FuzzDB


Ailton Caetano

Sep 10, 2015, 1:19:30 PM
to zaproxy-develop
Guys/Girls,

  Now that Google Code has closed its doors on us, I thought that FuzzDB would be lost forever (come on, a 2011 database?), but it looks like the project got a little revamp (in the project author's own words) after the migration, as you may see here - https://github.com/adamdecaf/fuzzdb/commits/master.

  There hasn't been any package release yet, but the master branch is being updated. What do you say about packaging a day-before-ZAP-release version of the database in the next ZAP release?

  Yeah, I can fix it myself by cloning the repo on my machine in the appropriate ZAP folder, but what about the others?


Kind Regards,

Ailton Caetano

Adam Muntner

Sep 10, 2015, 7:27:00 PM
to zaproxy...@googlegroups.com
Ailton,

I can't think of any good reasons to continue to maintain packaged
versions. The repo is easy to clone in whole or part, the packages go
stale fast, and the instructions always directed people to preferably
use the repo, anyway.

If there's anything I can do, structure or format wise, etc, please
let me know. And submissions / changes are always welcome!

psiinon

Sep 11, 2015, 4:21:16 AM
to OWASP ZAP Developer Group
Adam,

I'm going to have to disagree with you on that :)
I think it's a bit like me saying - "ZAP is easy to download and install, why should distributions like Kali include it?"
According to the stats on https://api.github.com/repos/zaproxy/zap-extensions/releases FuzzDB is one of the most downloaded ZAP add-ons :)
Why do people download it from there?
I don't really know, but I suspect that convenience and the fact it's integrated with ZAP make a big difference.
Do you provide instructions on how to use fuzzdb within ZAP? I couldn't see any, and we don't provide any clear documentation either.
You're also probably looking at this from a pentester's point of view, and assuming everyone will have heard of fuzzdb.
A significant proportion of ZAP users will be developers and QA, as well as people just getting started in security.
They may well not know about fuzzdb.
You might prefer people to use your repo, but I think that if you don't accept that people will want to consume your project in different ways then you'll be doing some of your users a disservice.

Ailton - I'm at fault for not keeping up with the fuzzdb releases, as I originally put together the addon.
I'd be delighted for someone to update it to the latest code, and even more if someone would keep maintaining it :)
So please, go for it - pull requests much appreciated!

BTW, looks like Adam M's official repo is https://github.com/fuzzdb-project/fuzzdb; not sure how https://github.com/adamdecaf/fuzzdb differs from it.

Cheers,

Simon

Adam Muntner

Sep 11, 2015, 8:41:13 AM
to zaproxy...@googlegroups.com
Simon,

You're right, I think there was a misunderstanding though - I meant
the fuzzdb zip file that was previously available on Google Code, not the
files that are part of ZAP.
GitHub has the 'download as zip' feature so I wasn't planning on
making a separate file.

I'm looking at
https://github.com/zaproxy/zap-extensions/tree/master/src/org/zaproxy/zap/extension/fuzzdb

and have a couple questions about how it works now:
The comments say that "Updated fuzzdb to use standard file structure"
but I'm not sure what you mean by that.

Also see some extraneous files in there, etc. Let me see what I can
do. A script to generate an xml file that will include only the
fuzzfiles, while the extension package itself contains the whole thing
including browsable docs, would be a good start.

psiinon

Sep 11, 2015, 9:03:28 AM
to OWASP ZAP Developer Group
Ah, my misunderstanding then :)

The "standard file structure" referred to the files in ZAP - I changed the add-on so that files would be installed under a "fuzzers/fuzzdb-1.09" directory as per https://github.com/zaproxy/zap-extensions/commit/9809196cc9e672341cbf1b0d5ce920f03aaff186
This means they will be automatically available to the fuzzer, and won't clash with other fuzzing libraries.
If you're moving away from numbered releases then that could just become "fuzzers/fuzzdb".
All of the files need to be specified in https://github.com/zaproxy/zap-extensions/blob/master/src/org/zaproxy/zap/extension/fuzzdb/ZapAddOn.xml
I wrote a simple class which will generate the relevant parts of that file: https://github.com/zaproxy/zap-extensions/blob/master/src/org/zaproxy/zap/extension/fuzzdb/FuzzdbFiles.java - I'm sure that could be improved :)

ZAP add-ons should ideally provide help in Java help format - we've got a load of infrastructure that means they can then be merged into the ZAP help file.
If you point me at the docs I could look at converting them to the right format, which would be really useful.
My ultimate aim is to be able to update add-ons like fuzzdb and the Wappalyzer one automatically via the build route, but that will require a load of changes ;)

Cheers,

Simon

Adam Muntner

Sep 11, 2015, 9:28:15 AM
to zaproxy...@googlegroups.com
Docs:

Some cheatsheet type stuff
https://github.com/fuzzdb-project/fuzzdb/tree/master/docs/misc

Some other folders have /docs child folders such as
https://github.com/fuzzdb-project/fuzzdb/tree/master/attack-payloads/os-cmd-execution/docs

I think there are more

Many fuzz files start with

# Comment about source or usage notes for the file

which is due to its heritage as something I originally created for
myself to use with Burp, where I could load the file, read the notes in
the first line of the payloads, and then delete the first line prior to
using. This is obviously not a metaphor that works for ZAP or many
other tools and probably should change.

Was brainstorming on ways to change that - what do you think about an
optional .help file that is otherwise named the same as the .txt file?
Then some kind of inline help viewer as you mentioned could consume
it. The rest of the docs are a mix of things like html and pdf that
are saved from other places that I collected while pentesting,
cheatsheets for exfiltrating data, etc. and might not be so easy to
work with, without using default system external file viewers.
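A worked example of the two steps the last messages describe: splitting the first-line "# usage note" out of each payload list into an optional .help sidecar, and emitting the manifest entries for only the fuzz files under a "fuzzers/fuzzdb" install path. This is an added example, not code from the thread, FuzzDB or ZAP; the sample files are constructed, and the `<file>` element name and the install prefix are assumptions drawn from the discussion rather than the actual ZapAddOn.xml schema.

```python
import posixpath
from typing import Dict, List, Tuple

# Constructed sample of a fuzzdb checkout: path -> file text. Paths and
# payload strings are made up; only the layout mirrors the discussion.
SAMPLE_FILES: Dict[str, str] = {
    "attack-payloads/os-cmd-execution/sample-list.txt":
        "# Source and usage notes for this list\n"
        "sample-payload-a\n"
        "# a later '#' line is a payload, not a header\n",
    "attack-payloads/os-cmd-execution/docs/notes.html":
        "<html>cheatsheet saved from elsewhere</html>\n",
    "wordlists-misc/sample-ports.txt":
        "80\n443\n",
}


def split_header(text: str) -> Tuple[str, List[str]]:
    """Return (help_text, payloads). Only a '#' on the very first line is the
    usage note Burp users deleted by hand; later '#' lines stay payloads."""
    lines = text.splitlines()
    if lines and lines[0].startswith("#"):
        return lines[0].lstrip("#").strip(), lines[1:]
    return "", lines


def is_payload_file(path: str) -> bool:
    """Only .txt lists outside any docs/ folder are fed to the fuzzer."""
    return path.endswith(".txt") and "docs" not in path.split("/")


def build_manifest(files: Dict[str, str], prefix: str = "fuzzers/fuzzdb"
                   ) -> Tuple[List[str], Dict[str, List[str]], Dict[str, str]]:
    """Return (<file> lines, cleaned payloads per install path, .help sidecars).
    Assumption: the add-on manifest lists each installed file as a <file>
    element, and the install prefix is fuzzers/fuzzdb as suggested above."""
    entries: List[str] = []
    cleaned: Dict[str, List[str]] = {}
    helps: Dict[str, str] = {}
    for path in sorted(files):
        if not is_payload_file(path):
            continue  # html/pdf docs ship in the package but are not fuzz lists
        help_text, payloads = split_header(files[path])
        dest = posixpath.join(prefix, path)
        entries.append(f"<file>{dest}</file>")
        cleaned[dest] = payloads
        if help_text:  # optional sidecar named like the .txt, per the proposal
            helps[dest[:-4] + ".help"] = help_text
    return entries, cleaned, helps
```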

Ailton Caetano

Sep 11, 2015, 10:14:07 AM
to zaproxy-develop
I'm glad my thought started a discussion that enriches both communities.

One thing that I found in that "https://github.com/adamdecaf/fuzzdb" repo that "https://github.com/fuzzdb-project/fuzzdb" misses is some JSON fuzzing strings (search results: https://github.com/fuzzdb-project/fuzzdb/search?p=1&q=json&utf8=%E2%9C%93).

Maybe we could arrange a merging of it into Muntner's FuzzDB?


[]'s Ailton

Adam Muntner

Sep 11, 2015, 11:19:37 AM
to zaproxy...@googlegroups.com
I see this one file:

https://github.com/adamdecaf/fuzzdb/blob/master/resources/json_fuzz.txt

but I'm not sure how useful it would be in practice? Different lines
are different contexts, some being wrapped with {} others being arrays
[], and others looking like they are supposed to be field name values,
some quoted, some unquoted, and each of those containing potentially
malicious input, but the input itself presuming some kind of json
format or injection point.

I reached out to the repo owner.

Adam Muntner

Sep 12, 2015, 11:03:22 AM
to zaproxy...@googlegroups.com
Just updated the plugin, there's a pull request.