Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

HTTP fuzzing help

From: David Fifield <david () bamsoftware com>
Date: Thu, 2 Apr 2009 21:06:38 -0600
Hi,

In the /nmap-exp/david/ncat-proxy branch there are revisions that allow
Ncat's proxy mode to require authentication. You use it like this:

        ncat -l --proxy-type http --proxy-auth user:pass

(Previously --proxy-auth only worked in connect mode.) This code is
ready to merge but I would like some help testing it for security. Each
new feature Ncat gains adds a little bit of complexity, and in my mind
the word "complexity" is followed "bugs" which is then followed by
"remote exploit." I want to maintain the good name of the Nmap project;
and it's too easy for me working alone to make a mistake.

As part of the security testing I wanted to try fuzz testing, which I
haven't done before. However I don't know where to start, so I'm asking
for advice. I need something that can fuzz HTTP requests. My overall
plan is to run the proxy server as above and feed it variations on this
file:

CONNECT localhost:10000 HTTP/1.0
Proxy-Authorization: dXNlcjpwYXNz

blah

I tried this one: http://code.google.com/p/bunny-the-fuzzer/ by Michal
Zalewski. It looks interesting, instrumenting your code and adjusting
the data to exercise different code paths. But when I ran it like this:

        PATH=~/bunny:$PATH bunny-main -i bunny/in_dir -o bunny/out_dir -t 127.0.0.1:31337 ./ncat -l localhost 
--proxy-type http --proxy-auth user:pass -vvv

and it has been sitting at "New call path - process calibration" with
100% CPU for over an hour.

So can anyone recommend an HTTP fuzzer, or tellme how to use Bunny the
Fuzzer correctly?

By the way, if you want to try the proxy auth code, you have to create a
dummy nmap tree like this:

        svn co --ignore-externals svn://svn.insecure.org/nmap nmap-proxy
        cd nmap-proxy
        svn propedit svn:externals . # Change the ncat external.
        svn up

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Previous By Date Next
Previous By Thread Next

Current thread: