Practical audit advice you can use today.
# 7: Fuzzing for Fun and Profit
WebScarab is a powerful tool for testing out many different aspects of a web application. One of the more tedious aspects of web application security validation is trying out all of the different possibilities for input on every form. What can we do to make our lives simpler? WebScarab to the rescue!
WebScarab (http://owasp.org) can be taught to automatically send pre-populated input to a form in a programmatic way. This means that once we create a file containing the tests we'd like to run, we can just point and click and away it goes!
In the episode you'll see that we're able to configure WebScarab to run millions of test cases against a form. Looking at the results summary page, we can quickly see whether any of those requests caused the application to crash (500 Internal Server Error). We'll look at some details of how to mine these thousands of results for useful data in a future episode.
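To make the workflow concrete, here is an added example (not WebScarab's own code, and not from the episode) of what a form fuzzer of this kind does under the hood: each form parameter gets a list of candidate values, the fuzzer submits every combination, and the results are tallied by HTTP status so that 5xx responses stand out. The value lists are constructed and embedded inline where WebScarab would read them from files, and `mock_login_handler` is a hypothetical in-memory stand-in for the target form so the script runs offline; in a real test the `send` callable would post each case to your own application with an HTTP client such as `requests`.

```python
import itertools
from collections import Counter
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed fuzz sources: one list of candidate values per form parameter.
# WebScarab loads these from files; they are embedded here to keep the example offline.
FUZZ_SOURCES: Dict[str, List[str]] = {
    "username": ["alice", "", "a" * 5000, "O'Brien"],
    "password": ["secret", "", "\u00e9\u00e8", "%00"],
}


def case_count(sources: Dict[str, List[str]]) -> int:
    """Number of requests the fuzzer will send: the product of every list's length.

    This is why a handful of modest value files quickly turns into millions of cases."""
    total = 1
    for values in sources.values():
        total *= len(values)
    return total


def generate_cases(sources: Dict[str, List[str]]) -> Iterable[Dict[str, str]]:
    """Yield one form submission per combination of parameter values (Cartesian product)."""
    names = list(sources)
    for combo in itertools.product(*(sources[name] for name in names)):
        yield dict(zip(names, combo))


def mock_login_handler(params: Dict[str, str]) -> int:
    """Hypothetical target form, constructed for this example only.

    It simulates two unhandled-error paths that a real fuzz run is meant to surface:
    an oversized username and a non-ASCII password both produce a 500."""
    username = params.get("username", "")
    password = params.get("password", "")
    if len(username) > 4096:                      # simulated length-handling bug
        return 500
    if any(ord(ch) > 127 for ch in password):     # simulated encoding bug
        return 500
    if username == "alice" and password == "secret":
        return 200
    return 401


def run_fuzz(
    sources: Dict[str, List[str]],
    send: Callable[[Dict[str, str]], int],
) -> Tuple[Counter, List[Tuple[Dict[str, str], int]]]:
    """Submit every case through `send`, tally status codes, and collect 5xx cases.

    The returned summary plays the role of WebScarab's results page; the crash list
    is the subset worth mining afterwards."""
    summary: Counter = Counter()
    crashes: List[Tuple[Dict[str, str], int]] = []
    for case in generate_cases(sources):
        status = send(case)
        summary[status] += 1
        if status >= 500:
            crashes.append((case, status))
    return summary, crashes


if __name__ == "__main__":
    print(f"cases to send: {case_count(FUZZ_SOURCES)}")
    summary, crashes = run_fuzz(FUZZ_SOURCES, mock_login_handler)
    for status, count in sorted(summary.items()):
        print(f"HTTP {status}: {count}")
    for case, status in crashes:
        shown = {k: (v[:20] + "..." if len(v) > 20 else v) for k, v in case.items()}
        print(f"crash {status}: {shown}")
```

Two things the example makes visible that the episode's point-and-click view hides: the case count is multiplicative, so adding a fourth value file of 100 entries to these two lists would turn 16 requests into 1,600, and the crash list keeps the exact parameter combination that triggered each 500, which is what you need when reproducing the failure against your own application later.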
© 2011, David Hoelzer & EnclaveForensics