{"id":1369,"date":"2013-08-16T08:06:27","date_gmt":"2013-08-16T15:06:27","guid":{"rendered":"http:\/\/blog.mozilla.org\/security\/?p=1369"},"modified":"2013-08-16T08:06:27","modified_gmt":"2013-08-16T15:06:27","slug":"introducing-fuzzdb","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2013\/08\/16\/introducing-fuzzdb\/","title":{"rendered":"Introducing FuzzDB"},"content":{"rendered":"<div id=\"magicdomid3\"><\/div>\n<div id=\"magicdomid4\">FuzzDB is an open source database of attack patterns, predictable resource names, regex patterns for identifying interesting server responses, and documentation resources. It&#8217;s most often used for testing the security of web applications, but it can be useful for many other things. FuzzDB started off as years of my own personal documentation and research notes and gradually evolved into its current form.<\/div>\n<div id=\"magicdomid6\"><p>This is the first of a series of blog posts about FuzzDB. It discusses:<\/p>\n<ul>\n<li>The problem that led to the creation of FuzzDB<\/li>\n<li>What kinds of things are in FuzzDB<\/li>\n<li>The different ways in which FuzzDB can be used<\/li>\n<li>The future of FuzzDB<\/li>\n<\/ul>\n<p>FuzzDB is hosted at Google Code: <a href=\"https:\/\/code.google.com\/p\/fuzzdb\/\">https:\/\/code.google.com\/p\/fuzzdb\/<\/a><\/p><\/div>\n<h2><b>Thinking About Test Cases<\/b><\/h2>\n<div id=\"magicdomid16\"><\/div>\n<div id=\"magicdomid19\">A lot of attention has been paid to identifying attackable surface area, but less to the development of attack pattern libraries. When we dynamically test web applications for security vulnerabilities, how good are the test cases we\u2019re using?<\/div>\n<div>Commercial web scanning tool vendors put significant research effort into this problem, but the product of that research is treated as intellectual property and locked up inside the tool. 
As users, to learn what kinds of test cases a scanner generates, we would need to painstakingly record and analyze its traffic. At the time I initially released FuzzDB, most open source web fault injection tools shipped with sets of test cases that were woefully incomplete and inadequate. There are too many permutations of symbols and encodings used in web protocols for anyone to reliably and repeatably recall all of them. As for the commercial tools, how complete are their sets of test cases, anyway? It\u2019s not always easy to tell. What were they actually testing for? These tools aren\u2019t just test case lists; they\u2019re lists wrapped in complex sets of rules that determine which test cases to use when and where. After considering these details, I had some doubts about the effectiveness of the typical application testing process.<\/div>\n<div id=\"magicdomid21\">My thoughts turned to increasing the speed and accuracy with which I could find certain classes of vulnerabilities during assessments. I began collecting, categorizing, and using lists of attack strings and of common file and directory names. Eventually I organized them into what is now FuzzDB and made it freely available under an open source license, the <a href=\"http:\/\/creativecommons.org\/licenses\/by\/3.0\/\">Creative Commons Attribution<\/a> license.<\/div>\n<div id=\"magicdomid23\">As with any tool, an individual with malicious intent could use FuzzDB in bad ways. However, I believe that it&#8217;s better to provide this information for the security of all. More importantly, if developers and testers have access to a good set of test cases, they can run their software against those cases before it ships, so what is released has already passed them.<\/div>\n<div id=\"magicdomid25\">That&#8217;s my ultimate goal for FuzzDB: for it to become obsolete as an attack tool because applications become more secure. 
When applications and frameworks are inoculated against its patterns through testing and secure coding techniques, bad actors will no longer find the patterns in FuzzDB useful.<\/div>\n<h2 id=\"magicdomid27\"><b>What&#8217;s in FuzzDB?<\/b><\/h2>\n<div id=\"magicdomid29\"><b>Predictable Resource Locations &#8211;<\/b> Because there are only a small number of popular server operating systems and infrastructure application packaging systems, resources such as logfiles and administrative directories are typically found in a small number of predictable locations. FuzzDB contains a comprehensive database of these, categorized by OS platform, web server, and application. The intent is for a tester to use these lists to make educated rather than brute-force guesses, significantly increasing the likelihood of successful forced browsing to interesting and vulnerable resources. The same lists are also suitable for building automated scanners and IDS\/IPS signatures.<\/div>\n<div id=\"magicdomid31\"><b>Attack Patterns &#8211; <\/b>The attack pattern test-case sets are categorized by platform, language, and attack type. These are malicious and malformed inputs known to cause information leakage and exploitation. FuzzDB contains comprehensive lists of attack payloads known to trigger issues like OS command injection, directory listings, directory traversal, source exposure, file upload bypass, authentication bypass, HTTP header CRLF injection, and more.<\/div>\n<div id=\"magicdomid33\">When I say \u201cmalicious inputs,\u201d I mean it. Downloading the project may cause antivirus alerts or trigger pattern-based malicious code sensors. 
While FuzzDB is itself nothing but a collection of text files that are harmless on their own, some of the patterns included in the files have been used extensively in worms, malware, and other exploits.<\/div>\n<div id=\"magicdomid35\"><b>Response Analysis &#8211;<\/b> Since system responses also contain predictable strings, FuzzDB contains a set of regex pattern dictionaries: interesting error messages that help detect software security defects, lists of common session ID cookie names, regexes for numerous kinds of Personally Identifiable Information, and more.<\/div>\n<div id=\"magicdomid37\"><b>Documentation &#8211; <\/b>Helpful documentation and cheatsheets, sourced from around the web, that are relevant to the payload categories.<\/div>\n<div id=\"magicdomid39\"><b>Other useful stuff &#8211; <\/b>Webshells, common password and username lists, and some handy wordlists.<\/div>\n<div id=\"magicdomid41\">You can browse its contents using <a href=\"https:\/\/code.google.com\/p\/fuzzdb\/source\/browse\/#svn%2Ftrunk\">Google Code\u2019s source browser<\/a>.<\/div>\n<h2>What can FuzzDB be used for?<\/h2>\n<div id=\"magicdomid47\">\n<ul>\n<li>Web application penetration testing using popular penetration testing tools like OWASP ZAP or Burp Suite<\/li>\n<li>A standard ZAP Intercepting Proxy <a href=\"https:\/\/code.google.com\/p\/zap-extensions\/wiki\/AddOn_fuzzdb\">add-on<\/a><\/li>\n<li>Building new automated scanners and automation-assisted manual penetration test tools<\/li>\n<li>Testing network services that use something other than HTTP semantics<\/li>\n<li>As malicious inputs for testing GUI or command-line software<\/li>\n<li>Using the patterns to make your open source or commercially licensed application better<\/li>\n<li>Identifying interesting responses to your probes. 
Here is a <a href=\"http:\/\/code.google.com\/p\/fuzzdb\/wiki\/regexerrors\">screenshot<\/a> illustrating how this looks in Burp Suite<\/li>\n<li>Testing your IDS or IPS by using these test cases to \u201cattack\u201d your web server<\/li>\n<li>Testing during a bake-off of web security product vendors<\/li>\n<li>Testing a new custom web server or other network service for vulnerability to the patterns that have worked on one or more other platforms in the past<\/li>\n<li>Building intrusion identification and response systems<\/li>\n<li>Winning application security Capture the Flag competitions<\/li>\n<li>As a learning tool for better understanding the many different malicious byte combinations that can trigger the same vulnerability<\/li>\n<\/ul>\n<p>If you\u2019re using FuzzDB in a novel way, I\u2019d love to hear about it!<\/p>\n<\/div>\n<h2 id=\"magicdomid62\">The Future of FuzzDB<\/h2>\n<div id=\"magicdomid64\"><p>There is still a lot of work to be done to improve FuzzDB. My plan for the upcoming year includes:<\/p>\n<ul>\n<li>Respond to the outstanding bugs<\/li>\n<li>Come up with a consistent naming structure (this is actually one of the bugs)<\/li>\n<li>Write more documentation, such as these blog posts<\/li>\n<li>Update the Discovery files; they\u2019re still very useful, but a few years old<\/li>\n<li>Improve some of the Attack payload categories<\/li>\n<li>Help it work better with <a href=\"https:\/\/www.owasp.org\/index.php\/OWASP_Zed_Attack_Proxy_Project\">OWASP ZAP<\/a> and <a href=\"https:\/\/wiki.mozilla.org\/Security\/Projects\/Minion\">Minion<\/a><\/li>\n<\/ul>\n<p>In addition, FuzzDB will move into a wiki that will allow discussion of the contents and permit collaboration on new items. If you\u2019re interested in helping in any of these areas, have suggestions such as a consistent directory and name format for FuzzDB, or have more fuzz files to send, I\u2019d love to hear from 
you.<\/div>\n","protected":false},"excerpt":{"rendered":"<p>FuzzDB is an open source database of attack patterns, predictable resource names,\u00a0 regex patterns for identifying interesting server responses, and documentation resources. It&#8217;s most often used testing the security of &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2013\/08\/16\/introducing-fuzzdb\/\">Read more<\/a><\/p>\n","protected":false},"author":54,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Introducing FuzzDB - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2013\/08\/16\/introducing-fuzzdb\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Al Billings\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/08\/16\/introducing-fuzzdb\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2013\/08\/16\/introducing-fuzzdb\/\",\"name\":\"Introducing FuzzDB - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2013-08-16T15:06:27+00:00\",\"dateModified\":\"2013-08-16T15:06:27+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/d33dd2d17a8109165b6df7d1245e33fc\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/08\/16\/introducing-fuzzdb\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2013\/08\/16\/introducing-fuzzdb\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/08\/16\/introducing-fuzzdb\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Introducing FuzzDB\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/d33dd2d17a8109165b6df7d1245e33fc\",\"name\":\"Al 
Billings\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/9456a97c7c46aaacc293dfb3e668ecfd\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/59eb615338adae529ebe54960f87cd0c?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/59eb615338adae529ebe54960f87cd0c?s=96&d=identicon&r=g\",\"caption\":\"Al Billings\"},\"sameAs\":[\"https:\/\/openbuddha.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Introducing FuzzDB - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2013\/08\/16\/introducing-fuzzdb\/","twitter_misc":{"Written by":"Al Billings","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2013\/08\/16\/introducing-fuzzdb\/","url":"https:\/\/blog.mozilla.org\/security\/2013\/08\/16\/introducing-fuzzdb\/","name":"Introducing FuzzDB - Mozilla Security 
Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2013-08-16T15:06:27+00:00","dateModified":"2013-08-16T15:06:27+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/d33dd2d17a8109165b6df7d1245e33fc"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2013\/08\/16\/introducing-fuzzdb\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2013\/08\/16\/introducing-fuzzdb\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2013\/08\/16\/introducing-fuzzdb\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Introducing FuzzDB"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/d33dd2d17a8109165b6df7d1245e33fc","name":"Al Billings","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/9456a97c7c46aaacc293dfb3e668ecfd","url":"https:\/\/secure.gravatar.com\/avatar\/59eb615338adae529ebe54960f87cd0c?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/59eb615338adae529ebe54960f87cd0c?s=96&d=identicon&r=g","caption":"Al 
Billings"},"sameAs":["https:\/\/openbuddha.com"]}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1369"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/54"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=1369"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1369\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=1369"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=1369"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=1369"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=1369"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
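The following is an added example, not code from the FuzzDB project or from the post above. It wires the two kinds of list the "What's in FuzzDB?" section describes, predictable resource locations and response-analysis regexes, together with a short attack-payload list into the loop a tool such as Burp Intruder or the ZAP add-on runs: forced browsing with a wordlist, then injecting each payload into a parameter and grepping every response for tell-tale strings. The wordlist, payloads and regexes are small constructed stand-ins rather than FuzzDB's real files, and the `/search` endpoint, the `q` parameter, the pattern names and the site contents are assumptions made for this example; the target is an in-process HTTP server serving a constructed, deliberately leaky site so the script runs offline.

```python
"""Added example (not FuzzDB's code or the post's): a minimal forced-browsing and
response-analysis loop. The lists below are constructed stand-ins for FuzzDB-style
files; the target is an in-process HTTP server serving a constructed, leaky site."""
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen

# Constructed stand-ins for FuzzDB-style lists (assumed content, not FuzzDB's files).
DISCOVERY_WORDLIST = ["admin/", "backup.zip", "phpinfo.php", ".git/HEAD", "robots.txt"]
ATTACK_PAYLOADS = ["'", "\"", "../../../../etc/passwd", "<script>alert(1)</script>"]
RESPONSE_PATTERNS = {  # response-analysis regexes: what an interesting reply looks like
    "mysql-error": re.compile(r"You have an error in your SQL syntax", re.I),
    "unix-passwd": re.compile(r"^root:x:0:0:", re.M),
    "java-trace": re.compile(r"\bat [\w.$]+\(\w+\.java:\d+\)"),
}
# Constructed target: two real paths plus a /search endpoint that leaks on bad input.
SITE = {
    "/admin/": (200, "<html>Admin console</html>"),
    "/backup.zip": (200, "PK\x03\x04 not really a zip"),
}


class LeakyTarget(BaseHTTPRequestHandler):
    """Deliberately weak handler standing in for an application under test."""

    def log_message(self, *args):  # silence per-request logging
        pass

    def do_GET(self):
        url = urlparse(self.path)
        if url.path == "/search":
            q = parse_qs(url.query).get("q", [""])[0]
            if "'" in q:  # simulated unescaped SQL string: the database error leaks
                self._reply(500, "<b>Error:</b> You have an error in your SQL syntax near ''")
            elif "../" in q:  # simulated path traversal: file contents leak
                self._reply(200, "root:x:0:0:root:/root:/bin/bash\n")
            else:
                self._reply(200, "<html>No results for %s</html>" % q)
            return
        status, body = SITE.get(url.path, (404, "<html>Not Found</html>"))
        self._reply(status, body)

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_target():
    """Serve the constructed site on a random loopback port; return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), LeakyTarget)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]


def fetch(url):
    """GET a URL and return (status, body); error responses still yield their body."""
    try:
        with urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def analyze(body):
    """Names of the RESPONSE_PATTERNS that match a response body, sorted."""
    return sorted(name for name, rx in RESPONSE_PATTERNS.items() if rx.search(body))


def discover(base, wordlist):
    """Forced browsing: request each predictable path, keep whatever is not a 404."""
    found = []
    for word in wordlist:
        path = "/" + word
        status, body = fetch(base + path)
        if status != 404:
            found.append((path, status, analyze(body)))
    return found


def fuzz_param(base, path, param, payloads):
    """Inject each payload into one query parameter; report 5xx replies or regex hits."""
    hits = []
    for payload in payloads:
        status, body = fetch(base + path + "?" + urlencode({param: payload}))
        matches = analyze(body)
        if status >= 500 or matches:
            hits.append((payload, status, matches))
    return hits


if __name__ == "__main__":
    base_url = start_target()
    for item in discover(base_url, DISCOVERY_WORDLIST):
        print("found:", item)
    for item in fuzz_param(base_url, "/search", "q", ATTACK_PAYLOADS):
        print("hit:  ", item)
```

Run it directly to see the two discovered paths and the two payloads that produce regex hits (the unbalanced quote surfaces a database error, the traversal string surfaces a passwd line). Against a real target you would load FuzzDB's discovery and regex files in place of the inline lists, and add scope checks and rate limiting before pointing it at anything you do not own.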