Mirrors/fuzzdb
2
0
Fork 0
mirror of https://github.com/fuzzdb-project/fuzzdb.git synced 2024-09-20 06:01:57 +00:00
Code Issues Projects Releases Packages Wiki Activity

Migrating wiki contents from Google Code

Browse source
This commit is contained in:
Google Code Exporter 2015-09-10 13:57:03 -04:00
commit 0ce5709205
8 changed files with 257 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
FileUpload.md Normal file
View file

@ -0,0 +1,10 @@
#file upload category docs
# Files #
* [file-ul-filter-bypass-commonly-writable-directories.txt](CommonlyWritableDirs.md)
* [file-ul-filter-bypass-ms-php file-ul-filter-bypass-ms-php.txt]
* [file-ul-filter-bypass-x-platform-php.txt]
* [file-ul-filter-bypass-microsoft-asp.txt]
* [file-ul-filter-bypass-x-platform-generic.txt]
* [file-ul-filter-bypass.readme]

13
OsCmdInj.md Normal file
View file

@ -0,0 +1,13 @@
#OS Command Execution category
# Introduction #
Add your content here.
# Details #
Add your content here. Format your content with:
* Text in **bold** or _italic_
* Headings, paragraphs, and lists
* Automatic links to other wiki pages

107
ProjectHome.md Normal file
View file

@ -0,0 +1,107 @@
NEWS: MOVING TO GITHUB, STAY TUNED FOR FURTHER ANNOUNCEMENTS.
fuzzdb is the most comprehensive Open Source database of malicious inputs, predictable resource names, greppable strings for server response messages, and other resources like web shells.
# Download #
**Preferred method is to check out sources via svn, since new payloads are added frequently**
```
svn checkout http://fuzzdb.googlecode.com/svn/trunk/ fuzzdb-read-only
```
While in the fuzzdb dir, you can update your local repo with the command
```
svn update
```
You can also browse the [fuzzdb svn repo sources](http://code.google.com/p/fuzzdb/source/browse/#svn/trunk).
# What's in fuzzdb? #
**Predictable Resource Locations -**
Because of the popularity of a small number of server types, platforms, and package formats, resources such as [logfiles and administrative directories](http://www.owasp.org/index.php/Forced_browsing) are typically located in a small number of [predictable locations](http://projects.webappsec.org/Predictable-Resource-Location).
FuzzDB contains a comprehensive database of these, sorted by platform type, language, and application, making brute force testing less brutish.
**Attack Patterns -**
Categorized by platform, language, and attack type, malicious and malformed inputs known to cause information leakage and exploitation have been collected into sets of test cases.
FuzzDB contains comprehensive lists of [attack payloads](http://code.google.com/p/fuzzdb/source/browse/#svn/trunk/attack-payloads) known to cause issues like OS command injection, directory listings, directory traversals, source exposure, file upload bypass, authentication bypass, http header crlf injections, and more.
**Response Analysis -**
Since system responses also contain predictable strings, fuzzdb contains a [set of regex pattern dictionaries](http://code.google.com/p/fuzzdb/wiki/regexerrors) such as interesting error messages to aid detection software security defects, lists of common Session ID cookie names, and more.
**Other useful stuff -**
Webshells, common password and username lists, and some handy wordlists.
**Documentation -**
Helpful documentation and cheatsheets sourced from around the web that are relevant to the payload categories are also provided.
# Why was fuzzdb created? #
The sets of payloads currently built in to open source fuzzing and scanning software are poorly representative of the total body of potential attack patterns. Commercial scanners are a bit better, but not much. However, commercial tools also have a downside, in that that they tend to lock these patterns away in obfuscated binaries.
Furthermore, it's impossible for a human pentester to encounter and memorize all permutations of the meta characters and hex encoding likely to cause error conditions to arise.
FuzzDB was created to aggregate all known attack payloads and common predictable resource names into usable fuzzer payload lists, categorized by function and platform, and make them freely available under an Open Source license. It is immediately usable by web application penetration testers and security researchers.
Released under the dual New BSD and Creative Commons by Attribution licenses, FuzzDB can be leveraged to improve the test cases built into open source and commercial testing software.
# How was the data collected? #
Lots of hours of research while performing penetration tests:
* analysis of default app installs
* analysis of system and application documentation
* analysis of error messages
* researching old web exploits for repeatable attack strings
* scraping scanner patterns from http logs
* various books, articles, blog posts, mailing list threads
* patterns gleaned from other open source fuzzers and pentest tools
FuzzDB is like an open source web application security scanner, without the scanner.
# How to Use fuzzdb #
* The most immediate, hands-on way is to use they payload files for web security testing with Burp Proxy's [intruder](http://portswigger.net/intruder/) module. The regex/errors.txt file can be loaded to [pattern match the server responses](http://code.google.com/p/fuzzdb/wiki/regexerrors).
* Use the patterns to test web services.
* Use the patterns as malicious input payloads for testing non-HTTP network aware application with custom fuzzing tools.
* Use the patterns as malicious input payloads for testing GUI or command line software with standard test automation tools.
* Incorporate the patterns into Open Source software, or into your own commercial product.
* Use the patterns in training materials and documentation.
# Latest news #
```
*Post-1.08, new in 1.09:*
* Thanks to lawKnee, new features added to the cfm web shell, and a nifty sql web shell
* The data dir from the tool raft, containing paths extracted from the "disallow" fields from the robots.txt files of 1.7 million websites, presented at BlackHat 2011 (https://raft.googlecode.com/)
* Added new attack payload file os-cmd-execution/OSCommandInject.Windows.fuzz.txt and a case to the unix version of the file that breaks out of regex with a $
* Many more platforms added to discovery, check the svn logs, too many to list here
* /attack-payloads/BizLogic/CommonMethods.fuzz.txt - thanks to Tim Brown and darkraver
* /generic/interesting-files-siteminder.txt - CA Siteminder discovery
* /generic/proxy-conf.txt - Various popular locations for proxy.pac files
* Updated sqli attacks using new filename convention to make it simpler to navigate fuzzdb and include it in other projects, other directories will follow. Thanks to Nathan Hamiel and Marcin Wielgoszewski for prompting me to create the new namespace format. Fixed a few misplaced SQLI test cases thanks to Michael Brooks careful eye.
*Previous updates*
* fuzzdb-1.08.tgz added: command exec cheatsheets for unix and windows, netcat cheatsheet, microsoft sharepoint test cases, file upload filter bypass test cases, invalid microsoft filenames, javascript events, html tags, null byte test cases, updated _readme.txt
* fuzzdb-1.07.tgz Lots more sqli.Discovery patterns of common files containing passwds and common login filenames. (4/28/2010)
* Added more sqli attack and enumeration patterns, reorganized sqli tree, in svn not in tarball yet (4/22/2010)
* Added more web shells (4/20/2010)
* FreeBSD !FreshPorts now carries fuzzdb [http://www.mail-archive.com/cvs-all@freebsd.org/msg166332.html] (4/19/2010)
* Latest version: scrubbed spaces from file and path names for better shell navigation, rearranged files using a functional approach, added the /regex dir containing things you might want to look for on returned pages. Initial checkin contains a large set of error messages and list of common session ID cooke names.(4/17/2010)
```
# Who #
This SVN repository and the files were assembled by Adam Muntner (unix23 @ gmail.com)
The FuzzDB license is New BSD and Creative Commons by Attribution. I want this project to be freely available in order to make the patterns contained within obsolete. If you use this project in your work, research, or commercial product, you are required to cite it. That's it.
fuzzdb (c) Copyright Adam Muntner, 2010-2015
Portions copyrighted by others, see the package and svn checkin comments for details.

