Comments on: Open source security tools

By: Gareth Heyes

Gareth Heyes — Wed, 15 Aug 2007 22:27:51 +0000

Hi Ascii

Yeah I forgot to remove the inc file because it was originally hosted on my site but I figured people would know to remove it anyway. Same with the styles and images.

There’s been a few instances of interesting javascript execution reported. The plan is to log them in the fuzz database, and the address variable is used to report the fuzz results back to my server using dynamic images. It’s up to you, you can choose to report the results or not.

By: ascii

ascii — Wed, 15 Aug 2007 21:59:40 +0000

did executedJavascript turned to 1 in any cool way so far? are there already notable results? (just curious, i can understand if you refuse to publish results details since you already opensourced the fuzzer)

the only glitches i found are:

include ads.inc.php that could be removed (or make the path absolute and go evil)

var address that still points to your server (dunno if wanted or not :P)

some missing external stuff that is not directly involved in the fuzzing mechanism (styles, images, etc)

just an idea: the user agent string could be added to the reporting

By: Gareth Heyes

Gareth Heyes — Wed, 15 Aug 2007 21:00:25 +0000

No probs I’m glad you like the code If you improve it or use it anywhere let me know and get involved with the Google group, I’m hoping we can all share ideas, learn and improve the code.

By: ascii

ascii — Wed, 15 Aug 2007 20:51:43 +0000

i’m still reading the sources but it seems really good stuff, thanks!

By: pF ;)

pF ;) — Wed, 15 Aug 2007 07:36:13 +0000

Cool!

By: .mario

.mario — Wed, 15 Aug 2007 06:36:48 +0000

sweet