Composing test data is hard and composing security test data is many times harder, so the introduction of FuzzDB by Adam Muntner of the Mozilla security team is worth looking at for those who want to more effectively check the security of their applications. FuzzDB isn’t a database per se, but a collection of collections of categorised documents and includes:
- A library of predictable resource locations by OS, web server and app packages so that the regular holes can be checked.
- A collection of attack patterns broken down by platform, language and attack type and containing malicious and malformed inputs “known to cause information leakage and exploitation”. And by known, they mean “will set off your AV alerts”.
- A set of regexp pattens to aid spotting tell-tale system responses that can point toward security holes or just plain old errors.
- A cluster of web-shells, ideal for understanding and spotting those ways someone can leave a route back in.
- A variety of word lists and user/passwords which may be useful.
and of course some documentation. All of this can be found on the FuzzDB project page on Google Code. Muntner offers a range of uses for the plain text documents of FuzzDB such as driving web app penetration tools, building automated scanners, checking for malicious inputs and testing network services. Over the next year he plans to move FuzzDB to a wiki to improve collaboration around its content, update various components, improve others, work out a consistent naming scheme and make it work better with OWASP’s ZED (Zed Attack Proxy) and Mozilla’s own Minion.