Over the last few months I've been developing a fuzz tester for web applications as part of my MSc project. If you don't know what fuzz testing is, it is basically where you throw random or unexpected input at programs and see how they respond. With a web app, that might be anything from binary data to specially crafted SQL injection strings.
Fuzz testing is very important for security, and unfortunately not many QA teams do it, since the current range of fuzz testers out there are either too confusing to use, not powerful enough, or can't easily be automated. My fuzz tester aims to be the ultimate solution: simple to configure, able to test any part of an HTTP request, and fully automated.
I'll be continuing development of the fuzz tester after I submit the MSc Project (early September), but I really want people who understand web applications to test it and report back bugs / suggest features. If you are interested, please let me know in this thread.
Current Features:
- It's a command-line application (outputs results to stdout and an HTML file).
- Tests can be configured using an XML-based "scripting" language. This is both great (because XML is so easy to write), and horrific (because XML really shouldn't be used this way).
- Any (yes, any) part of an HTTP request can be "fuzzed".
- Fuzz values can be taken from a file (line by line), from a number incrementor (either integer or double), or from random binary input.
- You can use multiple different fuzz values in the same HTTP request (something that is lacking in almost every fuzz tester I could find).
- You can easily check for the presence of strings or fuzz values in the HTTP response, or even an HTTP response unrelated to the one that was fuzzed (again, something lacking in other fuzz testers).
I have a list of features that I'll hopefully be adding over the next few weeks before I finally submit it for review. For now though, that's it.