RE: Looking for a fuzzer/source code analyzer on customer developed code

From: Joxean Koret (joxeankoret@yahoo.es)
Date: Tue Mar 18 2008 - 03:39:12 EST


Hi,

There are many fuzzers but the most powerful are
SPIKE and Sulley. Both of them are Open Source but
SPIKE is quite old (as the latest version is only
distributed to paying customers).

For web services fuzzing I recommend wsFuzzer
(http://www.neurofuzz.com/modules/software/wsfuzzer.php)
by Andres Andreu. It's very good.

For a general purpose open source fuzzer, if you don't
like the previous fuzzers I pointed you to, you can use
Krash fuzzer (general purpose fuzzer, included in the
Inguma project, http://inguma.sourceforge.net).

And, for source code analyzers, for C/C++ you may use
flawfinder (http://www.dwheeler.com/flawfinder/).

Regards,
Joxean Koret

--- sudhakar@CS.Princeton.EDU wrote:

>
>
> Hi all,
>
> I am looking for a good fuzzer, against some custom
> code developed
> internally. I am looking for a tool to stress test
> application by:
>
> - open many network connections to application
> - throw random data to applications to get them to
> crash
> - fuzz web services
>
>
> Idea is to add a quality gate for developers
> before they push code out.
>
> Does anyone have any ideas on how to approach the
> problem? Any source code
> analyzer out there to do this?
>
>
> Thanks in advance for your ideas.
>
>
> Regards,
> --Sudhakar

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:28 EDT