FuzzDB - Comprehensive Set Of Known Attack Sequences


FuzzDB is a comprehensive open dictionary of fault injection patterns, predictable resource locations, and regex for matching server responses. It was created to increase the likelihood of causing and identifying conditions of security interest through dynamic application security testing.

Attack Patterns - FuzzDB contains comprehensive lists of attack payload primitives for fault injection testing. These patterns, categorized by attack and, where appropriate, platform type, are known to cause issues like OS command injection, directory listings, directory traversals, source exposure, file upload bypass, authentication bypass, XSS, HTTP header CRLF injections, SQL injection, NoSQL injection, and more. For example, FuzzDB catalogs 56 patterns that can potentially be interpreted as a null byte, and it contains lists of commonly used methods such as "get, put, test," and name-value pairs that trigger debug modes.

Discovery - The popularity of standard software packaging distribution formats and installers resulted in resources like log files and administrative directories frequently being located in a small number of predictable locations. FuzzDB contains a comprehensive dictionary, sorted by platform type, language, and application, making brute force testing less brutish.

Response Analysis - Many interesting server responses are predictable strings. FuzzDB contains a set of regex pattern dictionaries to match against server responses. In addition to common server error messages, FuzzDB contains regex for credit cards, social security numbers, and more.

Other useful stuff - Webshells in different languages, common password and username lists, and some handy wordlists.

Documentation - Many directories contain a README.md file with usage notes. A collection of documentation from around the web that is helpful for using FuzzDB to construct test cases is also included. 

Note: Some antivirus/antimalware software will alert on FuzzDB. To resolve this, whitelist the file path. There is nothing in FuzzDB that can harm your computer as-is; however, due to the risk of local file include attacks, it's not recommended to store this repository on a server or other important system.
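The response-analysis idea described above, as an added example that is not part of FuzzDB or the original post: a small scanner that matches response bodies against regex dictionaries, Luhn-filters card candidates to cut false positives, and masks what it reports. The patterns, function names and sample responses are constructed for illustration and are not copied from FuzzDB's dictionaries.

```python
import re

# Constructed patterns (assumption: simplified stand-ins for a regex dictionary).
PATTERNS = {
    "sql_error": re.compile(r"SQL syntax.*?MySQL|ORA-\d{5}|unterminated quoted string", re.I | re.S),
    "stack_trace": re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\([\w$]+\.java:\d+\)"),
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def analyze(body: str) -> list[tuple[str, str]]:
    """Return (pattern_name, evidence) pairs; sensitive values are masked."""
    findings = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(body):
            text = m.group(0)
            if name == "card":
                digits = re.sub(r"\D", "", text)
                if not luhn_ok(digits):
                    continue  # digit run that is not a plausible card number
                text = "*" * (len(digits) - 4) + digits[-4:]
            elif name == "ssn":
                text = "***-**-" + text[-4:]
            findings.append((name, text))
    return findings

# Constructed sample responses, not captured from any real system.
SAMPLE_ERROR = ("<h1>500</h1>You have an error in your SQL syntax; check the manual "
                "that corresponds to your MySQL server version")
SAMPLE_LEAK = "order 4111 1111 1111 1111 shipped; ref 1234 5678 9012 3456; ssn 078-05-1120"

if __name__ == "__main__":
    for sample in (SAMPLE_ERROR, SAMPLE_LEAK):
        for name, evidence in analyze(sample):
            print(f"{name}: {evidence}")
```

The second 16-digit run in `SAMPLE_LEAK` fails the Luhn check and is not reported, which is the kind of filtering a pure regex match cannot do on its own.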
