In my previous post I talked a little bit about fuzzing and how I’d proceed. I’ve now made really good improvements (IMO anyway ;)) on the code. So now... a brief feature list (HaHa) of my fuzzing script for a web service method RBACHas_Role is:
- Configuration file present where you can choose what fuzz lists you want to use
- Configuration file present where you can configure expected values for each method
- Writes responses per payload and final report to XML so other tools (don’t ask me which ones :)) can use it
- Lastly... it now uses threads, so a large number of payloads are sent in a very short space of time. It was very cool looking at Burp’s History window filling up very very quickly.
449 payloads. The version without threads takes 3 minutes 20 seconds. The version WITH threads takes 23 seconds. And the results seem correct too. Quite cool if you ask me 🙂
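
As an added example (not the author's script, which the post does not show), here is a minimal Python harness with the same features: per-method expected values, a thread pool for sending, and an XML report with one entry per payload. `stub_has_role`, the payload list and the report element names are constructed assumptions; the stub stands in for the real web service call.

```python
import xml.etree.ElementTree as ET
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-ins for the two configuration files described in the post.
EXPECTED = {"RBACHas_Role": {"true", "false"}}          # expected values per method
PAYLOADS = ["admin", "", "A" * 5000, "\x00", "r\u00f4le\u202e"]  # constructed fuzz list

def stub_has_role(payload):
    """Hypothetical stand-in for the web service call; a real harness sends HTTP here."""
    if len(payload) > 1024:
        return "Server Error: buffer"
    return "true" if payload == "admin" else "false"

def run_one(method, send, payload):
    """Send one payload and classify the response against the expected values."""
    try:
        response = send(payload)
    except Exception as exc:  # a transport failure is itself a finding, not a crash
        response = f"EXCEPTION: {exc}"
    verdict = "expected" if response in EXPECTED[method] else "anomaly"
    return payload, response, verdict

def fuzz(method, send, payloads, workers=8):
    """Run all payloads on a thread pool; map() keeps results in payload order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda p: run_one(method, send, p), payloads))

def to_xml(method, results):
    """Build the report: one <case> per payload plus a <summary>."""
    root = ET.Element("fuzzreport", method=method)
    for payload, response, verdict in results:
        case = ET.SubElement(root, "case", verdict=verdict)
        # repr() escapes control characters (e.g. NUL) that are illegal in XML 1.0,
        # so downstream parsers do not choke on the fuzz data itself.
        ET.SubElement(case, "payload").text = repr(payload)
        ET.SubElement(case, "response").text = response
    anomalies = sum(1 for _, _, v in results if v == "anomaly")
    ET.SubElement(root, "summary", total=str(len(results)), anomalies=str(anomalies))
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(to_xml("RBACHas_Role", fuzz("RBACHas_Role", stub_has_role, PAYLOADS)))
```

Because the work is network-bound, threads help despite Python's GIL; keep the worker count within what the target test environment and any intercepting proxy can absorb.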