MassWeb: Web Fuzzing Speed Demon presented at CarolinaCon11 2015

by Alejandro Caceres, Chris Koepke,

Summary : MassWeb is extremely fast distributed web application fuzzing framework to scan massive amounts of websites at once. It is the blood and guts of the latest version of PunkSPIDER, an open source web vulnerability scanner and searchable repository of vulnerabilities discovered across the Internet (presented at ShmooCon 2014, DEF CON 22, and more​)​.
Massweb is extremely fast web application fuzzing made simple. It sports a Python interface and allows for easy crawling and discovery of new targets, customization of payloads, multithreaded HTTP requests and is friendly to use over a distributed scanning cluster. In 2014, we used MassWeb over a Hadoop cluster to scan a large subset of the Internet's web applications for vulnerabilities over a span of a few very interesting days and found several intriguing results to say the least. The short story is that there's a lot of vulnerable web apps out there and web admins hate being scanned by MassWeb, the long story (including legal threats!) and raw numbers will be presented at this talk. This presentation will serve as both the unveiling of MassWeb as an open source distributed web app fuzzing tool and an analysis of those results.