Fuzzdb takes a different approach:
1. Marrying the excellent Skipfish wordlist with collections of extensions
(every known compressed file extension, common file extensions, a ton of
backup file extensions, etc) and prefixes (variations of copy_of_ etc) for
targeted or super-bruteforce fuzzing
http://code.google.com/p/fuzzdb/source/browse/#svn%2Ftrunk%2FDiscovery%2FFilenameBruteforce
2. Lists of predictable resources, sorted by server type (IIS, tomcat,
glassfish, etc), common apps (sharepoint, sap, cms and themes, etc), and
lots of other stuff.
http://code.google.com/p/fuzzdb/source/browse/#svn%2Ftrunk%2FDiscovery%2FPredictableRes
Any HTTP 4xx status code other than 404 warrants investigation, as does any
5xx code.
Ultimately, if you're testing, find something interesting, and don't have a
good fuzzfile for it, you should be doing some research and making your own
fuzzfiles. This can take the form of downloading OSS software or commercial
evaluation versions, or lacking that, mining tech support websites and docs
for paths, or google dorking. Examples: Not long ago, I found the admin
interface for a commercial product deployed on a client's box with no
easily obtainable eval, thanks to a screenshot in their documentation, which
was available. Some of the predictable resource lists in fuzzdb were created
by google dorking +"index of /" etc.
Be creative, it will pay off...
-a
On May 6, 2011 12:42 PM, "Andre Gironda" <andreg@gmail.com> wrote:
On Fri, May 6, 2011 at 2:02 AM, Brtnik, Vojtech (NL - Amstelveen)
<VBrtnik@deloitte.nl> wrote:
> thi...
Here is similar work, with explanations, done by Mavituna Security:
http://www.mavitunasecurity.com/blog/svn-digger-better-lists-for-forced-browsing/
> 1) what do you get out of using multiple tools? It occurs to me that
running DirBuster (for insta...
I like all of those tools and their concepts. It is tricky trying to
get the results from them without running them in parallel or
serially. I instead suggest to somehow combine their capabilities,
perhaps by writing your own tool that incorporates all of their
capabilities and concepts.
> 2) What do you exactly mean by "run the list through a
single-pane-of-glass tool like Burp"? What...
Burp provides me simplicity and ease of use, as well as familiarity. I
was thinking of importing the list as an Intruder payload set and
configuring a fuzzing position on a single insertion point, such as
the final "/" in http://www.site.com/
-Andre
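The approach described in the two messages above, as an added example that is not code from fuzzdb or from either poster: build the candidate list the fuzzdb way (wordlist x prefixes x extensions), send every candidate at a single insertion point after the final "/" of the base URL, and keep any response whose status is 4xx other than 404 or 5xx for investigation (2xx/3xx hits are reported as found). The word, prefix and extension lists, the site URL and the in-memory responder standing in for the target are all constructed here so the script runs offline; a real run would replace fake_fetch with an HTTP client that returns the status code without following redirects.

```python
"""
Added example, not from fuzzdb or the mailing-list thread.

Forced browsing in the style described in the thread:
  1. candidates(): prefix + word + extension, de-duplicated, order preserved
  2. fuzz(): one insertion point, after the final "/" of the base URL
  3. triage(): 404 is noise; 2xx/3xx is "found"; any other code
     (4xx except 404, all 5xx) is "investigate"
"""
from itertools import product
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample lists; fuzzdb's real files are orders of magnitude larger.
WORDS = ["admin", "backup", "config", "index"]
PREFIXES = ["", "copy_of_", "old_", "_"]
EXTENSIONS = ["", ".php", ".bak", ".zip", ".tar.gz", "~"]


def candidates(words: Iterable[str] = WORDS,
               prefixes: Iterable[str] = PREFIXES,
               extensions: Iterable[str] = EXTENSIONS) -> List[str]:
    """Cartesian product prefix+word+extension, de-duplicated, in order."""
    seen = set()
    out: List[str] = []
    for p, w, e in product(prefixes, words, extensions):
        name = f"{p}{w}{e}"
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def triage(status: int) -> Optional[str]:
    """Map a status code to a triage bucket; None means 'ignore' (404)."""
    if status == 404:
        return None
    if 200 <= status < 400:
        return "found"
    # 4xx other than 404, all 5xx, and anything odd (1xx, unknown codes)
    return "investigate"


def fuzz(base_url: str, names: Iterable[str],
         fetch: Callable[[str], int]) -> List[Tuple[str, int, str]]:
    """Append each candidate after the final '/' of base_url, call
    fetch(url) -> status code, and return (url, status, bucket) for every
    response that is not a 404."""
    if not base_url.endswith("/"):
        base_url += "/"
    hits: List[Tuple[str, int, str]] = []
    for name in names:
        url = base_url + name
        bucket = triage(fetch(url))
        if bucket is not None:
            hits.append((url, fetch(url), bucket))
    return hits


# Constructed offline responder standing in for the target site (hypothetical).
FAKE_SITE: Dict[str, int] = {
    "http://www.site.com/admin": 401,
    "http://www.site.com/config.bak": 403,
    "http://www.site.com/backup.zip": 200,
    "http://www.site.com/index.php": 200,
    "http://www.site.com/copy_of_index.php": 500,
}


def fake_fetch(url: str) -> int:
    """Stand-in for an HTTP client; everything unknown is a clean 404."""
    return FAKE_SITE.get(url, 404)


if __name__ == "__main__":
    for url, status, bucket in fuzz("http://www.site.com/", candidates(), fake_fetch):
        print(f"{status} {bucket:<11} {url}")
```

Before trusting the 404 filter on a real target, request one obviously nonexistent name first: a site that answers every path with 200 or 302 (a "soft 404") turns the whole run into noise, and the baseline status for a random name is what you then need to subtract instead of 404.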
_______________________________________________
The Web Security Mailing List
WebSecurity RSS Feed...