The information has been provided by CIRT Tools.
To keep up to date with the tool, visit the project's homepage at: http://www.cirt.dk/tools/fuzzer/fuzzer.txt
"Fuzzing" is an automated software testing technique that generates and submits random or sequential data to various areas of an application in an attempt to uncover security vulnerabilities.
For example, when searching for buffer overflows, a tester can simply generate data of various sizes and send it to one of the application entry points to observe how the application handles it.
Usage example (string overflow):
fuzz.pl -host 192.168.1.2 -port 80 -type string -load template.txt
Making the template:
Create a file containing the request you want to send, and insert the tag <FUZZER> at the place you want to fuzz. If you need to count the size of the data, e.g. in a POST request to an HTTP server, use the tags <COUNT>data<COUNT> and <SIZE>. It could be done as follows:
POST /cgi-sys/FormMail.cgi HTTP/1.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041128 Firefox/1.0 (Debian package 1.0-4)
<COUNT>recipient=test%40127.0.0.1&subject=Fuzzing&Name=test &email=test%40localhost& request=test<FUZZER>&redirect=/<COUNT>
You can also use hex values such as \x41 or 0x41 in the template if the protocol is binary.
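The following Python example is added here and is not CIRT's code: it expands a template of this kind offline, assuming that <SIZE> is replaced by the byte length of the data between the two <COUNT> tags after <FUZZER> has been substituted, and that \xNN / 0xNN escapes are decoded to raw bytes. The function names, payload lengths and sample template are constructed for illustration.

```python
import re

# Tag names come from the page; how fuzz.pl expands them is assumed here.
FUZZER, COUNT, SIZE = b"<FUZZER>", b"<COUNT>", b"<SIZE>"
HEX_ESCAPE = re.compile(rb"(?:\\x|0x)([0-9A-Fa-f]{2})")


def decode_hex(template: bytes) -> bytes:
    """Turn \\x41 / 0x41 style escapes into raw bytes (for binary protocols)."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), template)


def render(template: bytes, payload: bytes) -> bytes:
    """Build one test case: insert the payload, then fix up the length field."""
    # Escapes are decoded before substitution so the payload is never rewritten.
    data = decode_hex(template).replace(FUZZER, payload)
    parts = data.split(COUNT)
    if len(parts) == 1:  # no counted region: nothing to measure
        return data
    if len(parts) != 3:
        raise ValueError("expected exactly one <COUNT>...<COUNT> pair")
    before, counted, after = parts
    size = str(len(counted)).encode()
    return before.replace(SIZE, size) + counted + after.replace(SIZE, size)


def string_cases(template: bytes, lengths=(16, 256, 4096)):
    """Sequentially longer 'A' strings, as in a string-overflow run."""
    for n in lengths:
        yield n, render(template, b"A" * n)


# Constructed sample template (not the one from the page).
SAMPLE = (
    b"POST /form HTTP/1.1\r\n"
    b"Host: test.invalid\r\n"
    b"Content-Length: <SIZE>\r\n"
    b"\r\n"
    b"<COUNT>name=test&comment=<FUZZER>\\x21<COUNT>"
)

if __name__ == "__main__":
    for n, request in string_cases(SAMPLE):
        head, _, body = request.partition(b"\r\n\r\n")
        # Last header line shows the computed length next to the real body size.
        print(n, head.split(b"\r\n")[-1].decode(), len(body))
```

Because the length is recomputed for every payload, the declared Content-Length always matches the body, so the application under test parses the request and the oversized field actually reaches the handler.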