WebApp Sec mailing list archives

Re: WebScarab Fuzzer


From: Rogan Dawes <discard () dawes za net>
Date: Sat, 10 Jun 2006 10:58:00 +0200

Jason Murray wrote:
> Is there a better tutorial on how to use the WebScarab Fuzzer than this:
> http://dawes.za.net/rogan/webscarab/docs/fuzzer.html
>
> It does a good high-level overview but leaves out key pieces of information like how the Fuzz Source is specified. I tried using a simple text file but that didn't work.
>
> Also, how do you know if it is even working? I click Start and am told that it started, but how do I know when it finishes? And where would any results be?
>
> I'm on a project where this feature will be of great use to me. I am just a bit green with the tool.
>
> Thanks in advance.


Depending on which version you are using, the fuzz source IS specified by a simple text file (one item per line) or a simplified regular expression (only in more recent versions - not sure if I have made an official release containing this functionality - I've been having trouble logging in to SourceForge to actually make a release).

The idea is that you have one piece of fuzz text per line, then when you create the fuzz source in WebScarab, you should see each item reflected in the list, along with a count showing how many items there are.

When you define the parameters to fuzz, you should see a couple of boxes in the bottom left corner of your screen, showing "Total Requests" and "Current Request". When you hit start, you should see "Current Request" incrementing until it reaches "Total Requests" - 1, at which point it is finished. All of the responses are dumped into the Summary, so you can review them there; however, in more recent versions, there is a fuzzer-specific summary shown in the Fuzzer window, showing the results from the last fuzzer run. This is cleared each time you reset the fuzzer (e.g. by changing parameters, etc.).

You can get the latest version from my website at <http://dawes.za.net/rogan/webscarab/webscarab-installer-20060512-1132.jar>

I'll update my website at some stage to include the above explanation.

Hope this has helped.

Regards,

Rogan
