mirror of https://github.com/fuzzdb-project/fuzzdb.git synced 2024-11-10 05:24:12 +00:00

Mirror of https://github.com/fuzzdb-project/fuzzdb

Find a file

Adam Muntner a2a79b4236 Update README.md		2017-01-16 11:07:10 -05:00
attack	Added additional likely method names	2017-01-15 23:52:10 -05:00
discovery	Update SAP.txt	2016-09-21 00:19:34 -04:00
docs	from https://github.com/attackercan/	2016-10-17 09:01:36 -04:00
regex	cross-updating with https://github.com/andresriancho/w3af/blob/master/w3af/plugins/grep/user_defined_regex/example_regexes.txt	2016-09-20 23:25:03 -04:00
web-backdoors	Tiny php remote os commanding backdoor	2016-10-16 15:47:43 -04:00
wordlists-misc	Update wordlist-common-snmp-community-strings.txt	2016-09-21 00:39:57 -04:00
wordlists-user-passwd	Refreshed 3/8/16	2016-03-08 00:11:32 -05:00
_copyright.txt	update date	2016-08-14 22:23:33 -04:00
README.md	Update README.md	2017-01-16 11:07:10 -05:00

README.md

FuzzDB helps dynamic application security testing uncover more likely to uncover issues. It's the first and most comprehensive open dictionary of fault injection patterns, predictable resource locations, and regex for analyzing server responses.

Attack Patterns - FuzzDB contains comprehensive lists of attack payload primitives for fault injection testing. These patterns, categorized by attack and where appropriate platform type, are known to cause issues like OS command injection, directory listings, directory traversals, source exposure, file upload bypass, authentication bypass, XSS, http header crlf injections, SQL injection, NoSQL injection, and more. For example, FuzzDB catalogs 56 patterns that can potentially be interpreted as a null byte and contains lists of commonly used methods such as "get, put, test," and name-value pairs than trigger debug modes.

Discovery - The popularity of standard software packaging distribution formats and installers resulted in resources like logfiles and administrative directories frequently being located in a small number of predictable locations. FuzzDB contains a comprehensive dictionary, sorted by platform type, language, and application, making brute force testing less brutish.
https://github.com/fuzzdb-project/fuzzdb/tree/master/discovery

Response Analysis - Since interesting system responses often consist of predictable strings, FuzzDB contains a set of regex pattern dictionaries that can be matched against server responses to help find software security defects and monitor server responses for regular expressions for regular expressions including credit cards, social security numbers, and more.

Other useful stuff - Webshells, common password and username lists, and some handy wordlists.

Documentation - A collection of original documentation and cheatsheets and documentation collected from different sources. Additionally, many directories contain a README.md file with usage notes.

Usage Hints

https://github.com/fuzzdb-project/fuzzdb/wiki/usagehints

How different people use FuzzDB

FuzzDB is like an application security scanner, without the scanner. Some ways to use FuzzDB:

Website and application service black-box penetration testing with
OWASP Zap proxy's FuzzDB Zap Extension
Burp Proxy's intruder tool and scanner
PappyProxy, a console-based intercepting proxy
To identify interesting service responses using grep patterns for PII, credit card numbers, error messages, and more
Inside custom tools for testing software and application protocols
Crafting security test cases for GUI or command line software with standard test automation tools
Incorporating into other Open Source software or commercial products
In training materials and documentation
To learn about software exploitation techniques
To improve your security testing product or service

Security tools containing FuzzDB in whole or part

OWASP Zap Proxy fuzzdb plugin https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
SecLists https://github.com/danielmiessler/SecLists
TrustedSec Pentesters Framework https://github.com/trustedsec/ptf
Rapid7 Metasploit https://github.com/rapid7/metasploit-framework
Portswigger Burp Suite http://portswigger.net
Protofuzz https://github.com/trailofbits/protofuzz
BlackArch Linux https://www.blackarch.org/
ArchStrike Linux https://archstrike.org/

How were the patterns collected?

Many, many hours of research and pentesting. Also:

analysis of default app installs
analysis of system and application documentation
analysis of error messages
researching old web exploits for repeatable attack strings
scraping scanner payloads from http logs
various books, articles, blog posts, mailing list threads
other open source fuzzers and pentest tools and the input of contributors: https://github.com/fuzzdb-project/fuzzdb/graphs/contributors

Download

Preferred method is to check out sources via git, new payloads are added frequently

git clone https://github.com/fuzzdb-project/fuzzdb.git

While in the FuzzDB dir, you can update your local repo with the command

git pull

You can also browse the FuzzDB github sources and there is always a zip file

Note: Some antivirus/antimalware software will alert on FuzzDB. To resolve, the filepath should be whitelisted. There is nothing in FuzzDB that can harm your computer as-is, however due to the risk of local file include attacks it's not recommended to store this repository on a server or other important system.

Who

FuzzDB was created by Adam Muntner (amuntner @ gmail.com) FuzzDB (c) Copyright Adam Muntner, 2010-2017 Portions copyrighted by others, as noted in commit comments and README.md files.

The FuzzDB license is New BSD and Creative Commons by Attribution. The ultimate goal of this project is to make the patterns contained within obsolete. If you use this project in your work, research, or commercial product, you are required to cite it. That's it. I always enjoy hearing about how people are using it to find an interesting bug or in a tool, send me an email and let me know.

Submissions are always welcome!

Official FuzzDB project page: https://github.com/fuzzdb-project/fuzzdb/