asielb / fuzzops
Automatically exported from code.google.com/p/fuzzops
What steps will reproduce the problem?
1. Run FuzzOps lots of times
Results:
Occasionally you see the output below repeated indefinitely:
http://10.109.43.239:8080/stack-pet-store-ui/pet?petName=�&classificationIds=8
&classificationIds=2&classificationIds=1&classificationIds=7&resultsPerPage=5&or
derBy=name&sortOrder=ASCENDING
Original issue reported on code.google.com by [email protected]
on 7 Oct 2010 at 5:18
Currently users are having a hard time getting everything compiled and set up
properly to start making changes to the code base.
We should start using maven so that dependencies will be easier to manage and
builds will work consistently.
Original issue reported on code.google.com by [email protected]
on 22 Sep 2010 at 10:12
Theoretically it would be possible to overrun the server with Fuzz Requests. In
the event that long term fuzzing is requested, it may be necessary to limit how
many instances should be run.
Original issue reported on code.google.com by [email protected]
on 21 Sep 2010 at 9:25
It would be valuable to be able to save the fuzz request configurations for
future use and retesting.
This becomes increasingly valuable as request configuration will increase in
complexity.
Original issue reported on code.google.com by [email protected]
on 21 Sep 2010 at 9:42
As fuzzing complexity increases, it would be nice to select which types of
fuzzing modules should be used.
ex:
run the dictionary module, but not the basic fuzzing module.
Original issue reported on code.google.com by [email protected]
on 21 Sep 2010 at 9:43
GET requests may not be enumerated correctly in Applications due to methods
used to create test cases. If an application uses POST it will modularize the
request and its parameters. If GET is used, it would not know how to handle
this.
Original issue reported on code.google.com by [email protected]
on 21 Sep 2010 at 9:48
What steps will reproduce the problem?
1. Start WebFuzzNonApplet.jar
2. Look at default Help tab
What is the expected output? What do you see instead?
Should not see any email address with lds reference. Jar file needs to be
rebuilt and updated.
Original issue reported on code.google.com by [email protected]
on 22 Sep 2010 at 5:51
We should figure out how we will plan to use fuzzops in a non-gui fashion.
This includes several questions.
How will it integrate with tools like maven?
How will it work from within an IDE like eclipse?
How can we allow running it from a command line for other languages and tools?
This would probably involve using a config file to specify options.
Original issue reported on code.google.com by [email protected]
on 4 Oct 2010 at 8:55
What steps will reproduce the problem?
1. Complete a fuzzops
2. Click request File
Result:
java.io.FileNotFoundException: C:\Users\batemansw\Documents\fuzzops\---- (The
system cannot find the file specified)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(FileInputStream.java:106)
at com.google.code.fuzzops.webfuzzer.commands.RequestCommand.execute(RequestCommand.java:32)
at com.google.code.fuzzops.webfuzzer.controller.FuzzApplicationController.handleRequest(FuzzApplicationController.java:33)
at com.google.code.fuzzops.webfuzzer.controller.FuzzControllerThread.run(FuzzControllerThread.java:92)
at java.lang.Thread.run(Thread.java:619)
Original issue reported on code.google.com by [email protected]
on 7 Oct 2010 at 4:57
Clean up svn empty directories, class files, and jar files.
Jar files and other binary files that people may want to use should be added to
the downloads page.
Original issue reported on code.google.com by [email protected]
on 21 Sep 2010 at 9:05
What steps will reproduce the problem?
1. Run fuzzops against the stack petstore
Results:
The crawler runs. The fuzzer errors out with index out of bounds exception.
- CrawlerExecutor terminated
- Closing the browser...
java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
at java.util.ArrayList.RangeCheck(ArrayList.java:547)
at java.util.ArrayList.get(ArrayList.java:322)
at com.google.code.fuzzops.webfuzzer.controller.FuzzEngine.fuzz(FuzzEngine.java:106)
at com.google.code.fuzzops.webfuzzer.crawler.CrawlerThread.initFuzzer(CrawlerThread.java:135)
at com.google.code.fuzzops.webfuzzer.crawler.CrawlerThread.configCrawler(CrawlerThread.java:124)
at com.google.code.fuzzops.webfuzzer.crawler.CrawlerThread.run(CrawlerThread.java:57)
at java.lang.Thread.run(Thread.java:619)
.....
- Total Crawling time(50711ms) ~= 0 min, 51 sec
- EXAMINED ELEMENTS: 170
- CLICKABLES: 10
- STATES: 8
Original issue reported on code.google.com by [email protected]
on 7 Oct 2010 at 4:28
Utilize a SQL database to store results rather than in files.
Suggestion is to store groups of ResultBeans into BLOBs which can be requested
sequentially by the UI.
Original issue reported on code.google.com by [email protected]
on 21 Sep 2010 at 9:28
The Crawljax engine will go beyond the scope of the application unless it is
explicitly limited.
Propose implementing a whitelist based on root domain of the target.
Perhaps log those domains skipped.
Changes need to be made in the CrawlerThread.java to implement this.
Original issue reported on code.google.com by [email protected]
on 21 Sep 2010 at 9:22
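One way to implement the root-domain whitelist with skip logging proposed in the issue above, as an added example that is not FuzzOps or Crawljax code. The class name `CrawlScopeFilter`, its methods and the `petstore.example.test` hosts are hypothetical; how the check would be wired into `CrawlerThread.java` is not shown on this page.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class CrawlScopeFilter {
    private final URI base;
    private final String rootDomain;
    private final List<String> skipped = new ArrayList<>();

    public CrawlScopeFilter(String targetUrl) {
        base = URI.create(targetUrl);
        if (base.getHost() == null) {
            throw new IllegalArgumentException("target has no host: " + targetUrl);
        }
        rootDomain = base.getHost().toLowerCase(Locale.ROOT);
    }

    /** Resolves the link against the target and checks its host; records anything rejected. */
    public boolean inScope(String link) {
        String host = null;
        try {
            host = base.resolve(link).getHost(); // relative links inherit the target host
        } catch (IllegalArgumentException e) {
            // unparseable link: host stays null and the link is treated as out of scope
        }
        boolean ok = host != null && matches(host.toLowerCase(Locale.ROOT));
        if (!ok) skipped.add(link);
        return ok;
    }

    // Exact host or a dot-separated subdomain; a bare substring or suffix test would over-match.
    private boolean matches(String host) {
        return host.equals(rootDomain) || host.endsWith("." + rootDomain);
    }

    public List<String> skipped() { return skipped; }

    public static void main(String[] args) {
        CrawlScopeFilter scope = new CrawlScopeFilter("http://petstore.example.test:8080/stack-pet-store-ui/");
        String[] links = { // constructed sample links
            "pet?petName=&resultsPerPage=5",
            "http://static.petstore.example.test/logo.png",
            "http://petstore.example.test.other.example/",
            "http://notpetstore.example.test/",
            "mailto:admin@petstore.example.test" };
        for (String l : links) System.out.println(scope.inScope(l) + "  " + l);
        System.out.println("skipped (log these): " + scope.skipped());
    }
}
```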
What steps will reproduce the problem?
1. Run the server, input non-default port (8484)
2. Run the client, change the port to 8484
3. Start a fuzz
You get a non-descriptive IO error. The client did not try to use port 8484.
Original issue reported on code.google.com by [email protected]
on 7 Oct 2010 at 4:31
Certain characters cause issues when fuzzing SOAP. These characters need to be
checked in the fuzzing process to be scrubbed in order to avoid issues when
sending requests.
These include, but are not limited to: >, ?, and <
Original issue reported on code.google.com by [email protected]
on 21 Sep 2010 at 9:19
What steps will reproduce the problem?
1. Load up fuzzops and point it to our petstore
2. Fuzz the petstore and view the logs
What do you see instead?
- Executing click on element: "Name" A: class="order-asc"
href="/stack-pet-store-ui/pet?petName=&firstResult=0&orderBy=name&sortOrder=DESC
ENDING&resultsPerPage=5" title="Sort by "Name"" click xpath
/HTML[1]/BODY[1]/DIV[3]/DIV[1]/DIV[1]/DIV[2]/TABLE[1]/THEAD[1]/TR[1]/TH[2]/A[1];
State: state2
- Dom is Changed!
- Correcting state name from state5 to state4
- State state4 added to the StateMachine.
- StateMachine's Pointer changed to: state4
- StateMachine's Pointer changed to: state4 FROM state2
- Running OnNewStatePlugins...
- Crawl failed!
java.lang.ArrayIndexOutOfBoundsException: 1
at com.google.code.fuzzops.webfuzzer.crawler.ModularUrlParameter.<init>(ModularUrlParameter.java:11)
at com.google.code.fuzzops.webfuzzer.crawler.ModularUrl.<init>(ModularUrl.java:19)
at com.google.code.fuzzops.webfuzzer.crawler.GenerateRequestsPlugin.prepareUrl(GenerateRequestsPlugin.java:34)
at com.google.code.fuzzops.webfuzzer.crawler.GenerateRequestsPlugin.onNewState(GenerateRequestsPlugin.java:24)
at com.crawljax.core.plugin.CrawljaxPluginsUtil.runOnNewStatePlugins(CrawljaxPluginsUtil.java:124)
at com.crawljax.core.state.StateMachine.update(StateMachine.java:196)
at com.crawljax.core.Crawler.clickTag(Crawler.java:356)
at com.crawljax.core.Crawler.crawl(Crawler.java:445)
at com.crawljax.core.Crawler.run(Crawler.java:610)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:619)
- Finished executing
Original issue reported on code.google.com by [email protected]
on 5 Oct 2010 at 8:53
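The crawl log above shows a link whose query string contains `petName=` with an empty value, and the trace ends in the `ModularUrlParameter` constructor at index 1. In Java, `"petName=".split("=")` returns a one-element array, so reading element 1 fails in exactly this way; that this is the cause here is an assumption, since the project source is not on this page. The added example below (not FuzzOps code; `QueryParams` is a hypothetical name) parses a query string while tolerating empty values, bare names, repeated names and malformed percent escapes.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class QueryParams {
    /** Splits a raw query string into name -> values, keeping repeated names in order. */
    static Map<String, List<String>> parse(String query) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        if (query == null || query.isEmpty()) return out;
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) continue;               // tolerate "a=1&&b=2"
            int eq = pair.indexOf('=');                 // first '=' only; the value may contain more
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            out.computeIfAbsent(decode(name), k -> new ArrayList<>()).add(decode(value));
        }
        return out;
    }

    /** Percent-decodes; fuzzed input may hold invalid escapes, so fall back to the raw text. */
    static String decode(String s) {
        try {
            return URLDecoder.decode(s, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return s;
        }
    }

    public static void main(String[] args) {
        // The split() behaviour that produces an index-1 failure on an empty value
        System.out.println("split length for \"petName=\": " + "petName=".split("=").length);

        // Query string modelled on the URLs quoted in the issues on this page
        String q = "petName=&classificationIds=8&classificationIds=2"
                 + "&resultsPerPage=5&orderBy=name&sortOrder=ASCENDING&bad=%zz";
        System.out.println(parse(q));
    }
}
```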
What steps will reproduce the problem?
1. Put the wrong port in the client
2. Request a fuzz
3.
What is the expected output? What do you see instead?
There is no real output except in the IDE, and it only says "IOError"
Original issue reported on code.google.com by [email protected]
on 7 Oct 2010 at 5:37
The ability to replay certain errors to ensure that specific error causing
conditions have been fixed in new builds of target applications.
Original issue reported on code.google.com by [email protected]
on 21 Sep 2010 at 9:39
Need a quick mode of cycling through errors without having to cut & paste results
from table into the browser.
Possible plugin, screen shots, turning url into active link, etc
Original issue reported on code.google.com by [email protected]
on 21 Sep 2010 at 9:36
Need to add REST enumeration to allow fuzzing of REST services.
Original issue reported on code.google.com by [email protected]
on 21 Sep 2010 at 9:20
What steps will reproduce the problem?
1. Fire up the server
2. Set the output directory to a folder that doesn't exist
3. Start a fuzzing session.
What is the expected output?
Directory is created or you are given a chance to change the output dir.
What do you see instead?
It fails silently.
Original issue reported on code.google.com by [email protected]
on 5 Oct 2010 at 4:45
When fuzzing SOAP requests, the monitor is showing that only the first
character of the fuzz data is actually being inserted.
Original issue reported on code.google.com by [email protected]
on 22 Sep 2010 at 8:42
Certain results will cause errors in the .csv file when downloading fuzz
results.
Most likely generated by new line/carriage return data from the fuzz generator.
Original issue reported on code.google.com by [email protected]
on 21 Sep 2010 at 9:26
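The issue above attributes the broken .csv export to newline and carriage-return data from the fuzz generator. The added example below (not FuzzOps code; `CsvResultWriter` and the sample row are constructed for illustration) quotes fields the way RFC 4180 describes and counts records with a quote-aware scan, so the unescaped and escaped outputs can be compared.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

public class CsvResultWriter {
    /** Quotes a field if it holds a comma, quote, CR or LF; embedded quotes are doubled. */
    static String escape(String field) {
        if (field == null) return "";
        boolean special = field.contains(",") || field.contains("\"")
                || field.contains("\n") || field.contains("\r");
        return special ? "\"" + field.replace("\"", "\"\"") + "\"" : field;
    }

    static String row(List<String> fields) {
        return fields.stream().map(CsvResultWriter::escape)
                .collect(Collectors.joining(",")) + "\r\n";
    }

    /** Counts record terminators that fall outside quoted fields. */
    static int countRecords(String csv) {
        int records = 0;
        boolean inQuotes = false;
        for (char c : csv.toCharArray()) {
            if (c == '"') inQuotes = !inQuotes;         // a doubled quote toggles twice
            else if (c == '\n' && !inQuotes) records++;
        }
        return records;
    }

    public static void main(String[] args) {
        List<String> header = Arrays.asList("url", "payload", "status");
        // Constructed fuzz result whose payload carries CRLF, a comma and quotes
        List<String> result = Arrays.asList(
                "http://petstore.example.test/pet", "abc\r\n500,\"oops\"", "200");

        String naive = String.join(",", header) + "\r\n" + String.join(",", result) + "\r\n";
        String safe = row(header) + row(result);

        System.out.println("records without escaping: " + countRecords(naive));
        System.out.println("records with escaping:    " + countRecords(safe));
        System.out.print(safe);
    }
}
```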
Certain people are having issues fuzzing SOAP. The fuzzer seems to get stuck on
retrieving the WSDL. May be an issue with accepting certificates, etc.
Original issue reported on code.google.com by [email protected]
on 22 Sep 2010 at 8:44
Create a fuzzing module that would allow the tester to upload or use
pre-uploaded attack dictionaries to test against their targets.
Original issue reported on code.google.com by [email protected]
on 21 Sep 2010 at 9:44