Mirrors/fuzzdb
2
0
Fork 0
mirror of https://github.com/fuzzdb-project/fuzzdb.git synced 2024-09-20 06:01:57 +00:00
Code Issues Projects Releases Packages Wiki Activity

add antivirus warning

Browse source
This commit is contained in:
Adam Muntner 2016-09-20 20:02:28 -04:00 committed by GitHub
parent 664e12b813
commit 64a2a707bc
1 changed files with 16 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
README.md
View file

@ -1,5 +1,7 @@
FuzzDB is the most comprehensive dictionary of attack patterns and payload primitives, predictable resource patterns, variants, and more for application security testing and research. FuzzDB is the most comprehensive dictionary of attack patterns and payload primitives, predictable resource patterns, variants, and more for application security testing and research.
Downloading this repository is likely to cause a false-positive alarm by your antivirus or antimalware software, the filepath should be whitelisted. There is nothing in FuzzDB that can harm your computer, as-is.
Official FuzzDB project page: [https://github.com/fuzzdb-project/fuzzdb/](https://github.com/fuzzdb-project/fuzzdb/) Official FuzzDB project page: [https://github.com/fuzzdb-project/fuzzdb/](https://github.com/fuzzdb-project/fuzzdb/)
@ -7,25 +9,24 @@ Official FuzzDB project page: [https://github.com/fuzzdb-project/fuzzdb/](https:
**Attack Patterns -** **Attack Patterns -**
Malicious and malformed strings known to cause information leakage and exploitation, categorized by attack type. Malicious and malformed strings known to cause information leakage and exploitation, categorized by attack type.
FuzzDB contains comprehensive lists of [attack payload](https://github.com/fuzzdb-project/fuzzdb/tree/master/attack-payloads) primitives and variants known to cause issues like OS command injection, directory listings, directory traversals, source exposure, file upload bypass, authentication bypass, XSS, http header crlf injections, SQL injection, NoSQL injection, and more. For example, FuzzDB catalogs 56 variants of byte patterns that can be interpreted as a null byte under different conditions. FuzzDB contains comprehensive lists of [attack payload](https://github.com/fuzzdb-project/fuzzdb/tree/master/attack) primitives and variants known to cause issues like OS command injection, directory listings, directory traversals, source exposure, file upload bypass, authentication bypass, XSS, http header crlf injections, SQL injection, NoSQL injection, and more. For example, FuzzDB catalogs 56 variants of byte patterns that can be interpreted as a null byte under different conditions.<br>
(https://github.com/fuzzdb-project/fuzzdb/tree/master/attack) https://github.com/fuzzdb-project/fuzzdb/tree/master/attack
**Discovery -** **Discovery -**
Because of the popularity of a small number of server types, platforms, and package formats, resources such as [logfiles and administrative directories](http://www.owasp.org/index.php/Forced_browsing) are typically located in a small number of [predictable locations](http://projects.webappsec.org/Predictable-Resource-Location). Because of the popularity of a small number of server types, platforms, and package formats, resources such as [logfiles and administrative directories](http://www.owasp.org/index.php/Forced_browsing) are typically located in a small number of [predictable locations](https://github.com/fuzzdb-project/fuzzdb/tree/master/discovery/predictable-filepaths).
FuzzDB contains a comprehensive database of these, sorted by platform type, language, and application, making brute force testing less brutish. FuzzDB contains a comprehensive database of these, sorted by platform type, language, and application, making brute force testing less brutish.<br>
(https://github.com/fuzzdb-project/fuzzdb/tree/master/discovery/predictable-filepaths) https://github.com/fuzzdb-project/fuzzdb/tree/master/discovery
**Response Analysis -** **Response Analysis -**
Since system responses also contain predictable strings, FuzzDB contains a set of regex pattern dictionaries to match against server responses such as interesting error messages to aid detection software security defects, lists of common Session ID cookie names, regular expressions for credit cards, social security numbers, and more. Since system responses also contain predictable strings, FuzzDB contains a set of regex pattern dictionaries to match against server responses such as interesting error messages to aid detection software security defects, lists of common Session ID cookie names, regular expressions for credit cards, social security numbers, and more.<br>
(https://github.com/fuzzdb-project/fuzzdb/wiki/regexerrors) https://github.com/fuzzdb-project/fuzzdb/tree/master/regex
**Other useful stuff -** **Other useful stuff -**
Webshells, common password and username lists, and some handy wordlists. Webshells, common password and username lists, and some handy wordlists.
(https://github.com/fuzzdb-project/fuzzdb/tree/master/web-backdoors) etc etc etc
**Documentation -** **Documentation -**
Helpful documentation and cheatsheets sourced from around the web that are relevant to the payload categories are also provided. Many directories contain a README.md file with usage notes. Helpful documentation and cheatsheets sourced from around the web that are relevant to the payload categories are also provided. Many directories contain a README.md file with usage notes.<br>
(https://github.com/fuzzdb-project/fuzzdb/tree/master/docs) https://github.com/fuzzdb-project/fuzzdb/tree/master/docs
It's like an open source application security scanner, without the scanner. It's like an open source application security scanner, without the scanner.
@ -43,7 +44,7 @@ Released under the dual New BSD and Creative Commons by Attribution licenses, Fu
# How was the data collected? # # How was the data collected? #
Lots of hours of research while performing penetration tests: Lots of hours of research while performing penetration tests and research:
* analysis of default app installs * analysis of default app installs
* analysis of system and application documentation * analysis of system and application documentation
* analysis of error messages * analysis of error messages
@ -55,11 +56,11 @@ Lots of hours of research while performing penetration tests:
and the input of contributors: https://github.com/fuzzdb-project/fuzzdb/graphs/contributors and the input of contributors: https://github.com/fuzzdb-project/fuzzdb/graphs/contributors
# How to Use fuzzdb # # How to Use FuzzDB #
The most common use case is with HTTP proxy and fuzzing tools such as The most common use case is with HTTP proxy and fuzzing tools such as
* OWASP Zap proxy, for which FuzzDB is available as a plugin. (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project). * OWASP Zap proxy: FuzzDB is available as a plugin. (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project).
* With Burp Proxy's [intruder](http://portswigger.net/intruder/) module. The regex/errors.txt file can be loaded to [pattern match the server responses](https://github.com/fuzzdb-project/fuzzdb/wiki/regexerrors). * With Burp Proxy's [intruder](http://portswigger.net/intruder/) module: The regex/errors.txt file can be loaded to [pattern match the server responses](https://github.com/fuzzdb-project/fuzzdb/wiki/regexerrors).
Other ways fuzzdb is often used: Other ways fuzzdb is often used:
* to test web services * to test web services
@ -94,4 +95,4 @@ While in the FuzzDB dir, you can update your local repo with the command
``` ```
git pull git pull
``` ```
You can also browse the [FuzzDB github sources](https://github.com/fuzzdb-project/fuzzdb/tree/master) and there is always a [zip file](https://github.com/fuzzdb-project/fuzzdb/archive/master.zip) You can also browse the [FuzzDB github sources](https://github.com/fuzzdb-project/fuzzdb/) and there is always a [zip file](https://github.com/fuzzdb-project/fuzzdb/archive/master.zip)