
| Subject: | Re: Looking for a fuzzer/source code analyzer on customer developed code |
|---|---|
| Date: | Tue, 18 Mar 2008 14:14:41 +0200 |

Hello Sudhakar,

Regarding webservices I have used WSDigger from Foundstone (http://www.foundstone.com/us/resources/proddesc/wsdigger.htm) but I have also heard success stories with wsfuzzer (http://www.neurofuzz.com/modules/software/wsfuzzer.php) as well.

Regarding fuzzing I would go with sulley for intelligent fuzzing such as session retention, session control, callbacks and the such. Other fuzzers I had success with are jbrofuzz from owasp and taof (the art of fuzzing). The latter 2 work really well with text-based protocols and on simple calls and do not need the initial learning curve that one will definitely need with sulley. For http fuzzing paros scanner will also take you a good distance.

Lastly for network connection stress testing I would use something as simple as blast from foundstone.

regards,
./ZQ

On Mon, Mar 17, 2008 at 10:57 PM, <sudhakar@cs.princeton.edu> wrote:

> Hi all,
>
> I am looking for a good fuzzer, against some custom code developed internally. I am looking for a tool to stress test application by:
>
> - open many network connections to application
> - throw random data to applications to get them to crash
> - fuzz web services
>
> Idea is to add a quality gate for developers before they push code out. Does anyone have any ideas on how to approach the problem? Any source code analyzer out there to do this?
>
> Thanks in advance for your ideas.
>
> Regards,
> --Sudhakar

--
Creon
In this our land, so said he, those who seek
Shall find; unsought, we lose it utterly.
Oedipus Rex [110]