Hacker News new | ask | show | jobs
by dguido 3357 days ago
Very short answer: For web testing, you should run Burp Suite in headless mode. Lots of people use Carbonator to do this:

https://portswigger.net/bappstore/showbappdetails.aspx?uuid=...

Burp Suite is planning on adding native support for continuous integration... integration in the second half of 2017.

If you're reading between the lines: there are _very few_ security testing tools that are built well. So you're asking the wrong question. You don't need a huge list. There are only a small handful of fuzzers or analysis tools I would recommend at all, and Burp is it for web testing.

Most projects out there are hobby projects from people trying to learn something new and ignoring what has already been done. They don't serve a very useful purpose other than as a learning or teaching tool.

We used tried and true basics for our CRS: Radamsa, KLEE, our own open-source binary lifter, and a Python symbolic execution framework built around Z3. Nothing new, or hip, or magic.
2 comments
_pdp_ 3357 days ago
Burp suite does not do a good job at fuzzing APIs - not biased but true. APIs require more structured fuzzers that expose application level problems - not like burp's fuzzers which are working on raw HTTP requests which was useful sometime ago when you had to find bugs in the actual server implementation. This is not relevant in the web application security space anymore apart from the fields of research which is exactly what most web shops not interested to do. You can still use Burp for that but the user needs to do all the heavy lifting by hand. How does Burp do recursive XML or JSON fuzzing? It doesn't. You can write a plugin for that but that defeats the purpose of using an off the shelf tool.
link
dguido 3357 days ago
Yep, it's maybe a little more complicated than I let on. We went through the same process you described on a recent engagement and here was the outcome:

https://github.com/trailofbits/protofuzz

link
bullsandabears 3357 days ago
Big thanks for this reply. I was looking to cut through all the noise you mentioned. I'm finding all I was looking for in the Radamsa readme for starting and next steps. Use cases expressed in unix pipes > clear_as_day.txt. Fuzzing newb at this point but I'll be using your original and other linked presentations for context while working through basics.
link