22
discovery.md Normal file
View file

@ -0,0 +1,22 @@
#docs for discovery category files
# Files #
* [file upload](FileUpload.md)
* [format strings](FormatStrings.md)
* [http protocol](HttpProtocol.md)
* [IntegerOverflow](IntegerOverflow.md) integer overflow]
* ldap
* misc - payloads
* misc - wordlists
* os directory indexing
* path traversal
* rfi
* server side includes
* source disclosure
* xml
* xpath
* xss
* os command execution
* sql injection
* usernames and passwords

43
othertools.md Normal file
View file

@ -0,0 +1,43 @@
**encoding**
napkin http://www.0x90.org/releases/napkin/
**sqli**
bsql-bf2 http://code.google.com/p/bsqlbf-v2/
web raider http://www.mavitunasecurity.com/blog/webraider/
sqlsus for mysql http://sqlsus.sourceforge.net/index.html
sfx-sqli for ms-sql http://www.kachakil.com/papers/SFX-SQLi-en.htm
sqlbrute - ms-sql and oracle - http://www.justinclarke.com/archives/2006/03/sqlbrute.html
**proxy**
burp suite http://portswigger.net/
cat http://www.contextis.co.uk/resources/tools/cat/
webscarab http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project#Download]
**fuzzer**
owasp Zap https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
burp intruder http://portswigger.net/
jbrofuzz http://sourceforge.net/projects/jbrofuzz/
webscarab http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project#Download
pywebfuzz, a python implementation of fuzzdb, and much more http://code.google.com/p/pywebfuzz/
**other brute force tools**
CMS Explorer (the file patterns are in fuzzdb, but cms-explorer does more than that) http://code.google.com/p/cms-explorer/

