Nmap Development mailing list archives
HTTP fuzzing help
From: David Fifield <david () bamsoftware com>
Date: Thu, 2 Apr 2009 21:06:38 -0600
Hi,

In the /nmap-exp/david/ncat-proxy branch there are revisions that allow Ncat's proxy mode to require authentication. You use it like this:

    ncat -l --proxy-type http --proxy-auth user:pass

(Previously --proxy-auth only worked in connect mode.)

This code is ready to merge but I would like some help testing it for security. Each new feature Ncat gains adds a little bit of complexity, and in my mind the word "complexity" is followed by "bugs" which is then followed by "remote exploit." I want to maintain the good name of the Nmap project; and it's too easy for me working alone to make a mistake.

As part of the security testing I wanted to try fuzz testing, which I haven't done before. However I don't know where to start, so I'm asking for advice. I need something that can fuzz HTTP requests. My overall plan is to run the proxy server as above and feed it variations on this file:

    CONNECT localhost:10000 HTTP/1.0
    Proxy-Authorization: dXNlcjpwYXNz

    blah

I tried this one:

    http://code.google.com/p/bunny-the-fuzzer/

by Michal Zalewski. It looks interesting, instrumenting your code and adjusting the data to exercise different code paths. But when I ran it like this:

    PATH=~/bunny:$PATH bunny-main -i bunny/in_dir -o bunny/out_dir -t 127.0.0.1:31337 ./ncat -l localhost --proxy-type http --proxy-auth user:pass -vvv

it has been sitting at "New call path - process calibration" with 100% CPU for over an hour.

So can anyone recommend an HTTP fuzzer, or tell me how to use Bunny the Fuzzer correctly?

By the way, if you want to try the proxy auth code, you have to create a dummy nmap tree like this:

    svn co --ignore-externals svn://svn.insecure.org/nmap nmap-proxy
    cd nmap-proxy
    svn propedit svn:externals .   # Change the ncat external.
    svn up

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
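A small request fuzzer of the kind the post is asking about, added here as an example (it is not Ncat or Nmap code, and not the author's). It takes the CONNECT request and the user:pass credentials from the post as its seed, generates structural variants aimed at the header parser and the base64 credential handling plus seeded random byte damage, and feeds each case to a proxy assumed to be listening on 127.0.0.1:31337 (Ncat's default port, as in the bunny command line above). A case after which the next connection is refused means the listener process died; a timeout on a case that should have been answered means a hang. Both cases are written to disk so they can be replayed under a debugger.

```python
"""Feed malformed CONNECT requests to an HTTP proxy under test and
classify the outcome. Example code; the seed request and the
user:pass credentials come from the mailing-list post, the host/port
and everything else here is constructed."""
import base64
import random
import socket

# Seed request from the post. HTTP needs CRLF line endings and a blank
# line to end the header block; "blah" is data sent after the headers.
SEED = (b"CONNECT localhost:10000 HTTP/1.0\r\n"
        b"Proxy-Authorization: dXNlcjpwYXNz\r\n"
        b"\r\n"
        b"blah")

CREDS_B64 = base64.b64encode(b"user:pass")  # == b"dXNlcjpwYXNz"


def structural_cases(seed=SEED):
    """Hand-written variants targeting line parsing and credential decoding.
    Note: 'no_terminator' is expected to time out (the server is still
    waiting for headers); a timeout on any other case is suspicious."""
    lines = seed.split(b"\r\n")
    request_line, auth, rest = lines[0], lines[1], lines[2:]
    return {
        "seed": seed,
        "lf_only": seed.replace(b"\r\n", b"\n"),
        "cr_only": seed.replace(b"\r\n", b"\r"),
        "no_terminator": seed.rsplit(b"\r\n\r\n", 1)[0],
        "auth_missing": b"\r\n".join([request_line] + rest),
        "auth_empty": b"\r\n".join([request_line, b"Proxy-Authorization:"] + rest),
        "auth_truncated": seed.replace(CREDS_B64, CREDS_B64[:-1]),   # invalid base64 length
        "auth_bad_b64": seed.replace(CREDS_B64, b"!!!not-base64!!!"),
        "auth_no_colon": seed.replace(CREDS_B64, base64.b64encode(b"userpass")),
        "auth_nul": seed.replace(CREDS_B64, base64.b64encode(b"user\x00:pass")),
        "auth_huge": seed.replace(CREDS_B64, base64.b64encode(b"u" * 65536 + b":pass")),
        "auth_repeated": b"\r\n".join([request_line, auth, auth] + rest),
        "auth_basic_scheme": seed.replace(b": " + CREDS_B64, b": Basic " + CREDS_B64),
        "header_no_space": seed.replace(b"Proxy-Authorization: ", b"Proxy-Authorization:"),
        "long_request_line": seed.replace(b"localhost:10000", b"a" * 8192 + b":10000"),
        "port_garbage": seed.replace(b":10000", b":99999999999999999999"),
        "many_headers": b"\r\n".join([request_line, auth] + [b"X-Pad: x"] * 5000 + rest),
        "empty": b"",
        "crlf_only": b"\r\n\r\n",
    }


def mutate_bytes(data, rng, n_ops=1):
    """Random byte-level damage: bit flip, insert, delete, or duplicate a run."""
    buf = bytearray(data)
    for _ in range(n_ops):
        if not buf:
            buf.extend(rng.randrange(256) for _ in range(4))
            continue
        op = rng.choice(("flip", "insert", "delete", "dup"))
        i = rng.randrange(len(buf))
        if op == "flip":
            buf[i] ^= 1 << rng.randrange(8)
        elif op == "insert":
            buf.insert(i, rng.randrange(256))
        elif op == "delete":
            del buf[i]
        else:
            j = min(len(buf), i + rng.randrange(1, 64))
            buf[i:i] = buf[i:j]
    return bytes(buf)


def random_cases(seed=SEED, count=200, rng_seed=1):
    """Seeded RNG so a case that crashed the target can be regenerated."""
    rng = random.Random(rng_seed)
    return {"rand%04d" % i: mutate_bytes(seed, rng, rng.randrange(1, 8))
            for i in range(count)}


def send_case(payload, host="127.0.0.1", port=31337, timeout=3.0):
    """Deliver one case and classify: 'replied', 'closed', 'timeout', 'refused'.
    'refused' right after earlier cases got replies means the proxy is gone."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            data = s.recv(4096)
            return "replied" if data else "closed"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except (ConnectionResetError, BrokenPipeError):
        return "closed"


def run_campaign(cases, **conn):
    """Run all cases; save any that hang or are followed by a dead listener."""
    results = {}
    for name, payload in cases.items():
        outcome = results[name] = send_case(payload, **conn)
        if outcome in ("timeout", "refused"):
            with open("case-%s.bin" % name, "wb") as f:
                f.write(payload)
            print("%s: %s (saved)" % (name, outcome))
            if outcome == "refused":
                break  # target died; restart it and replay the saved case
    return results


if __name__ == "__main__":
    cases = structural_cases()
    cases.update(random_cases())
    print(run_campaign(cases))
```

Run the proxy first, for example with the ncat command line from the post, then run this script against it; restart the proxy between campaigns so a refused connection is a reliable crash signal. Expect "replied" (a 407 or similar) for most structural cases and "closed" for badly damaged random ones; anything else is worth replaying under gdb or valgrind.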