Find me if you can: Smart fuzzing and discovery! Presented at OWASPindia 2012

by Shreeraj Shah

Summary: A vulnerability would say "find me if you can". This problem can be solved by using smart fuzzing and stopping attack agents from potential exploitation. Web applications no longer use simple streams like the query string or typical name-value pairs; they have migrated to JSON, XML, AMF and various other structures. In this scenario attackers can be a step ahead if they have deployed better fuzzing than what you have.
Fuzzing is no longer purely signature-driven; it is smart, artificially intelligent, and can analyze the behavior of the application as well. It allows detection of next-generation SQL injections, which are carried over JSON, XML, SOAP and AMF. Injections like XPATH, Blind SQL, LDAP etc. can be hard to detect with typical fuzzing, but a next-generation approach ends up discovering potential vulnerabilities.
HTML5 is on the rise, and it needs client-side fuzzing within the browser to exploit the DOM. In this talk we will cover a behavior-centric approach to fuzzing, with some interesting tools and live demos.