Feel free to add any strings you think might _not_ be caught, or test cases you think might be useful and try again. Lord knows 0.1 is only a first blush at something.

Anyway, this was released in the hopes that someone might derive some benefit from it, besides myself. I had to release it openly if I ever wanted to use it on a side project so I figured I might as well let people know about it while I did it.

-Aaron



________________________________
From: yersinia <yersinia.spiros () gmail com>
To: Aaron <apconole () yahoo com>
Cc: dailydave () lists immunitysec com
Sent: Tuesday, March 10, 2009 4:40:48 AM
Subject: Re: [Dailydave] sfuzz released


On Mon, Mar 9, 2009 at 4:43 PM, Aaron <apconole () yahoo com> wrote:

Hello security people,
In the course of doing some work at my current place of employment, it has become necessary for us to do some SQA / blackbox testing, and while my first reach may have been SPIKE, alas our SQA folks don't have the time/patience/whatever to be able to build solid cases with it. So, doing what any good doobie does, I wrote a fuzzer that should be able to allow testing of commandline options, network processes, etc, called simple fuzzer. It can be found at http://aconole.brad-x.com/programs/sfuzz.html . It's reminiscent of easyfuzz from priest (whatever happened to those guys?). Hopefully, someone can find some use for it as a first-line fuzzer to be used in conjunction with SPIKE and other fuzzers.

As more and more users begin to use WAFs such as mod_security and the like (in negative and positive model), fuzzers such as sfuzz begin to be useless. For example, the core rule of mod_security dropped all the attempts of sfuzz. Just for putting another eye on the matter.

Best Regards 



      