On Feb 27, 2007, at 3:33 AM, Steven M. Christey wrote:
Given the complex manipulations that can work in XSS attacks (see
RSnake's
cheat sheet) as well as directory traversal, combined with the sheer
number of potential inputs in web applications, multipied by all the
variations in encodings, I
To: Secure Coding
Subject:Re: [SC-L] Dark Reading - Desktop Security - Here Comes the
(Web)Fuzz - Security News Analysis
On Feb 27, 2007, at 3:33 AM, Steven M. Christey wrote:
Given the complex manipulations that can work in XSS attacks (see
RSnake's
cheat sheet) as well as directory
On 2/27/07, Kenneth Van Wyk [EMAIL PROTECTED] wrote:
Here's an interesting article from Dark Reading about web fuzzers. Web
fuzzing seems to be gaining some traction these days as a popular means of
testing web apps and web services.
On Feb 27, 2007, at 4:54 AM, Michael Silk wrote:
unconvinced of what? what fuzzing is useful? or that it's the best
security testing method ever? or you remain unconvinced that fuzzing
in web apps is fuzzing in os apps?
fuzzing has obvious advantages. that's all anyone should care about.
No,
In my personal experience with web app testing, I have found that web
fuzzers are not nearly as useful as fuzzers used for applications, and more
specifically I have found numerous bugs doing direct API fuzzing. In the
case of testing web applications I find that using something like
SpiDynamics