17
regexerrors.md Normal file
View file

@ -0,0 +1,17 @@
**in Burp Suite**
Open Burp Suite, go to the Intruder tab, and the Options sub-tab
Look for the section "grep"
Click "clear" to clear the existing listings in the list box
Click "load" and load `regex/errors.txt` from your fuzzdb path, as below
This will search all output pages generated by Intruder payloads for the extensive list of known error strings, for later analysis.
View the contents of `regex/errors.txt`: http://code.google.com/p/fuzzdb/source/browse/trunk/regex/errors.txt
Burp Suite free edition available from: http://portswigger.net/suite/download.html
<img src='http://fuzzdb.googlecode.com/files/burp-intruder-regex-errors.jpg'>

13
thoughts.md Normal file
View file

@ -0,0 +1,13 @@
# Some thoughts behind fuzzdb #
fuzzdb exploits a commonality between many security flaws: predictability. It aims to maximize the population of vulnerabilities found via fuzz testing by aggregating the body of known web application attack strings into a collection of predictable resource names and known malformed data strings. Known server error messages have been aggregated to aid in analysis of test results.
Software standardization means that predictable resource locations are the norm. Platforms like IIS, Cold Fusion, and Apache Tomcat store files that are known to leak information about system configuration in predictable places. Because of the popularity of a small number of package managers, log, configuration, and password files for popular software platforms are likely to be stored in a small number of places. Lists of platform-categorized web scripts that have been mentioned in a vulnerability database, lists of login page names from popular applications, all known compressed file type extensions, and countless other data elements on can be leveraged to turn "brute force" into a highly targeted discovery tool.
While there are mature fuzzing lists available for XSS and SQL Injection, other exploit categories lack such lists. By attempting to document all known permutations of characters that cause a specific exploit condition, fuzzdb creates a set of repeatable test cases for detecting vulnerabilities in new software. The payloads include platform-specific and generic test case patterns for detecting OS command execution, SQL Injection, XSS, CRLF header injection, filetype upload bypass, XML, LFI, RFI, traversals, file and directory contents exposure, and others.
The population of common web application platform types is very small. The error messages that indicate something interesting (from the attacker's perspective) has happened are a known quantity. They have been turned into simple pattern match strings and catalogued in fuzzdb.
# Use Case Example #
Imagine using fuzzdb to find an OS command injection vulnerability. After detecting which data elements are vulnerable, other fuzz payload lists are utilized: The first tries to get a recognizable response to show whether results are returned to the page, or identify that whether the command injection is blind. Another can identify writable directories by the web server, and another will contain things such as series of shell commands designed to test what kinds of egress filtering is in place, by trying to establish connections to a system owned by the tester which is running tcpdump.

32
usagehints.md Normal file
View file

@ -0,0 +1,32 @@
# How-to's and external docs #
**Burp Intruder**
* Security Ninja tutorial for Burp Intruder - http://www.securityninja.co.uk/burp-suite-tutorial-intruder-tool-version-2
* Security Ninja Burp Suite Repeater and Comparer tutorial - http://www.securityninja.co.uk/burp-suite-tutorial-repeater-and-comparer-tools
* How to use fuzzdb's regex/errors.txt in burpsuite intruder to find more bugs http://code.google.com/p/fuzzdb/wiki/regexerrors
* Burp Intruder docs http://portswigger.net/intruder/help.html
* Burp Suite with Google Android Emulator http://cktricky.blogspot.com/2010/04/android-emulator-burpsuite.html
**Web Scarab**
* Script that writes the page to the filesystem http://pentesterconfessions.blogspot.com/2007/12/webscarab-scripting-and-fuzzing.html
* Webscarab Fuzzer docs http://dawes.za.net/rogan/webscarab/docs/fuzzer.html
**File and Directory Discovery**
* Interesting new way to identify directories that exist http://soroush.secproject.com/blog/2010/05/new-method-role-of-the-%E2%80%9C%E2%80%9D-character-in-mapping-the-website-directories/
# Other tools that are useful with fuzzdb #
[Other software useful with fuzzdb](http://code.google.com/p/fuzzdb/wiki/othertools) on their own wiki page
# Other Stuff #
I also maintain a collection of Firefox plugins useful to web app security testers, you can subscribe to the list using the Add-On Collector plugin to make setting up a new browser for testing easy - https://addons.mozilla.org/en-US/firefox/collection/webappsec