
Web App Fuzzer

<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Jan 21, 2013 10:02 am

Web App Fuzzer

Hi everyone,

Just a quick question: What web app fuzzer do you use? I know there are many of them, but I was wondering which one you prefer and why.

Thanks
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Mon Jan 21, 2013 10:05 am

Re: Web App Fuzzer

BurpSuite primarily.
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
<<

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Jan 21, 2013 10:40 am

Re: Web App Fuzzer

+1

We've had Acunetix and Hailstorm, but I hate both. I always end up using Burp because it gives me the most manual control. I still think web app testing is 80% human.
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Jan 21, 2013 10:44 am

Re: Web App Fuzzer

cd1zz wrote: +1

We've had Acunetix and Hailstorm, but I hate both. I always end up using Burp because it gives me the most manual control. I still think web app testing is 80% human.


+2

I often find myself running Acunetix just because we have it. I've yet to get results even remotely comparable to what I do with Burp.
The day you stop learning is the day you start becoming obsolete.
<<

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Jan 21, 2013 10:45 am

Re: Web App Fuzzer

Acunetix has pretty reports :)

Clients love pretty.
<<

Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Mon Jan 21, 2013 10:54 am

Re: Web App Fuzzer

I have also tried w3af, but have not had much luck with it. Recently I have been playing with ZAP (OWASP).

Not entirely a fuzzer, but also been looking at Fiddler.
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
<<

Grendel

Full Member

Posts: 246

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Mon Jan 21, 2013 12:11 pm

Re: Web App Fuzzer

Remember my mantra: "Always be cynical. Use more than one tool for each job."

That said, I would recommend BurpSuite Pro be added to your list.
- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Web Site:
  • http://HackingDojo.com
Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Jan 21, 2013 2:03 pm

Re: Web App Fuzzer

Guess which one I was using... BurpSuite.

I wanted to know if someone was using another one and for what reason...

But with BurpSuite, you basically learn about one tool and you can do a whole bunch of things with it.

Thanks for your answers.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Mon Jan 21, 2013 7:50 pm

Re: Web App Fuzzer

Acunetix and Burp Suite Pro (the pro version makes quite a difference) ;) As Grendel said in this post, but also countless other times, don't rely on one single tool, use multiple. Acunetix has its issues, but mostly it's better than most other automated scanners.
PS: I don't consider Burp an automated scanner, even though it has one, but the amount of "tools" it includes is amazing, meaning I use it primarily for manual attacks, while using its scanner too.
I'm an InterN0T'er
