I came across OWASP’s<\/a> JBroFuzz<\/a> and think I’ve found a good match. The tool provides a variety of brute force options and includes some nice graphing and statistics to analyze the information. I was also happy to see some nice documentation<\/a> so I could quickly get up and running. My only compliant at the moment is that the proxy setup is a little clunky and not-intuitive at first. But again, as long as you follow the guide<\/a>, it shouldn’t be an issue.<\/p>\n When do I plan to use this new found fuzzer? 2. When a site relies heavily on complex regular expressions for input validation and has weak output encoding. Yes, we can make the argument straight away that this is an issue. But its very powerful to make your case with a working exploit. Otherwise, you are trying to justify a bug fix to an issue that may or may not be currently exploitable. This can be a tough sell if developers are heavily leveraged with feature enhancements, new functionality, upcoming releases, etc.<\/p>\n This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide. Talkback and comments are most welcome<\/p>\n Related posts I decided to search out a good web fuzzer for some testing needs. I wanted a fuzzer that was capable, customizable and could support my testing. The last thing I wanted was some sort of all-in-one application security scanner (since the false positives can just get ridiculous at times). Nope, all I needed was some […]<\/p>\n","protected":false},"author":5679,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-513285","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/513285","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/users\/5679"}],"replies":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/comments?post=513285"}],"version-history":[{"count":0,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/513285\/revisions"}],"wp:attachment":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/media?parent=513285"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/categories?post=513285"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/tags?post=513285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![](\"http:\/\/www.owasp.org\/images\/thumb\/e\/ea\/JBroFuzz-ScreenShot.png\/300px-JBroFuzz-ScreenShot.png\")
<\/a><\/div>\n
1. Sites where I don’t have source for some reason. This is actually a rarity. If you want someone to assess the security of your web app, you should really give them the source code. Quick aside: if the consultants you select for an assessment aren’t asking for source code, an alarm should go off in your head. If they don’t do source code analysis, then they aren’t doing there job.<\/p>\n
The original text is published on …Application Security…<\/a><\/p>\n
Skipfish – New Web Security Tool from Google<\/a>
Tutorial – Using Ratproxy for Web Site Vulnerability Analysis<\/a>
How To – Malicious Web SIte Analysis Environment<\/a>
Web Site that is not that easy to hack – Part 1 HOWTO – the bare necessities<\/a>
Checking web site security – the quick approach<\/a><\/p>\n
<\/p>\n","protected":false},"excerpt":{"rendered":"