A security fuzzer is a tool that feeds random or malformed data (fuzz testing) to an application's parameters. In web application testing, fuzzing mainly targets buffer overflows, parameter format checks, handling of various encodings, and error handling.
The results of a fuzzing test reveal application vulnerabilities ranging from juicy stuff such as improper sanitizing of user-supplied data and failed boundary checks, down to apparently harmless disclosure of application environment details such as OS version, application server version, database details and even private IP addresses.
Web application fuzzing is performed mostly through GET and POST requests, but you can use any method the server supports (HEAD, TRACE, CONNECT, etc.).
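As an added example (not code from this post or from any of the tools listed below), here is a minimal parameter-fuzzing harness in Python that exercises the checks named above (boundary, format, encoding and error handling) against a constructed, deliberately naive request handler, and reports which inputs it rejects cleanly versus which escape as uncaught exceptions. `sample_handler`, `fuzz_values` and `fuzz_handler` are hypothetical names chosen for this example.

```python
import random
import string


def sample_handler(params):
    """Constructed stand-in for an endpoint's parameter parsing; returns an
    HTTP-style status code. Deliberately naive: it assumes "page" is a decimal
    integer and that "name" fits into 64 bytes of Latin-1."""
    page = int(params.get("page", "1"))        # ValueError on unexpected format
    name = params["name"].encode("latin-1")    # UnicodeEncodeError outside Latin-1
    if page < 0 or len(name) > 64:
        return 400                             # clean rejection
    return 200


def fuzz_values(seed, rng, n=20):
    """Derive n fuzzed values from a seed value: length/boundary cases,
    odd encodings, embedded control characters and random printable noise."""
    strategies = [
        lambda s: "",                                           # empty parameter
        lambda s: s * rng.choice([64, 1024, 65536]),            # boundary / length
        lambda s: s + "\x00",                                   # embedded null byte
        lambda s: s + "\r\n",                                   # CRLF inside a value
        lambda s: "".join(rng.choices(string.printable, k=rng.randint(1, 40))),
        lambda s: "%s%d" % (s, rng.randint(-2 ** 31, 2 ** 31)),  # numeric format check
        lambda s: "\u00e9\u4e2d\U0001f600",                     # non-ASCII encodings
        lambda s: "%25" + s,                                    # percent-encoding
    ]
    return [rng.choice(strategies)(seed) for _ in range(n)]


def fuzz_handler(handler, base, param, rng, rounds=50):
    """Fuzz one parameter of `base` and classify every outcome.
    'crash'    = uncaught exception, the error-handling gap a fuzzer should reveal
    'rejected' = handler answered 4xx/5xx, 'accepted' = handler answered 2xx/3xx."""
    report = {"crash": [], "rejected": 0, "accepted": 0}
    for value in fuzz_values(base[param], rng, rounds):
        request = dict(base, **{param: value})
        try:
            status = handler(request)
        except Exception as exc:               # record the input that slipped through
            report["crash"].append((value[:40], type(exc).__name__))
            continue
        report["rejected" if status >= 400 else "accepted"] += 1
    return report


if __name__ == "__main__":
    base = {"page": "1", "name": "bob"}
    for param in base:
        print(param, fuzz_handler(sample_handler, base, param, random.Random(7)))
```

Each uncaught exception in the report is a place where the handler needs an explicit format or encoding check so that bad input produces a controlled 400 rather than a stack trace.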
My favorite 10 web application fuzzing tools in fuzzy order
1. SPIKE Proxy
SPIKE Proxy is a professional-grade tool for finding application-level vulnerabilities in web applications. It covers the basics, such as SQL injection and cross-site scripting, but its completely open Python infrastructure allows advanced users to customize it for web applications that other tools fall apart on. SPIKE Proxy is available for Linux and Windows.
2. WebScarab
WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins.
Its Parameter Fuzzer plugin performs automated substitution of parameter values that are likely to expose incomplete parameter validation, leading to vulnerabilities like cross-site scripting (XSS) and SQL injection.
3. Burp Intruder
Burp Intruder is a highly configurable Java web application security tool and can be used to automate a wide range of attacks against applications, including testing for common web application vulnerabilities such as SQL injection, cross-site scripting, buffer overflows and directory traversal; brute force attacks against authentication schemes; enumeration; parameter manipulation; trawling for hidden content and functionality; session token sequencing and session hijacking; data mining; concurrency attacks; and application-layer denial-of-service attacks.
4. Wapiti
Wapiti allows you to audit the security of your web applications. It performs "black-box" scans, i.e. it does not study the source code of the application but scans the web pages of the deployed web app, looking for scripts and forms where it can inject data. Once it has this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.
5. RFuzz The Web Destroyer
RFuzz is a Ruby library to easily test web applications from the outside using a fast HttpClient and wicked evil RandomGenerator allowing the average programmer to use advanced fuzzing techniques for just pennies a day.
6. OWASP WSFuzzer
WSFuzzer is a GPL’d program, written in Python, that currently targets Web Services. In the current version HTTP based SOAP services are the main target. This tool was created based on, and to automate, some real-world manual SOAP pen testing work.
7. SPI Fuzzer (member of SPI Dynamics WebInspect suite)
It identifies buffer overflows using HTTP fuzzing or modification of input variables. A trial version is available for download.
8. Suru Web Proxy
Suru gives the analyst the ability to fuzz ANY part of the HTTP request. This obviously includes GET and POST parameters, but can also be extended to Host: fields, Content-length: etc. The analyst can choose to fuzz any point of the HTTP request header or body. These "Fuzz control points" can be fuzzed with any value – and Suru includes some sample fuzz strings by default.
9. AppScan
AppScan scans and tests for all common web application vulnerabilities – including those identified in the WASC threat classification – such as SQL injection, cross-site scripting and buffer overflow.
10. ASP Auditor
The purpose of this tool is to look for common misconfiguration and information leaks in ASP.NET applications.
What are your favorite web app testing tools?
This entry was posted on Saturday, May 12th, 2007.