Too much new software is vulnerable to the attack sequences of yesteryear. This suggests a testing approach: a comprehensive set of known attack pattern sequences can be leveraged for use in targeted fuzzing when testing for exploitable conditions in new applications.Fuzzdb is a comprehensive set of known attack pattern sequences, predictable locations, and error messages for intelligent brute force testing and exploit condition identification of web applications.

Many mechanisms of attack used to exploit different web server platforms and applications are triggered by particular meta-characters that are observed in more than one product security advisory. fuzzdb is a database attack patterns known to have caused exploit conditions in the past, categorized by attack type, platform, and application.

Because of the popularity of a small number of server types, platforms, and package formats, resources such as logfiles and administrative directories are typically located in a small number of predictable locations. A comprehensive database of these, sorted by platform type, makes brute force fuzz testing a scalpel-like approach.

Since system errors contain predictable strings, fuzzdb contains lists of error messages to be pattern matched against server output in order to aid detection software security defects.

Primary sources used for attack pattern research:

researching old web exploits for repeatable attack strings

scraping scanner patterns from http logs

various books, articles, blog posts, mailing list threads

patterns gleaned from other open source fuzzers and pentest tools

analysis of default app installs

system and application documentation

error messages

It’s like a non-automated open source scanner without the scanner. You can download fuzzdb v1.06 here:

Check out via svn: svn checkout

Also..to keep FuzzDB updated,type

svn update

to pull the latest updates.

Like This post ? You can buy me a Beer :)