Re: Looking for a fuzzer/source code analyzer on customer developed code

From: Zed Qyves (zqyves.spamtrap@gmail.com)
Date: Tue Mar 18 2008 - 07:14:41 EST


Hello Sudhakar,
Regarding webservices I have used WSDigger from Foundstone (http://www.foundstone.com/us/resources/proddesc/wsdigger.htm) but I have also heard success stories with wsfuzzer (http://www.neurofuzz.com/modules/software/wsfuzzer.php) as well.
Regarding fuzzing I would go with sulley for intelligent fuzzing such as session retention, session control, callbacks and the such. Other fuzzers I had success with are jbrofuzz from owasp and taof (the art of fuzzing). The latter 2 work really well with text-based protocols and on simple calls and do not need the initial learning curve that one will definitely need with sulley. For http fuzzing paros scanner will also take you a good distance.
Lastly for network connection stress testing I would use something as simple as blast from foundstone.
regards,
./ZQ
On Mon, Mar 17, 2008 at 10:57 PM, <sudhakar@cs.princeton.edu> wrote:
> Hi all,
>
> I am looking for a good fuzzer, against some custom code developed
> internally. I am looking for a tool to stress test application by:
>
> - open many network connections to application
> - throw random data to applications to get them to crash
> - fuzz web services
>
> Idea is to add a quality gate for developers before they push code out.
>
> Does anyone have any ideas on how to approach the problem? Any source code
> analyzer out there to do this?
>
> Thanks in advance for your ideas.
>
> Regards,
> --Sudhakar

--
---------------------------------------------------------------------
Κρέων
ἐν τῇδ᾽ ἔφασκε γῇ· τὸ δὲ ζητούμενον
ἁλωτόν, ἐκφεύγειν δὲ τἀμελούμενον.
Οιδίπους Τύρρανος [110]
---------------------------------------------------------------------
Creon
In this our land, so said he, those who seek Shall find; unsought, we
lose it utterly.
Oedipus Rex [110]
---------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:28 EDT