My favorite 10 Web Application Security Fuzzing Tools

A security fuzzer is a tool designed to feed random data to an application’s parameters (fuzz testing). In the context of web application testing, fuzzing means testing especially for buffer overflows, parameter format checks, handling of various encodings, and error handling.

The results of a fuzzing test reveal application vulnerabilities that range from juicy stuff, such as improper sanitizing of user-supplied data and failed boundary checks, to apparently harmless disclosure of application environment details such as OS version, application server version, database details and even private IP addresses.
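As an added example (not from the original post or from any of the tools listed below), here is a small Python checker that triages one HTTP response for the disclosure classes named above: server and OS version banners, database error details and private IP addresses. The sample response, the header list and the signature patterns are constructed assumptions, not an exhaustive rule set.

```python
import ipaddress
import re

# Constructed sample: a raw HTTP error response of the kind a malformed parameter can trigger.
SAMPLE_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache/2.2.3 (CentOS)\r\n"
    "X-Powered-By: PHP/5.1.6\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<b>Warning</b>: mysql_connect(): Can't connect to MySQL server on '10.0.12.7' (113)\n"
    "in /var/www/html/db.php on line 12 (client build 5.0.45)\n"
)

# Assumed signature sets; extend them for the stack you actually run.
BANNER_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
OS_NAMES = re.compile(r"\b(CentOS|Ubuntu|Debian|Red Hat|Win32|Win64|Unix)\b", re.I)
DB_ERRORS = re.compile(r"(mysql_\w+\(\)|ORA-\d{5}|ODBC|SQLSTATE|PostgreSQL|Microsoft SQL Server)", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def find_disclosures(raw_response):
    """Return sorted (category, evidence) pairs found in one raw HTTP response."""
    head, _, body = raw_response.partition("\r\n\r\n")
    findings = set()
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, _, value = line.partition(":")
        value = value.strip()
        # A banner header only counts when it carries a version number.
        if name.strip().lower() in BANNER_HEADERS and re.search(r"\d", value):
            findings.add(("server-version", value))
            os_match = OS_NAMES.search(value)
            if os_match:
                findings.add(("os", os_match.group(1)))
    for m in DB_ERRORS.finditer(body):
        findings.add(("database", m.group(1)))
    for candidate in IPV4.findall(raw_response):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:                         # dotted string that is not a valid address
            continue
        if addr.is_private and not addr.is_loopback:
            findings.add(("private-ip", candidate))
    return sorted(findings)
```

Run against responses collected while fuzzing your own application, each finding points at a header or error page to suppress in production.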

Web application fuzzing is performed mostly through GET and POST requests, but you can use any method that is supported by the server (HEAD, TRACE, CONNECT, etc.).

My favorite 10 web application fuzzing tools in fuzzy order :)

1. SPIKE Proxy
It is a professional-grade tool for looking for application-level vulnerabilities in web applications. SPIKE Proxy covers the basics, such as SQL injection and cross-site scripting, but its completely open Python infrastructure allows advanced users to customize it for web applications that other tools fall apart on. SPIKE Proxy is available for Linux and Windows.

2. WebScarab
WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins.
The parameter fuzzer plugin performs automated substitution of parameter values that are likely to expose incomplete parameter validation, leading to vulnerabilities like Cross Site Scripting (XSS) and SQL Injection.

3. Burp Intruder
Burp Intruder is a highly configurable Java web application security tool and can be used to automate a wide range of attacks against applications, including testing for common web application vulnerabilities such as SQL injection, cross-site scripting, buffer overflows and directory traversal; brute force attacks against authentication schemes; enumeration; parameter manipulation; trawling for hidden content and functionality; session token sequencing and session hijacking; data mining; concurrency attacks; and application-layer denial-of-service attacks.

4. Wapiti
Wapiti allows you to audit the security of your web applications. It performs "black-box" scans, i.e. it does not study the source code of the application but scans the web pages of the deployed webapp, looking for scripts and forms where it can inject data. Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.


5. RFuzz The Web Destroyer
RFuzz is a Ruby library to easily test web applications from the outside using a fast HttpClient and wicked evil RandomGenerator allowing the average programmer to use advanced fuzzing techniques for just pennies a day.

6. OWASP WSFuzzer
WSFuzzer is a GPL’d program, written in Python, that currently targets Web Services. In the current version HTTP based SOAP services are the main target. This tool was created based on, and to automate, some real-world manual SOAP pen testing work.

7. SPI Fuzzer (member of SPI Dynamics WebInspect suite)
It identifies buffer overflows using HTTP fuzzing or modification of input variables. Trial version available for download.

8. Suru Web Proxy
Suru gives the analyst the ability to fuzz ANY part of the HTTP request. This obviously includes GET and POST parameters, but can also be extended to Host: fields, Content-length: etc. The analyst can choose to fuzz any point of the HTTP request header or body. These "Fuzz control points" can be fuzzed with any value – and Suru includes some sample fuzz strings by default.

9. AppScan
AppScan scans and tests for all common web application vulnerabilities – including those identified in the WASC threat classification – such as SQL-Injection, Cross-Site Scripting and Buffer Overflow.

10. ASP Auditor
The purpose of this tool is to look for common misconfiguration and information leaks in ASP.NET applications.

What are your favorite web app testing tools?


