fuzzdb aggregates known attack patterns, predictable resource names,
server response messages, and other resources like web shells into the
most comprehensive Open Source database of malicious and malformed input
test cases.
What's in fuzzdb?
Predictable Resource Locations - Because of the popularity of a small number of server types, platforms, and package formats, resources such as logfiles and administrative directories are typically located in a small number of predictable locations.
FuzzDB contains a comprehensive database of these, sorted by platform
type, language, and application, making brute force testing less
brutish.
Attack Patterns - Categorized by
platform, language, and attack type, malicious and malformed inputs
known to cause information leakage and exploitation have been collected
into sets of test cases. FuzzDB contains comprehensive lists of attack payloads
known to cause issues like OS command injection, directory listings,
directory traversals, source exposure, file upload bypass,
authentication bypass, HTTP header CRLF injection, and more.
Response Analysis - Since system responses also contain predictable strings, fuzzdb contains a set of regex pattern dictionaries,
such as interesting error messages, to aid in detecting software security
defects, lists of common Session ID cookie names, and more.
Other useful stuff - Webshells, common password and username lists, and some handy wordlists.
Documentation -
Helpful documentation and cheatsheets sourced from around the web that
are relevant to the payload categories are also provided.
Why was fuzzdb created?
The
sets of payloads currently built in to open source fuzzing and scanning
software are poorly representative of the total body of potential
attack patterns. Commercial scanners are a bit better, but not much.
However, commercial tools also have a downside, in that they tend
to lock these patterns away in obfuscated binaries.
Furthermore,
it's impossible for a human pentester to encounter and memorize all
permutations of the meta characters and hex encoding likely to cause
error conditions to arise.
FuzzDB was created to aggregate all
known attack payloads and common predictable resource names into usable
fuzzer payload lists, categorized by function and platform, and make
them freely available under an Open Source license. It is immediately
usable by web application penetration testers and security researchers.
Released under the dual New BSD and Creative Commons
Attribution licenses, FuzzDB can be leveraged to improve the test cases
built into open source and commercial testing software.
How was the data collected?
Lots of hours of research while performing penetration tests:
- analysis of default app installs
- analysis of system and application documentation
- analysis of error messages
- researching old web exploits for repeatable attack strings
- scraping scanner patterns from http logs
- various books, articles, blog posts, mailing list threads
- patterns gleaned from other open source fuzzers and pentest tools
FuzzDB is like an open source web application security scanner, without the scanner.
How to Use fuzzdb
- The most immediate, hands-on way is to use the payload files for web security testing with Burp Proxy's Intruder module. The regex/errors.txt file can be loaded to pattern match the server responses.
- Use the patterns to test web services.
- Use the patterns as malicious input payloads for testing non-HTTP, network-aware applications with custom fuzzing tools.
- Use the patterns as malicious input payloads for testing GUI or command line software with standard test automation tools.
- Incorporate the patterns into Open Source software, or into your own commercial product.
- Use the patterns in training materials and documentation.
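The response-analysis step described above (loading regex/errors.txt and matching it against server responses) can also be automated outside Burp. The script below is an added example, not fuzzdb's own code; it assumes the dictionary format is one regular expression per line with blank lines and `#` comments ignored, and the patterns and captured responses in it are constructed samples rather than copies from fuzzdb.

```python
"""Scan captured HTTP response bodies against a fuzzdb-style regex dictionary."""
import re
from typing import Dict, List

# Constructed sample in the assumed one-pattern-per-line format of regex/errors.txt.
SAMPLE_ERRORS_TXT = r"""
# database error leakage
SQL syntax.*MySQL
ORA-\d{5}
# application stack traces
Traceback \(most recent call last\)
at [\w.$]+\([\w]+\.java:\d+\)
# session identifiers echoed in the body
(?i)JSESSIONID=[0-9A-F]{16,}
"""

# Constructed responses, keyed by request path, as a test harness would capture them.
SAMPLE_RESPONSES = {
    "/search?q=%27": "You have an error in your SQL syntax; check the manual for MySQL",
    "/login": "<html><body>Welcome back</body></html>",
    "/report": "Traceback (most recent call last):\n  File \"app.py\", line 12",
}


def load_patterns(text: str) -> List[re.Pattern]:
    """Compile each non-blank, non-comment line as a regex; skip lines that fail to compile."""
    patterns = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            patterns.append(re.compile(line))
        except re.error as exc:
            print(f"skipping dictionary line {lineno} ({exc}): {line}")
    return patterns


def scan_responses(responses: Dict[str, str], patterns: List[re.Pattern]) -> Dict[str, List[str]]:
    """Return, per request path, the dictionary patterns found in its response body."""
    findings = {}
    for path, body in responses.items():
        hits = [p.pattern for p in patterns if p.search(body)]
        if hits:
            findings[path] = hits
    return findings


if __name__ == "__main__":
    for path, hits in scan_responses(SAMPLE_RESPONSES, load_patterns(SAMPLE_ERRORS_TXT)).items():
        print(f"{path}: {', '.join(hits)}")
```

Each flagged path points at a response that leaks an error message or identifier worth reviewing in the application, which is the defect-detection use of the dictionary the Response Analysis section describes.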