In my personal experience with web app testing, I have found that web fuzzers are not nearly as useful as fuzzers used for applications, and more specifically I have found numerous bugs doing direct API fuzzing. In the case of testing web applications, I find that using something like SpiDynamics' tool is great for a first pass as a black box test, but to really get an idea of how bad the vulnerability is, the extent, etc., manual testing is an absolute must. I know that most people on this list don't necessarily believe in fuzzing as a good security test, and I can hear Gary groaning already, but I think that fuzzing tools are becoming more and more intelligent, and you are soon going to see some extremely powerful tools in this arena. Check out the paper on genetic algorithms and fuzzing from BlackHat, as well as the tool from Jared DeMott at Applied Security. As for Metasploit, it's a very sweet tool, as well as a very useful framework for learning and developing exploits, particularly the tricky IE+ActiveX heap nastiness that requires a little kung fu and a lot of coffee.

JS
_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kenneth Van Wyk
Sent: Tuesday, February 27, 2007 12:06 AM
To: Secure Coding
Subject: [SC-L] Dark Reading - Desktop Security - Here Comes the (Web) Fuzz- Security News Analysis

Here's an interesting article from Dark Reading about web fuzzers. Web fuzzing seems to be gaining some traction these days as a popular means of testing web apps and web services.

http://www.darkreading.com/document.asp?doc_id=118162&f_src=darkreading_section_296

Any good/bad experiences and opinions to be shared here on SC-L regarding fuzzing as a means of testing web apps/services? I have to say I'm unconvinced, but agree that they should be one part--and a small one at that--of a robust testing regimen.

Cheers,

Ken

P.S. I'm over in Belgium right now for SecAppDev (http://www.secappdev.org). HD Moore wowed the class here with a demo of Metasploit 3.0. For those of you that haven't looked at this (soon to be released, but available in beta now) tool, you really should check it out. Although it's geared at the IT Security pen testing audience, I do believe that it has broader applicability as a framework for constructing one-off exploits against applications.

-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________