Tuesday, 27 April 2010
FuzzDB – Pentest using comprehensive attack patterns
Do you like this story?
Too much new software is vulnerable to the attack sequences of yesteryear. This suggests a testing approach: a comprehensive set of known attack pattern sequences can be leveraged for use in targeted fuzzing when testing for exploitable conditions in new applications.Fuzzdb is a comprehensive set of known attack pattern sequences, predictable locations, and error messages for intelligent brute force testing and exploit condition identification of web applications.
Many mechanisms of attack used to exploit different web server platforms and applications are triggered by particular meta-characters that are observed in more than one product security advisory. fuzzdb is a database attack patterns known to have caused exploit conditions in the past, categorized by attack type, platform, and application.
Because of the popularity of a small number of server types, platforms, and package formats, resources such as logfiles and administrative directories are typically located in a small number of predictable locations. A comprehensive database of these, sorted by platform type, makes brute force fuzz testing a scalpel-like approach.
Since system errors contain predictable strings, fuzzdb contains lists of error messages to be pattern matched against server output in order to aid detection software security defects.
Primary sources used for attack pattern research:
- researching old web exploits for repeatable attack strings
- scraping scanner patterns from http logs
- various books, articles, blog posts, mailing list threads
- patterns gleaned from other open source fuzzers and pentest tools
- analysis of default app installs
- system and application documentation
- error messages
It’s like a non-automated open source scanner without the scanner. You can download fuzzdb v1.06 here:
Check out via svn: svn checkout
http://fuzzdb.googlecode.com/svn/trunk/ fuzzdb-read-only
Also..to keep FuzzDB updated,type
svn update
to pull the latest updates.
Like This post ? You can buy me a Beer :)
Posted by XERO. ALL RIGHTS RESERVED.
This post was written by: Rishabh Dangwal
Rishabh Dangwal is a no-nonsense network geek who likes to play retro games and emulators in free time. Follow him on Twitter
0 Responses to “FuzzDB – Pentest using comprehensive attack patterns”
Post a Comment