SlideShare a Scribd company logo

Fuzz DB

n|u - The Open Security Community
n|u - The Open Security Community

null Trivandrum Chapter - August 2013 Meet

EducationTechnology
1 of 17
Download to read offline
Attack and Discovery Pattern Database for Application Fuzz Testing Sajith Shetty
 Definition  Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi- malformed data injection in an automated fashion. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
fuzzdb is an open source database of attack patterns, predictable resource names, regex patterns for identifying interesting server responses, and documentation resources. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
Presentation title
 Predictable Resource Locations –  Sorted by platform type, language, and application, making brute force testing less brutish. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
 Attack Patterns –  Categorized by :  Platform, Language, and Attack type  Attack Payloads:  information leakage  OS command injection  directory listings  directory traversals  source exposure  file upload bypass  XSS  SQL injection and more. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
 Response Analysis –  predictable strings.  interesting error messages.  lists of common Session ID cookie names, and more.  Other useful stuff –  Webshells.  common password and username lists, and some handy wordlists.  Documentation –  Helpful documentation and cheat-sheets sourced from around the web that are relevant to the payload categories are also provided. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
 The sets of payloads currently built in to open source fuzzing and scanning software are poorly representative of the total body of potential attack patterns.  Commercial scanners are a bit better, but not much. However, commercial tools also have a downside, in that that they tend to lock these patterns away in obfuscated binaries.  Furthermore, it's impossible for a human pentester to encounter and memorize all permutations of the meta characters and hex encoding likely to cause error conditions to arise. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
 FuzzDB was created to aggregate all known attack payloads and common predictable resource names into usable fuzzer payload lists, categorized by function and platform, and make them freely available under an Open Source license. It is immediately usable by web application penetration testers and security researchers. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
Lots of hours of research while performing penetration tests:  analysis of default app installs  analysis of system and application documentation  analysis of error messages  researching old web exploits for repeatable attack strings  scraping scanner patterns from http logs  various books, articles, blog posts, mailing list threads  patterns gleaned from other open source fuzzers and pentest tools FuzzDB is like an open source web application security scanner, without the scanner. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
 Burp Proxy's intruder module  Incorporate the patterns into Open Source software, or into your own commercial product. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
Fuzz DB

Recommended

Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009ClubHack
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & DefenseBlueinfy Solutions
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGMuH4f1Z
 
OpenGL ES based UI Development on TI Platforms
OpenGL ES based UI Development on TI PlatformsOpenGL ES based UI Development on TI Platforms
OpenGL ES based UI Development on TI PlatformsPrabindh Sundareson
 
Transactional learning and simulations: how far can we go in professional leg...
Transactional learning and simulations: how far can we go in professional leg...Transactional learning and simulations: how far can we go in professional leg...
Transactional learning and simulations: how far can we go in professional leg...York University - Osgoode Hall Law School
 
ニコニコ動画でのHTML5
ニコニコ動画でのHTML5ニコニコ動画でのHTML5
ニコニコ動画でのHTML5Sho KUSANO
 
Bailey capítulo-6
Bailey capítulo-6Bailey capítulo-6
Bailey capítulo-6Ricardo DE Oliveira Ribeiro
 
Earth moon statistics
Earth moon statisticsEarth moon statistics
Earth moon statisticsRanjeet Dubey
 

Recommended

Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009ClubHack
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & DefenseBlueinfy Solutions
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGMuH4f1Z
 
OpenGL ES based UI Development on TI Platforms
OpenGL ES based UI Development on TI PlatformsOpenGL ES based UI Development on TI Platforms
OpenGL ES based UI Development on TI PlatformsPrabindh Sundareson
 
Transactional learning and simulations: how far can we go in professional leg...
Transactional learning and simulations: how far can we go in professional leg...Transactional learning and simulations: how far can we go in professional leg...
Transactional learning and simulations: how far can we go in professional leg...York University - Osgoode Hall Law School
 
ニコニコ動画でのHTML5
ニコニコ動画でのHTML5ニコニコ動画でのHTML5
ニコニコ動画でのHTML5Sho KUSANO
 
Bailey capítulo-6
Bailey capítulo-6Bailey capítulo-6
Bailey capítulo-6Ricardo DE Oliveira Ribeiro
 
