Open source security tools

I have reached the required comment level for my JSFuzzer, if you weren’t aware of my experiment it was simply to have people comment on my post before I released the source code [1]. I know it might sound silly but in fact it enables the project to attract attention and also humans by their very nature want something they can’t have 🙂

You see I don’t want to charge people for the tools I write because I think they should be freely available as a learning resource and there’s a couple of things I don’t like about software/code in the industry today:-

1. Licenses suck.
2. Patents suck.
3. Corporate interests suck.
4. Stealing code or reselling free code sucks big time.

I’ll not turn this post into a rant and I could name far more points but what I wanted to achieve with this post is provide an example to the rest of the web security industry on how things can be done and hopefully someone will learn from the code I’ve wrote or better still find problems or improve it.

I’ve released the source of two security tools.
1. JSFuzzer
2. Javascript LAN Scanner

You can get involved with both projects on Google groups here:-
JS Fuzzer group and Javascript LAN scanner group

[1] open source as a reward for the js fuzzer

6 Responses to “Open source security tools”

  1. .mario writes:


  2. pF ;) writes:


  3. ascii writes:

    i’m still reading the sources but it seems really good stuff, thanks!

  4. Gareth Heyes writes:

    No probs I’m glad you like the code 🙂 If you improve it or use it anywhere let me know and get involved with the Google group, I’m hoping we can all share ideas, learn and improve the code.

  5. ascii writes:

    did executedJavascript turned to 1 in any cool way so far? are there already notable results? (just curious, i can understand if you refuse to publish results details since you already opensourced the fuzzer)

    the only glitches i found are:

    include that could be removed (or make the path absolute and go evil)

    var address that still points to your server (dunno if wanted or not :P)

    some missing external stuff that is not directly involved in the fuzzing mechanism (styles, images, etc)

    just an idea: the user agent string could be added to the reporting

  6. Gareth Heyes writes:

    Hi Ascii

    Yeah I forgot to remove the inc file because it was originally hosted on my site but I figured people would know to remove it anyway. Same with the styles and images.

    There’s been a few instances of interesting javascript execution reported. The plan is to log them in the fuzz database, and the address variable is used to report the fuzz results back to my server using dynamic images. It’s up to you, you can choose to report the results or not.