by bullsandabears 3357 days ago
Does anyone know of a list of categorized and recommended fuzzers for different purposes, or just more specifically for smart fuzzing web API's and how to get started with it? Search results for this kind of stuff are hard to parse cause they're either dated or the use cases are very specific one-offs.

I realize answering my questions with the given broadly-defined tools may be the required manual expertise they refer to in the presentation. But I'm just looking for a foothold somewhere at the least.

2 comments

Very short answer: For web testing, you should run Burp Suite in headless mode. Lots of people use Carbonator to do this:

https://portswigger.net/bappstore/showbappdetails.aspx?uuid=...

Burp Suite is planning on adding native support for continuous integration in the second half of 2017.

If you're reading between the lines: there are _very few_ security testing tools that are built well. So you're asking the wrong question. You don't need a huge list. There are only a small handful of fuzzers or analysis tools I would recommend at all, and Burp is it for web testing.

Most projects out there are hobby projects from people trying to learn something new and ignoring what has already been done. They don't serve a very useful purpose other than as a learning or teaching tool.

We used tried and true basics for our CRS: Radamsa, KLEE, our own open-source binary lifter, and a Python symbolic execution framework built around Z3. Nothing new, or hip, or magic.

Burp Suite does not do a good job at fuzzing APIs - not biased but true. APIs require more structured fuzzers that expose application-level problems - not like Burp's fuzzers, which work on raw HTTP requests, which was useful some time ago when you had to find bugs in the actual server implementation. This is not relevant in the web application security space anymore apart from research, which is exactly what most web shops are not interested in doing. You can still use Burp for that, but the user needs to do all the heavy lifting by hand. How does Burp do recursive XML or JSON fuzzing? It doesn't. You can write a plugin for that, but that defeats the purpose of using an off-the-shelf tool.
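To make the "recursive JSON fuzzing" point above concrete, here is an added example (not code from this thread, from Burp, or from any tool named in it) of a structure-aware mutator: it parses the document, treats every node in the tree as a mutation site, swaps in type-appropriate boundary values and type-confusion payloads, drops or adds keys, and emits each variant as a valid JSON document so the application's own parser accepts it and the application logic, not the HTTP layer, is what gets exercised. The seed document and payload lists are constructed for illustration.

```python
"""Recursive, structure-aware JSON mutator (added example, not from the thread).

Every node of the parsed document is a mutation site, so nested fields get
the same treatment as top-level ones, and every output still parses as
JSON. Output order is deterministic for a given seed so a failing case can
be replayed.
"""
import copy
import json
import random

# Boundary and type-confusion payloads, grouped by the type of node they
# replace. Constructed for illustration; NaN/Infinity are omitted because
# they are not valid JSON and would be rejected at the parser, not the app.
INT_PAYLOADS = [0, -1, 2**31 - 1, 2**31, 2**63, -2**63 - 1, 1e308]
STR_PAYLOADS = ["", "A" * 4096, "\u0000", "\U0001F600", "{}", "[]", "null", "1e9999"]
TYPE_CONFUSION = [None, True, [], {}, "0", 0]


def _paths(node, prefix=()):
    """Yield (path, value) for every node in the tree, depth-first."""
    yield prefix, node
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _paths(v, prefix + (k,))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _paths(v, prefix + (i,))


def _replace(doc, path, value):
    """Return a deep copy of doc with the node at path replaced by value."""
    if not path:
        return value  # replacing the root
    new = copy.deepcopy(doc)
    parent = new
    for key in path[:-1]:
        parent = parent[key]
    parent[path[-1]] = value
    return new


def _candidates(value):
    """Mutations that make sense for the concrete type of this node."""
    if isinstance(value, bool):
        return [not value] + TYPE_CONFUSION
    if isinstance(value, (int, float)):
        return INT_PAYLOADS + TYPE_CONFUSION
    if isinstance(value, str):
        return STR_PAYLOADS + TYPE_CONFUSION
    if isinstance(value, list):
        # empty, bloated, and self-nested variants of the list
        return [[], value * 50, value + [value]] + TYPE_CONFUSION
    if isinstance(value, dict):
        # drop each key in turn, then add a key the schema does not expect
        out = [{k: v for k, v in value.items() if k != drop} for drop in value]
        out.append({**value, "__unexpected__": 1})
        return out + TYPE_CONFUSION
    return TYPE_CONFUSION


def mutate(doc, limit=None, seed=0):
    """Yield (path, json_text) pairs, one structural change per case."""
    rng = random.Random(seed)
    cases = [(path, payload)
             for path, value in _paths(doc)
             for payload in _candidates(value)]
    rng.shuffle(cases)
    for path, payload in cases[:limit]:
        yield path, json.dumps(_replace(doc, path, payload), ensure_ascii=False)


if __name__ == "__main__":
    seed_doc = {"user": {"id": 7, "tags": ["a"]}, "active": True}  # constructed
    for path, text in mutate(seed_doc, limit=10):
        print(path, text)
```

The path that comes back with each case is the part worth keeping in a report: when a variant produces a 500 or a timeout, it tells you which nested field the application failed to validate, which a byte-level mutation of the raw request cannot tell you.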
Yep, it's maybe a little more complicated than I let on. We went through the same process you described on a recent engagement and here was the outcome:

https://github.com/trailofbits/protofuzz

Big thanks for this reply. I was looking to cut through all the noise you mentioned. I'm finding all I was looking for in the Radamsa readme for starting and next steps. Use cases expressed in unix pipes > clear_as_day.txt. Fuzzing newb at this point but I'll be using your original and other linked presentations for context while working through basics.
There are some commercial efforts but not much in the open source space which in my opinion is a big problem because APIs should be fuzzed properly - especially when written with dynamic scripting languages.
Thanks for clarifying this and your info on Burp's capabilities above. What are some of the commercial options you just mentioned? I'm dealing with a large app not written with C but does have API endpoints over http. For a start on some black-box fuzzing, I'm thinking I could use Radamsa's client/server capabilities.
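For the black-box setup described in the last two comments (a generator feeding mutated inputs to an HTTP endpoint), here is an added example harness; it is not code from the thread, from Radamsa or from Burp. The byte mutator is a deliberately small stand-in for what Radamsa would do in the pipeline, the target server is a constructed toy endpoint that makes the kind of unchecked assumption about its input shape that the thread says raw-HTTP fuzzers tend to miss, and the URL, port and corpus cases are all assumptions local to the example. The point it shows is the triage side: every 5xx or timeout is bucketed by the error it produced and recorded with the exact bytes that caused it, so a finding can be replayed.

```python
"""Black-box HTTP API fuzz harness with local target and crash triage.

Added example (not from the thread, Radamsa or Burp). Everything here,
including the target endpoint, runs on localhost.
"""
import json
import random
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib import error, request


class TargetHandler(BaseHTTPRequestHandler):
    """Constructed toy endpoint: expects {"items": [numbers]} and returns
    their sum. It assumes the shape of the body instead of validating it."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            data = json.loads(body)
        except ValueError:
            return self._reply(400, {"error": "bad json"})
        try:
            total = sum(data["items"])  # KeyError / TypeError on odd shapes
            self._reply(200, {"total": total})
        except Exception as exc:  # the detail a framework's 500 page would hide
            self._reply(500, {"error": type(exc).__name__})

    def _reply(self, status, obj):
        payload = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the fuzz loop's output readable
        pass


def start_target():
    """Start the toy API on an ephemeral localhost port and return its URL."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), TargetHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/sum" % srv.server_port


def byte_mutate(data, rng):
    """One Radamsa-style byte-level mutation: bit flip, insert, delete or repeat."""
    buf = bytearray(data)
    op = rng.choice(["flip", "insert", "delete", "repeat"])
    i = rng.randrange(len(buf))
    if op == "flip":
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "insert":
        buf.insert(i, rng.randrange(256))
    elif op == "delete" and len(buf) > 1:
        del buf[i]
    elif op == "repeat":
        j = min(len(buf), i + rng.randrange(1, 8))
        buf[i:i] = buf[i:j]
    return bytes(buf)


def send_case(url, body, timeout=2.0):
    """POST body; return (status, response_bytes). Timeouts/errors give -1."""
    req = request.Request(url, data=body, headers={"Content-Type": "application/json"})
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except error.HTTPError as e:  # 4xx/5xx still carry a body worth reading
        return e.code, e.read()
    except OSError:  # URLError, connection reset, socket timeout
        return -1, b""


def fuzz(url, seed_input, extra_cases=(), iterations=200, seed=0):
    """Run a hand-written corpus plus random mutations of seed_input; return
    findings keyed by (status, error name) with the first reproducing body."""
    rng = random.Random(seed)
    cases = list(extra_cases) + [byte_mutate(seed_input, rng) for _ in range(iterations)]
    findings = {}
    for body in cases:
        status, resp = send_case(url, body)
        if status == -1 or status >= 500:
            try:
                err = json.loads(resp).get("error", "?")
            except ValueError:
                err = "no-json"
            findings.setdefault((status, err), body)  # one reproducer per bucket
    return findings


if __name__ == "__main__":
    api = start_target()
    seed_body = b'{"items": [1, 2, 3]}'  # constructed seed request
    corpus = [b'{"items": [1, "x"]}', b'{"item": []}']  # constructed shape cases
    for (status, err), body in sorted(fuzz(api, seed_body, corpus).items()):
        print(status, err, body)
```

The corpus cases are the interesting part for an API: they are valid JSON with the wrong shape, which is what a structured fuzzer generates on its own and what random byte mutation mostly turns into 400s. Swapping `byte_mutate` for a structure-aware generator and the toy handler for a real endpoint leaves the triage loop unchanged.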