Today on bugtraq Michal Zalewski , a noted security researcher who pounds out some pretty cool tools, posted a new fuzzer for the C language. Bunny the Fuzzer is available through Google Code.
So, if you know me personally, you know that lately I've been pretty drawn to fuzzing and Read the rest of this entry »
If you've listened to my last podcast you know I missed the first gathering of the newly formed DC 405 group. Luckily, 0hm was there to shoot and edit the talks and has made them available at http://dc405.blip.tv
Some notes on the technologies behind ri0t's part of the talk: Read the rest of this entry »
In this episode I run down some of the fun and excitement of Tulsa Techfest '07. So sit back and enjoy as I regale you with tales of Silverlight and Oktoberfest brew. Techfest was another smashing success!
This has been out for about a month now, but I thought I'd post a short blurb anyway. This issue contains some good information on PCI DSS compliance and an article by Michael Sutton, Adam Greene and the ever popular Pedram Amini regarding file fuzzing.
So, there's some interesting bedtime reading for you.
There's a really cool site out there called RefactorMyCode.com that is built around the grand idea of community refactoring. If you've got some messy spaghetti -code or some nasty function calls that you're not sure of how to cleanup, this may be just what the doctor ordered.
My gut feeling on this is that it'll be great for those short snippets and personal projects that people have going. Hopefully no trade secret type stuff, but certainly the old crusty drudgery that we all have lying around.
Get to it, refactoring is fun!
I'm a late comer to this party folks. I've been chugging along on Slackware for quite a while, squeaking through life on KDE 3.4.
The other night I was inspired to see what all was available through Ubuntu and it's native Gnome. It's awesome out of the box. This is a desktop Linux that I wouldn't hesitate pushing on my little sister. It's fun, easy to use and has some great package management and productivity apps built in.
Once you get past the stuff that makes it work better, it's time to get crazy. Beryl puts your desktop into graphic/animation overload. Cubes to spin the desktop, an expose-like look at running apps, and transitions that make it the hottest thing on the block.
For you OS X lovers, I added the Avant launcher, which makes the taskbar more like that of OS X with quick launch icons that zoom on mouse-over. It's sweet.
Overall, it beat the hell out of a lot of other distros I've tried, but more importantly, it beats the hell out of Vista in a BIG way. Try it and prepare to be impressed.
So, recently I started writing a web application fuzzer in Ruby. I chose Ruby for a couple of reasons,
I got code working for parsing the form tag and determining the method of input 'GET' or 'POST', code for parsing parameters to be fuzzed and code for extracting links for forward spidering of the site.
Ok, this is all well and good, so I want to use a list that's provided by ninjas (i.e. the listings provided by OWASP). For my first run I decided to say f'it and threw this data into files that reflect options that can be selected or globbed from the command prompt.
So, I'm working the command line options and running Wireshark to make sure it's looking as it should. Then it hits me, how am I detecting that something is a miss? Status codes? Timing? Page response is going to give me b.s. So here it is boys and girls.
Lesson 1 : Don't throw the exploit at the input. Throw something to indicate an issue.
You see, if an SQL injection works, the page will render nicely, maybe it's a password field and it just blows you through...not helpful in indicating an issue. At least not the way I'm attempting to make this all happen.
