
FuzzDB is a great project that has the potential to improve many existing tools. In the same way Adam suggested in this post, my team uses FuzzDB lists integrated with other tools (Burp Suite, Dirbuster, etc.) in order to use the functionality of those tools with the robust lists that FuzzDB provides.

For those that may not understand how this works: FuzzDB has many lists for many different security checks. A "fuzzer" would dynamically generate these things by basically putting random data into input fields in an attempt to find edge cases (with a security impact) that may not be handled correctly. Instead of generating that data randomly and on-the-fly, FuzzDB uses the most common "win" scenarios for a lot of different tests.

For example, the file Sharepoint.fuzz.txt[1] can easily be fed into any web application assessment tool to find default Sharepoint files. Since FuzzDB is updated more frequently than some older tools (say, nikto), it makes sense to replace old default lists with FuzzDB.

I'm glad that Mozilla is letting Adam publicize the project through their blog; it's a well-known resource in the security industry, but people just learning to conduct assessments of web applications may not know about it.

1: https://code.google.com/p/fuzzdb/source/browse/trunk/Discove...



