

Introducing FuzzDB - Lightning
https://blog.mozilla.org/security/2013/08/16/introducing-fuzzdb/

======
david_shaw
FuzzDB is a great project that has the potential to improve many existing
tools. In the same way Adam suggested in this post, my team uses FuzzDB lists
integrated with other tools (Burp Suite, Dirbuster, etc.) in order to use the
functionality of those tools with the robust lists that FuzzDB provides.

For those that may not understand how this works: FuzzDB has many lists for
many different security checks. A "fuzzer" would dynamically generate these
things by basically putting random data into input fields in an attempt to
find edge cases (with a security impact) that may not be handled correctly.
Instead of generating that data randomly and on-the-fly, FuzzDB uses the most
common "win" scenarios for a lot of different tests.

For example, the file Sharepoint.fuzz.txt[1] can easily be fed into any web
application assessment tool to find default Sharepoint files. Since FuzzDB is
updated more frequently than some older tools (say, nikto), it makes sense to
replace old default lists with FuzzDB.

I'm glad that Mozilla is letting Adam publicize the project through their
blog; it's a well-known resource in the security industry, but people just
learning to conduct assessments of web applications may not know about it.

1:
[https://code.google.com/p/fuzzdb/source/browse/trunk/Discove...](https://code.google.com/p/fuzzdb/source/browse/trunk/Discovery/PredictableRes/Sharepoint.fuzz.txt)

