[OWASP-WEBSCARAB] Fuzzer

Ofer Shezaf Ofer.Shezaf at breach.com
Fri Apr 15 19:55:21 EDT 2005


Hi Rogan,

> 
> Depending on the amount of "insight" we have into the way the system
> works, we may be able to define some of these parameters in a more
> detailed way, e.g. type (String, Number, Date, Filename, etc)
> 
> We can get this information about a system in a couple of ways:
> 
> * By analysing the conversations that we see (via the different
> WebScarab plugins, e.g. Proxy, Manual Request, Spider, etc)
> 
> * By analysing WSDL for various exported WebServices.
> 
> * Maybe other ways. ;-)
> 
> Obviously, if we consider that a Cookie can be a parameter, things like
> images, javascript, css, etc, could be mistaken for an interesting
> "method".
> 

We at Breach Security make a system that provides such insight by
learning traffic (not open source though). In order to get information
from our system or any other system that knows something about the
application you will need some standard way to represent the
information, for example some XML format, even an extension to WSDL. 

If you enable importing such information, we could export it. Others
could make tools that derive that information from source code, javaDoc,
by sniffing traffic, or by analyzing web server logs.

The information that we can provide is:
- List of pages on the site
- List of parameters for each page
- Type of the parameter
- Depending on the type of parameter:
	- List of values for the parameter
	- Range of values for the parameter
	- Range of lengths for the parameter
	- Characters allowed in the parameter.

~ Ofer


Ofer Shezaf
CTO, Breach Security

Tel: +972.9.956.0036 ext.212
Cell: +972.54.443.1119
ofers at breach.com
http://www.breach.com 
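The page/parameter profile listed in the message, as an added example that is not code from the thread, Breach Security or WebScarab: a Python sketch that loads such a profile from a hypothetical XML layout (the message only says "some XML format", so the element and attribute names are assumptions) and checks observed request values against it, reporting what falls outside the learned model.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in a hypothetical XML layout: the message only suggests
# "some XML format", so element and attribute names here are assumptions.
PROFILE_XML = """<site>
  <page path="/login.jsp">
    <param name="user" type="String" minlen="3" maxlen="16" chars="[A-Za-z0-9_]"/>
    <param name="remember" type="List" values="yes,no"/>
  </page>
  <page path="/account.jsp">
    <param name="id" type="Number" min="1" max="999999"/>
  </page>
</site>"""

def load_profile(xml_text):
    """Parse the profile into {page_path: {param_name: {constraint: value}}}."""
    root = ET.fromstring(xml_text)
    return {page.get("path"): {p.get("name"): dict(p.attrib) for p in page.findall("param")}
            for page in root.findall("page")}

def check_value(spec, value):
    """Return the names of the profile constraints an observed value violates."""
    bad = []
    if "values" in spec and value not in spec["values"].split(","):
        bad.append("values")
    if spec.get("type") == "Number":
        if not re.fullmatch(r"-?\d+", value):
            return ["type"]  # range checks are meaningless for a non-number
        n = int(value)
        bad += [k for k, ok in (("min", n >= int(spec.get("min", n))),
                                ("max", n <= int(spec.get("max", n)))) if not ok]
    if "minlen" in spec and len(value) < int(spec["minlen"]):
        bad.append("minlen")
    if "maxlen" in spec and len(value) > int(spec["maxlen"]):
        bad.append("maxlen")
    # "chars" is a character class; every character of the value must match it
    if "chars" in spec and not re.fullmatch(spec["chars"] + "*", value):
        bad.append("chars")
    return bad

def check_request(profile, path, params):
    """Check one observed request against the profile as a positive model:
    unknown pages and parameters are reported, not only out-of-profile values."""
    page = profile.get(path)
    if page is None:
        return {"<page>": ["unknown page"]}
    report = {n: ["unknown parameter"] if n not in page else check_value(page[n], v)
              for n, v in params.items()}
    return {n: v for n, v in report.items() if v}
```

An empty result means the request fits the profile; each key of a non-empty result names the parameter (or the page) and which learned constraint it broke.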