Message-ID: <2d6724810902110951i5e7d459di7c8ef22863be0f22@mail.gmail.com>
Date: Wed, 11 Feb 2009 12:51:54 -0500
From: T Biehn <tbiehn@...il.com>
To: el8@...hmail.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Fuzzing for Fun and Profit

release something that fuzzes web services given a WSDL. OR * Grammar file.

state awareness given history, state munging, branch on prior states.
Like:
A->B->C->D

Transaction 1
A1->B1->C1

Transaction 2 REPLAY from B1
B1->C2->D2

Transaction 1
C1->D1

OR
A3->D3

D3->A3 (Send init packet with mundgery permute over *States if it permits.)

Run all permutations and branches from all steps, with all possible delays.
Learn if it "supports" your test then drop your test if it doesn't work.

You won't worry about running out of shit to test, and you'll finally
justify the cost of some sweet new hardware to run this on.

-or-

Learn how to audit code?

This might be too much CS for you, but if you plug away you might learn
something :.)

I'm sure you'll get a talking spot and mad whitehat dollars if you do.

On Wed, Feb 11, 2009 at 12:01 PM, <el8@...hmail.com> wrote:

> Dear tal0n.
>
> when will you do something that hasn't been done and is even
> relevant or practical in 2009? fuzzing sftp and command line
> arguments/env variables... nice and 2000AD "oh but its setuid(0)"
> yeah on your box and the 5 other people who download it to write
> useless papers/exploits to feel like they are smart/doing something
> (hi prdelka). When is the last time a sftpd exploit was useful?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
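
The state-order idea in the reply above (A->B->C->D, then skipped or reordered steps such as A3->D3), as an added example that is not part of the original message: it enumerates every message ordering against an in-process handler and reports the orderings the handler accepts but the A->B->C->D model rejects. ToyHandler, its deliberate bug and all function names are constructed for illustration; replay across transactions and delays are not covered.

```python
from itertools import product

ORDER = "ABCD"  # the message order used in the thread: A->B->C->D


def spec_accepts(seq):
    """Reference model: a sequence is valid only as a prefix of A->B->C->D."""
    return "".join(seq) == ORDER[:len(seq)]


class ToyHandler:
    """Constructed handler under test, with a deliberate state-tracking bug."""

    # Messages that must already have been accepted before each message.
    REQUIRES = {"A": set(), "B": {"A"}, "C": {"A", "B"},
                "D": {"A"}}  # bug: D should require {"A", "B", "C"}

    def __init__(self):
        self.seen = set()

    def handle(self, msg):
        # Reject duplicates and messages whose prerequisites are missing.
        if msg in self.seen or not self.REQUIRES[msg] <= self.seen:
            return False
        self.seen.add(msg)
        return True


def impl_accepts(seq):
    """Run one sequence against a fresh handler; True if every step is accepted."""
    handler = ToyHandler()
    return all(handler.handle(m) for m in seq)


def find_divergences(max_len=4):
    """Every ordering up to max_len that the handler accepts and the model rejects."""
    found = []
    for n in range(1, max_len + 1):
        for seq in product(ORDER, repeat=n):
            if impl_accepts(seq) and not spec_accepts(seq):
                found.append("".join(seq))
    return found


if __name__ == "__main__":
    for s in find_divergences():
        print("accepted out of order:", "->".join(s))
```

Each reported ordering is a regression test for the handler's state checks once the prerequisite table is corrected.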
