Tuesday, September 1, 2015

Website Fuzzing 101

You have a web application. You want to see if there are any buffer overflows, DoS, or other oddities, or you're just interested in determining how well your developers are validating input. One possible way is SPIKE, run out of a Linux environment.

A SPIKE script tells SPIKE what requests to send. In the example below I'm crafting an HTTP request to send to a test web server, except that the query value will be fuzzed with a bunch of random data.
Example:
s_string("GET /?q=");
s_string_variable("QUERYVALUE");
s_string(" HTTP/1.1\r\n");
s_string("Host: TESTSERVER\r\n\r\n");


Kick off SPIKE...
./generic_send_tcp TESTSERVER 80 ~/scriptfile.spk 0 0

And watch the requests fly out! Then take a look at your application logs; any time the website crashed or generated scary buffer overflow, null reference, database, or other errors, review that part of the code and patch it so that it handles the fuzz data properly. Your website should be able to gracefully handle any data thrown at it.
Might be good to tail the Apache access logs...
tail -f /var/log/apache2/access.log
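As an added example (not part of the original post), here is a small Python triage script of the kind you might run over the access log after a SPIKE run: it parses Apache combined-format lines, pulls out the fuzzed q value, lists the requests that drew a 5xx response, and reports the length boundary between payloads the app survived and those it did not. The log lines, the 10.0.0.5 client and all q values are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format, as written to a stock apache2 access.log.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines standing in for a SPIKE run against GET /?q=...
LONG_Q = "A" * 200
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [01/Sep/2015:10:00:01 +0000] "GET /?q=hello HTTP/1.1" 200 512 "-" "-"',
    '10.0.0.5 - - [01/Sep/2015:10:00:02 +0000] "GET /?q=%s HTTP/1.1" 200 512 "-" "-"' % ("A" * 40),
    '10.0.0.5 - - [01/Sep/2015:10:00:03 +0000] "GET /?q=%s HTTP/1.1" 500 0 "-" "-"' % LONG_Q,
    '10.0.0.5 - - [01/Sep/2015:10:00:04 +0000] "GET /?q=abc%00def HTTP/1.1" 500 0 "-" "-"',
    '10.0.0.5 - - [01/Sep/2015:10:00:05 +0000] "GET /?q=hello%20world HTTP/1.1" 200 512 "-" "-"',
])

def parse_line(line):
    """Return status, decoded q value and its length for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # rotated-log headers, truncated lines, etc.
    request = m.group("request")
    parts = request.split(" ")
    path = parts[1] if len(parts) >= 2 else request
    # parse_qs percent-decodes for us, so %00 becomes a real NUL byte here.
    q = parse_qs(urlsplit(path).query, keep_blank_values=True).get("q", [""])[0]
    return {"status": int(m.group("status")), "q": q, "q_len": len(q), "request": request}

def triage(log_text, min_status=500):
    """List the fuzz requests that drew a server error, in log order."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e and e["status"] >= min_status]

def status_summary(log_text):
    """Count responses by status code; a spike in 5xx stands out at a glance."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return Counter(e["status"] for e in entries if e)

def length_boundary(log_text):
    """(longest q that still got a 2xx, shortest q that got a 5xx): where a length check is missing."""
    entries = [e for e in (parse_line(line) for line in log_text.splitlines()) if e]
    ok = [e["q_len"] for e in entries if 200 <= e["status"] < 300]
    bad = [e["q_len"] for e in entries if e["status"] >= 500]
    return (max(ok) if ok else None, min(bad) if bad else None)
```

Each 5xx hit carries the decoded q value, so the exact input can be replayed against a debug build while the code path is fixed.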


Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