Earth moon statistics
Earth moon statisticsEarth moon statistics
Earth moon statisticsRanjeet Dubey
 
Ghgfgf
GhgfgfGhgfgf
Ghgfgfseries77
 
jQuery: Events, Animation, Ajax
jQuery: Events, Animation, AjaxjQuery: Events, Animation, Ajax
jQuery: Events, Animation, AjaxConstantin Titarenko
 
ePortfolio@LaGuardia Community College:What, Why and How
ePortfolio@LaGuardia Community College:What, Why and HowePortfolio@LaGuardia Community College:What, Why and How
ePortfolio@LaGuardia Community College:What, Why and Howpstadlerctl
 
Thermal Management And Sd0802 C Presentation
Thermal Management And Sd0802 C PresentationThermal Management And Sd0802 C Presentation
Thermal Management And Sd0802 C Presentationsforman1
 
case study on bride burning
case study on bride burningcase study on bride burning
case study on bride burningPriyansha Gupta
 
Design for Social Sharing Workshop
Design for Social Sharing WorkshopDesign for Social Sharing Workshop
Design for Social Sharing WorkshopRashmi Sinha
 
Top 8 chief business development officer resume samples
Top 8 chief business development officer resume samplesTop 8 chief business development officer resume samples
Top 8 chief business development officer resume samplesporichfergu
 
srthsrth
srthsrthsrthsrth
srthsrthnn2141485
 
Well known magazine name analysis
Well known magazine name analysisWell known magazine name analysis
Well known magazine name analysisshaunWhelan
 
Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...
Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...
Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...Rian vebrianto
 
Wikihow howtomakespaghetti
Wikihow howtomakespaghettiWikihow howtomakespaghetti
Wikihow howtomakespaghettiopeyemiatilola1992
 
Sainico & Warom - LED Catalog
Sainico & Warom - LED CatalogSainico & Warom - LED Catalog
Sainico & Warom - LED Catalogsainico
 
Top Thirty Global Media Owners 2014
Top Thirty Global Media Owners 2014Top Thirty Global Media Owners 2014
Top Thirty Global Media Owners 2014Performics
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suitejasonhaddix
 
Dive in burpsuite
Dive in burpsuiteDive in burpsuite
Dive in burpsuiteNadim Kadiwala
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)JAINAM KAPADIYA
 
csmalware_malware
csmalware_malwarecsmalware_malware
csmalware_malwareJoshua Saxe
 
Analysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security VulnerabilitiesAnalysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security VulnerabilitiesKaashivInfoTech Company
 
Lis4774.term paper part_a.cyber_eagles
Lis4774.term paper part_a.cyber_eaglesLis4774.term paper part_a.cyber_eagles
Lis4774.term paper part_a.cyber_eaglesAlexisHarvey8
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsRahul Mohandas
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introductionMostafa Abdel-sallam
 

More Related Content

Viewers also liked

ePortfolio@LaGuardia Community College:What, Why and How
ePortfolio@LaGuardia Community College:What, Why and HowePortfolio@LaGuardia Community College:What, Why and How
ePortfolio@LaGuardia Community College:What, Why and Howpstadlerctl
 
Thermal Management And Sd0802 C Presentation
Thermal Management And Sd0802 C PresentationThermal Management And Sd0802 C Presentation
Thermal Management And Sd0802 C Presentationsforman1
 
case study on bride burning
case study on bride burningcase study on bride burning
case study on bride burningPriyansha Gupta
 
Design for Social Sharing Workshop
Design for Social Sharing WorkshopDesign for Social Sharing Workshop
Design for Social Sharing WorkshopRashmi Sinha
 
Top 8 chief business development officer resume samples
Top 8 chief business development officer resume samplesTop 8 chief business development officer resume samples
Top 8 chief business development officer resume samplesporichfergu
 
Well known magazine name analysis
Well known magazine name analysisWell known magazine name analysis
Well known magazine name analysisshaunWhelan
 
Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...
Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...
Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...Rian vebrianto
 
Sainico & Warom - LED Catalog
Sainico & Warom - LED CatalogSainico & Warom - LED Catalog
Sainico & Warom - LED Catalogsainico
 
