Here's an interesting article from Dark Reading about web fuzzers.
Web fuzzing seems to be gaining some traction these days as a popular
means of testing web apps and web services.
http://www.darkreading.com/document.asp?
doc_id=118162f_src=darkreading_section_296
Any good/bad
On Feb 27, 2007, at 3:33 AM, Steven M. Christey wrote:
Given the complex manipulations that can work in XSS attacks (see
RSnake's
cheat sheet) as well as directory traversal, combined with the sheer
number of potential inputs in web applications, multipied by all the
variations in encodings, I
Just for the record, the testing literature (non-security) supports ken's point
of view. Possibly the most amusing thing about all of this discussion about
black box versus white box is that this is only one of many many divisions in
testing. Others include partition testing, fault injection,
On 2/27/07, Kenneth Van Wyk [EMAIL PROTECTED] wrote:
Here's an interesting article from Dark Reading about web fuzzers. Web
fuzzing seems to be gaining some traction these days as a popular means of
testing web apps and web services.
On Feb 27, 2007, at 4:54 AM, Michael Silk wrote:
unconvinced of what? what fuzzing is useful? or that it's the best
security testing method ever? or you remain unconvinced that fuzzing
in web apps is fuzzing in os apps?
fuzzing has obvious advantages. that's all anyone should care about.
No,
In my personal experience with web app testing, I have found that web
fuzzers are not nearly as useful as fuzzers used for applications, and more
specifically I have found numerous bugs doing direct API fuzzing. In the
case of testing web applications I find that using something like
SpiDynamics
Hi all,
The neverending debate over disclosure continued at RSA this year with a
panel featuring Chris Wysopl and others rehashing old ground. There are
points on both sides, with radicals on one side (say marcus ranum)
calling the disclosure people vulnerability pimps and radicals on the
other
J. M. Seitz wrote:
On a related note, does anyone have an example where Company A was
disclosing vulnerabilities about competing Company B's product and got into
trouble over it? Is this something that could be litigated?
In fact, Tom Ptacek found a hole in one of Marcus' products while
On 2/28/07, Gary McGraw [EMAIL PROTECTED] wrote:
Hi all,
The neverending debate over disclosure continued at RSA this year with a
panel featuring Chris Wysopl and others rehashing old ground. There are
points on both sides, with radicals on one side (say marcus ranum)
calling the disclosure