Difference between revisions of "Fuzzer"

From SkullSecurity

Latest revision as of 18:43, 23 June 2008

This is a page for a "fuzzer" I'm considering writing. It doesn't have a name yet.

Features

  • Proxy functionality (HTTP, SOCKS)
  • Different protocols automatically recognized (i.e., raw, HTTP, IRC, RPC, etc.)
    • Manipulation of protocol-specific headers (i.e., adding/removing headers)
    • Abusing the protocol itself (fields and user data)
    • Knowledge of the protocol (i.e., able to update the length field, CRC field, etc., and to store cookies and sessions)
    • Overflows
    • Format strings
    • Injections (SQL, HTML, shell, email, path)
    • Remote file inclusion, ViewState parsing, other language-specific things
  • Data encodings
    • Including invalid ones (broken UTF-8)
  • Validation
    • Common mistakes: phone number, postal code, etc.
  • Spidering
    • Scraping URLs from JavaScript?
    • Forced browsing
  • Queued tests
  • Encode/decode payloads (standard, customized)
  • Multi-page testing (as in, hits certain pages in a certain sequence)
    • State detection (logged in, not logged in -- user-led or automatic ("these pages are logged in, these aren't, what do they have in common?"))
  • User-submitted tests (solving CAPTCHAs when necessary)
  • Diff engine
    • Automatically detect which fields change (has to happen after decoding is done)
  • Page rendering (HTML)
  • Save all tests
    • Save .html/whatever files?
    • Save everything to a DB, attach a web app to view results?
  • Different plugins for different tasks (spider, fuzzer, reporting, etc.)
    • Each can send to the rest (right-click on one or more packets, "send to X")
  • Able to attack both clients and servers (may not be useful on browsers, but could be on other clients (ActiveX, applets, thin clients))
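The "knowledge of the protocol" item above (fixing up the length and CRC fields after a mutation) is what decides whether a mutated message ever gets past framing checks to the code being tested. As an added example that is not part of this page or any SkullSecurity tool, the following Python compares a blind bit-flip mutator with a protocol-aware one on a constructed toy wire format (length, payload, CRC32); the format and the names encode, parse, blind_mutant, aware_mutant and reached are assumptions made here.

```python
import random
import zlib

# Constructed toy wire format (an assumption for this example, not a real protocol):
#   uint16 big-endian payload length | payload | uint32 big-endian CRC32 over (length + payload)
def encode(payload: bytes) -> bytes:
    body = len(payload).to_bytes(2, "big") + payload
    return body + zlib.crc32(body).to_bytes(4, "big")

def parse(msg: bytes) -> bytes:
    """Return the payload, or raise ValueError at whichever framing check fails."""
    length = int.from_bytes(msg[:2], "big")
    if 2 + length + 4 != len(msg):          # also catches truncated messages
        raise ValueError("length mismatch")
    body, crc = msg[:2 + length], int.from_bytes(msg[2 + length:], "big")
    if zlib.crc32(body) != crc:
        raise ValueError("crc mismatch")
    return body[2:]

def mutate_payload(payload: bytes, rng: random.Random) -> bytes:
    """One classic mutation of the user-data part: bit flip, junk insert, truncate, or long string."""
    op = rng.choice(["insert", "truncate", "overflow"] + (["flip"] if payload else []))
    if op == "flip":
        i = rng.randrange(len(payload))
        return payload[:i] + bytes([payload[i] ^ (1 << rng.randrange(8))]) + payload[i + 1:]
    if op == "insert":
        i = rng.randrange(len(payload) + 1)
        return payload[:i] + bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8))) + payload[i:]
    if op == "truncate":
        return payload[:rng.randrange(len(payload) + 1)]
    return payload + b"A" * rng.choice([256, 1024, 4096])   # long-string probe for the overflow item

def blind_mutant(msg: bytes, rng: random.Random) -> bytes:
    """Protocol-unaware: flip one bit anywhere in the message; length and CRC go stale."""
    i = rng.randrange(len(msg))
    return msg[:i] + bytes([msg[i] ^ (1 << rng.randrange(8))]) + msg[i + 1:]

def aware_mutant(msg: bytes, rng: random.Random) -> bytes:
    """Protocol-aware: mutate only the payload, then re-encode so length and CRC are fixed up."""
    return encode(mutate_payload(parse(msg), rng))

def reached(seed_msg: bytes, fn, n: int, seed: int = 1) -> int:
    """How many of n mutants produced by strategy fn get past the framing checks."""
    rng, hits = random.Random(seed), 0
    for _ in range(n):
        try:
            parse(fn(seed_msg, rng))
            hits += 1
        except ValueError:
            pass
    return hits
```

With a seed such as encode(b"USER alice\r\n"), every blind mutant is dropped at the length or CRC check (CRC32 catches any single-bit change), while every protocol-aware mutant reaches the field-handling code.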