Top Thirty Global Media Owners 2014
Top Thirty Global Media Owners 2014Top Thirty Global Media Owners 2014
Top Thirty Global Media Owners 2014Performics
 

Viewers also liked (13)

Ghgfgf
GhgfgfGhgfgf
Ghgfgf
 
jQuery: Events, Animation, Ajax
jQuery: Events, Animation, AjaxjQuery: Events, Animation, Ajax
jQuery: Events, Animation, Ajax
 
ePortfolio@LaGuardia Community College:What, Why and How
ePortfolio@LaGuardia Community College:What, Why and HowePortfolio@LaGuardia Community College:What, Why and How
ePortfolio@LaGuardia Community College:What, Why and How
 
Thermal Management And Sd0802 C Presentation
Thermal Management And Sd0802 C PresentationThermal Management And Sd0802 C Presentation
Thermal Management And Sd0802 C Presentation
 
case study on bride burning
case study on bride burningcase study on bride burning
case study on bride burning
 
Design for Social Sharing Workshop
Design for Social Sharing WorkshopDesign for Social Sharing Workshop
Design for Social Sharing Workshop
 
Top 8 chief business development officer resume samples
Top 8 chief business development officer resume samplesTop 8 chief business development officer resume samples
Top 8 chief business development officer resume samples
 
srthsrth
srthsrthsrthsrth
srthsrth
 
Well known magazine name analysis
Well known magazine name analysisWell known magazine name analysis
Well known magazine name analysis
 
Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...
Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...
Rian vebrianto brunai (PEMBANGUNAN MEDIA PENGAJARAN: MODUL DAN MULTIMEDIA DA...
 
Wikihow howtomakespaghetti
Wikihow howtomakespaghettiWikihow howtomakespaghetti
Wikihow howtomakespaghetti
 
Sainico & Warom - LED Catalog
Sainico & Warom - LED CatalogSainico & Warom - LED Catalog
Sainico & Warom - LED Catalog
 
Top Thirty Global Media Owners 2014
Top Thirty Global Media Owners 2014Top Thirty Global Media Owners 2014
Top Thirty Global Media Owners 2014
 

Similar to Fuzz DB

Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suitejasonhaddix
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
csmalware_malware
csmalware_malwarecsmalware_malware
csmalware_malwareJoshua Saxe
 
Analysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security VulnerabilitiesAnalysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security VulnerabilitiesKaashivInfoTech Company
 
Lis4774.term paper part_a.cyber_eagles
Lis4774.term paper part_a.cyber_eaglesLis4774.term paper part_a.cyber_eagles
Lis4774.term paper part_a.cyber_eaglesAlexisHarvey8
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsRahul Mohandas
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introductionMostafa Abdel-sallam
 
Top 10 Web Vulnerability Scanners
Top 10 Web Vulnerability ScannersTop 10 Web Vulnerability Scanners
Top 10 Web Vulnerability Scannerswensheng wei
 
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzingDEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzingFelipe Prado
 
The return of an old enemy
The return of an old enemyThe return of an old enemy
The return of an old enemyDonSchado
 
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
[null]Metapwn - Pwn at a puff by Prajwal PanchmahalkarPrajwal Panchmahalkar
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersPVS-Studio
 
Vulners: Google for hackers
Vulners: Google for hackersVulners: Google for hackers
Vulners: Google for hackersKirill Ermakov
 
Analysis of field data on web security vulnerabilities
Analysis of field data on web security vulnerabilities Analysis of field data on web security vulnerabilities
Analysis of field data on web security vulnerabilities Papitha Velumani
 
BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...BlueHat Security Conference
 
What's new in​ CEHv11?
What's new in​ CEHv11?What's new in​ CEHv11?
What's new in​ CEHv11?EC-Council
 

Similar to Fuzz DB (20)

Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
 
Dive in burpsuite
Dive in burpsuiteDive in burpsuite
Dive in burpsuite
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)
 
csmalware_malware
csmalware_malwarecsmalware_malware
csmalware_malware
 
Analysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security VulnerabilitiesAnalysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security Vulnerabilities
 
Lis4774.term paper part_a.cyber_eagles
Lis4774.term paper part_a.cyber_eaglesLis4774.term paper part_a.cyber_eagles
Lis4774.term paper part_a.cyber_eagles
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware Kits
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introduction
 
