f_kenisky@earthlink.net wrote:
sorry about the first one my fingers got ahead of the brain.
Ok I've read through the FUZZER thingly page. Not 100% clear but
I've copied the text and made a few corrections.
As far as the fuzzer is concerned I want to use the RegEx and put in
some stuff on one of the identified fields.
When I put in a few RegEx characters and add the description and then
click add I get the following dialog box; Error; Invalid regular
expression! No wildcards permitted near index 0 ?-6*0-?^
Here are a few examples of regular expressions that you can use:
[a-z]{3}
does:
aaa
aab
aac
...
aaz
aba
abb
abc
...
azy
azz
baa
...
etc
How about:
[0-9a-f]{6}-[0-9A-F]{2}
6 hex digits, using lowercase a-f, followed by a hyphen, followed by 2
hex digits, using uppercase A-F.
Or:
[a-f][0-9a-f]{5}
6 hex digits, starting with
a00000
going to
ffffff
WARNING: Don't go overboard wit your regular expressions. The internal
engine will allow you to use an expression that will create up to 4
billion possibilities. However, currently, WebScarab reads every single
item, and places it into the list that you see when you are loading the
files. You'll run out of memory VERY quickly.
Besides, it makes no sense whatsoever to try to brute force something of
that scale . . . . .
Not really sure what I'm trying to get with this cool regular
expression but it really doesn't matter since the fuzz won't take it.
Maybe the examples above will help you out.
After playing with the fuzzer I found an area (HTML) with a date
field. MM dd YY. Three separate fields. I set up three separate
.txt files with MM dd & YY. The .txt file for the month included all
12 months (as numeric values) and I also included a "-" and "*" just
to see if the app would take that information.
Now I may be trying to do something that the Fuzzer wasn't intended
to do so my apologies.
In esseence the month.txt file had 36 separate variables. i.e.(01,
02, 03...-01, -02, -03...*01,*02,*03etc)
Seems entirely reasonable. Probably unnecessary to try all 12 months
with - and *, since if it doesn't accept the first one, it is unlikely
to accept it for the 12th, but it's up to you, obviously. ;-)
The html page I'm referring to had an begining and ending date so I
included both in the fuzz test and used the month.txt file for each
during the same test.
With a year.txt file containing 50+ years the fuzzer only fuzzed 36
(the number of months).
Ok. What you probably want to do is make the priority columns different,
so that they increment independently.
If the priorities are all the same, you'll get: (Assuming your year
starts with 1950)
1950 01 01 (Y M D)
1951 02 02
1953 03 03
etc
If you make the priorities different, e.g. 1 for year, 2 for Month, 3
for days, you'll get
1950 01 01
1950 01 02
1950 01 03
...
1950 12 31
1951 01 01
..
1951 12 31
1952 01 01
etc
1950 12 31
Hope I'm clear here as I got a feeling I'm confusing more people.
Hope I've managed to explain it sufficiently. If you do understand,
maybe you could update the OWASP page? Let me know if my explanation has
simply confused you more, and I'll try again. ;-)
Thanks
Regards,
Rogan
-------------------------------------------------------------------------
Sponsored by: Watchfire
Securing a web application goes far beyond testing the application using
manual processes, or by using automated systems and tools. Watchfire's
"Web Application Security: Automated Scanning or Manual Penetration
Testing?" whitepaper examines a few vulnerability detection methods -
specifically comparing and contrasting manual penetration testing with
automated scanning tools. Download it today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
--------------------------------------------------------------------------
