Powerfuzzer
Software homepage: http://powerfuzzer.sourceforge.net/ (via tr4c3)
Powerfuzzer is a highly automated web fuzzer based on many other available Open Source fuzzers (incl. cfuzzer, fuzzled, fuzzer.pl, jbrofuzz, webscarab, wapiti, Socket Fuzzer) and on information gathered from numerous security resources and websites. It is capable of spidering a website and identifying its inputs.
Don’t have a clue what a fuzzer or fuzz testing is? Not a problem, read on here.
Currently, it is capable of identifying these problems:
– Cross Site Scripting (XSS)
– Injections (SQL, LDAP, code, commands, and XPATH)
– CRLF
– HTTP 500 statuses (usually indicative of a possible misconfiguration/security flaw incl. buffer overflow)
Designed and coded to be modular and extendable. Adding new checks should simply entail adding new methods.
Screenshots were made during demo tests against the ACUNETIX test website testphp.acunetix.com. Neither I nor this project/website is affiliated with ACUNETIX in any shape or form.
Main Screen
Scanning
Scanning with finding
HTTP POST form scanning
Final report with findings
Project news
06/21/2008 – Powerfuzzer v1 BETA available. Several bugfixes (see CHANGES.txt). Improved BASIC AUTH and Cookie support.
02/22/2008 – Yay … website is ready. Feel free to dl the ALPHA version; some features don’t work quite well yet. Need volunteers to help. Please contact me if you’re interested.
TODO
IMHO, in order of importance:
-add NTLM support
-add custom check field to GUI (you can specify parameters that should be passed to fuzzer module in the GUI interface)
-modularize checks performed by the scanning engine, so that users can add their customized checks/modules/plugins
-add threading to scanning engine (for super fast scanning)
-improve GUI/reporting
-documentation/tutorials
Talks
Yapa … Yapa …. Yapa
FAQ
Documentation
We are actively working on the documentation.
Prerequisites and Installation
It is platform independent, hence powerfuzzer should run on Windows/Linux/Unix (tested on Windows XP SP2 and Linux). Install Python (tested with Python 2.5), wxPython (tested with wxPython 2.8), HTML Tidy Library, ctypes and the TidyLib Python wrapper, and you’re ready to go.
To start using the application, unzip the package and double-click (execute) powerfuzzer.py.
Mailing List
None yet
License
powerfuzzer is an Open Source software package. It is licensed under the GNU General Public License Version 2.
Download
You can download a release package with source code:
Here
Author(s)
The project leader is Marcin Kozlowski (marcinguy ‘@’ yahoo.com). He is an active contributor to and researcher in Open Source projects and the information security arena (tools, modules, exploits, research).
This hosting space is much faster than it used to be!
It is hosted on DH now.
The things you research are all really cutting-edge!