Top 10 Web Vulnerability Scanners
Top 10 Web Vulnerability ScannersTop 10 Web Vulnerability Scanners
Top 10 Web Vulnerability Scanners
 
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzingDEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing
 
The return of an old enemy
The return of an old enemyThe return of an old enemy
The return of an old enemy
 
Metapwn
MetapwnMetapwn
Metapwn
 
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar
 
Burp documentation
Burp documentationBurp documentation
Burp documentation
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzers
 
Vulners: Google for hackers
Vulners: Google for hackersVulners: Google for hackers
Vulners: Google for hackers
 
Analysis of field data on web security vulnerabilities
Analysis of field data on web security vulnerabilities Analysis of field data on web security vulnerabilities
Analysis of field data on web security vulnerabilities
 
BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...
 
What's new in​ CEHv11?
What's new in​ CEHv11?What's new in​ CEHv11?
What's new in​ CEHv11?
 

More from n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSCeline George
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.christianmathematics
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfSherif Taha
 
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxCOMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxannathomasp01
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxheathfieldcps1
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Pooja Bhuva
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...Nguyen Thanh Tu Collection
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxPooja Bhuva
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.MaryamAhmad92
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptx21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptxJoelynRubio1
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxDr. Sarita Anand
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxRamakrishna Reddy Bijjam
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxDr. Ravikiran H M Gowda
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024Elizabeth Walsh
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxmarlenawright1
 
Tatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf artsTatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf artsNbelano25
 
latest AZ-104 Exam Questions and Answers
latest AZ-104 Exam Questions and Answerslatest AZ-104 Exam Questions and Answers
latest AZ-104 Exam Questions and Answersdalebeck957
 

Recently uploaded (20)

How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxCOMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptx21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
Tatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf artsTatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf arts
 
latest AZ-104 Exam Questions and Answers
latest AZ-104 Exam Questions and Answerslatest AZ-104 Exam Questions and Answers
latest AZ-104 Exam Questions and Answers
 

Fuzz DB

  • 1. Attack and Discovery Pattern Database for Application Fuzz Testing Sajith Shetty
  • 2.  Definition  Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi- malformed data injection in an automated fashion. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 3. fuzzdb is an open source database of attack patterns, predictable resource names, regex patterns for identifying interesting server responses, and documentation resources. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 5.  Predictable Resource Locations –  Sorted by platform type, language, and application, making brute force testing less brutish. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 6. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 7.  Attack Patterns –  Categorized by :  Platform, Language, and Attack type  Attack Payloads:  information leakage  OS command injection  directory listings  directory traversals  source exposure  file upload bypass  XSS  SQL injection and more. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 8. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 9.  Response Analysis –  predictable strings.  interesting error messages.  lists of common Session ID cookie names, and more.  Other useful stuff –  Webshells.  common password and username lists, and some handy wordlists.  Documentation –  Helpful documentation and cheat-sheets sourced from around the web that are relevant to the payload categories are also provided. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 10. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 11.  The sets of payloads currently built in to open source fuzzing and scanning software are poorly representative of the total body of potential attack patterns.  Commercial scanners are a bit better, but not much. However, commercial tools also have a downside, in that that they tend to lock these patterns away in obfuscated binaries.  Furthermore, it's impossible for a human pentester to encounter and memorize all permutations of the meta characters and hex encoding likely to cause error conditions to arise. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 12.  FuzzDB was created to aggregate all known attack payloads and common predictable resource names into usable fuzzer payload lists, categorized by function and platform, and make them freely available under an Open Source license. It is immediately usable by web application penetration testers and security researchers. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 13. Lots of hours of research while performing penetration tests:  analysis of default app installs  analysis of system and application documentation  analysis of error messages  researching old web exploits for repeatable attack strings  scraping scanner patterns from http logs  various books, articles, blog posts, mailing list threads  patterns gleaned from other open source fuzzers and pentest tools FuzzDB is like an open source web application security scanner, without the scanner. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 14.  Burp Proxy's intruder module  Incorporate the patterns into Open Source software, or into your own commercial product. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 15. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing
  • 16. FuzzBb - Attack and Discovery Pattern Database for Application Fuzz Testing