Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

webappsec logo WebApp Sec mailing list archives

Re: WebScarab Fuzzer
From: Rogan Dawes <discard () dawes za net>
Date: Sat, 10 Jun 2006 10:58:00 +0200
Jason Murray wrote:

Is there a better tutorial on how to use the WebScarab Fuzzer than this:
http://dawes.za.net/rogan/webscarab/docs/fuzzer.html
It does a good high level overview but leaves out key pieces of information like how the Fuzz Source is specified. I tried using a simple text file but that didn't work.
Also how do you know if it is even working? I click Start and am told that it started, but how do I know when it finishes? And where would any results be?
I'm on a project where this feature will be of great use to me. I am just a bit green with the tool. 

Thanks in advance.
Depending on which version you are using, the fuzz source IS specified by a simple text file (one item per line) or a simplified regular expression (only in more recent versions - not sure if I have made an official release containing this functionality - I've been having trouble logging in to sourceforge to actually make a release).
The idea is that you have one piece of fuzz text per line, then when you create the fuzz source in WebScarab, you should see each item reflected in the list, along with a count showing how many items there are.
When you define the parameters to fuzz, you should see a couple of boxes in the bottom left corner of your screen, showing "Total Requests" and "Current Request". When you hit start, you should see "Current Request" incrementing until it reaches "Total Requests" - 1, at which point it is finished. All of the responses are dumped into the Summary, so you can review them there, however, in more recent versions, there is a fuzzer-specific summary shown in the Fuzzer window, showing the results from the last fuzzer run. This is cleared each time you reset the fuzzer (e.g. by changing parameters, etc)
You can get the latest version from my website at <http://dawes.za.net/rogan/webscarab/webscarab-installer-20060512-1132.jar> 

I'll update my website at some stage to include the above explanation.

Hope this has helped.

Regards,

Rogan

-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. Change the way you think about application security testing - See for yourself. Download a Free Trial of AppScan 6.0 today! 

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]