Projects tagged ‘fuzzer’ and ‘java’

Fuzzing of WebServices. Features: gui, input definition(per parameter), test case generatiion, filter of results, ...

JavaFuzz is a java classes fuzzer based on the the Java Reflection API. The reflection API represents, or reflects, the classes, interfaces, and objects in the current Java Virtual Machine. Using the ... [More] reflection API it can contruct and invoke any given class (or list of classes). After getting the types that a class accepts will construct the class using expected and/or inappropriate values. If the option -m is issued then all the methods will be invoked as well. Have look in the Examples article. Note : Check the subversion repository for the latest version, Downloads get the latest packaged version, not the latest available version. Latest version : 0.7.5 [Less]

Concept: In this age of the excessive INTERNET-dependency, the Web browser is the most basic common unit of the Internet experience for much of the global community. Also, it is the one which is the ... [More] most attacked from external agencies. Thus, it is critical to test the Browser's ability to be secure enough. Thus, to audit the security mechanisms in place within conventional Web Browsers, we plan to use a fuzzer codenamed 'FireFuzzer'. A fuzzer (also known as 'Fault Injectors') is a typically a tool that attempts to discover security vulnerabilities by injecting random input into the WEB application. If the program contains a vulnerability that can lead to an exception, crash or server error (in the case of web apps), it can be determined that a vulnerability has been discovered. Conventional Fuzzers are good at finding buffer overflow, DoS, SQL Injection, XSS, and Format String bugs. Firefuzzer is expected to perform black-box scans over the web pages. It will target the web page URL which is passed as an argument via command line and will mark the textboxes within the HTML forms to inject unacceptable data. Then, FireFuzzer will inject random textual data and submit the forms to see whether Exceptions are generated. Intended vulnerabilities expected to be targeted include: Buffer Overflow Database Injection (SQL Injections) File Handling Errors (fopen, readfile…) XSS (Cross Site Scripting) Injection Cross-site Scripting is commonly used to cause the execution of scripting code (controlled by the attacker) in order to steal information from the victim (e.g. current logged in session information) or cause the installation of Trojan horse software that can be later used to take full control of the victims host. SQL Injection is the process of injecting SQL language code within data requests that result in an application’s back-end database server either surrendering confidential data, or cause the execution of malicious scripting content on the database that results in a host compromise. Description: Firefuzzer is a penetration testing tool. The aim of the fuzzer is to discover unknown vulnerabilities in web applications. As per the requirement of the Project Proposal, the FireFuzzer application would be executed from the Command Prompt. It has two major modules: 1)Buffer Overflow 2)Cross Site Scripting (XSS) In the case of Buffer Overflow module, Firefuzzer creates random, possibly invalid text String and inserts into html input textboxes. All the Forms present on the given page are then submitted one after the other and appropriate look-up is performed for the status code response. Warnings are given for specific HTTP Codes. For a normal web page which loads properly without any error, HTTP Status Code 200 is sent as a response which means OK. HTTP Status Code 500 series of errors indicate exceptions caused at the Server End. In the case of Cross-Site Scripting module, Firefuzzer will also target SQL injections where SQL commands are injected into the Login form component. Attacker can also effectively insert code and modify SQL command. These commands are then passed to Server end. Again, Look-ups are performed for the status code response and appropriate warnings are issued. Execution Steps: Save the "inject.conf" file in the same folder as "Firefuzzer.jar" file. At command prompt, type "java -jar Firefuzzerr.jar {url} {buffer/sql} {detail(Optional)}" and the Program Execution will begin appropriately. Example: java -jar Firefuzzer.jar www.abcdefgh.com buffer => Buffer Overflow attack-summary java -jar Firefuzzer.jar www.abcdefgh.com buffer detail => Buffer Overflow attack-detailed java -jar Firefuzzer.jar www.abcdefgh.com sql => SQL Injection attack-summary java -jar Firefuzzer.jar www.abcdefgh.com sql detail => SQL Injection attack-detailed Team Members: 1)Gaurav Pandey (gip2103@columbia.edu) 2)Sumeet Jindal (sj2405@columbia.edu) Mentor: Prof. Herbert Thompson University: Columbia University (Software Security-Spring 2009) [Less]