Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.

in this file https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/os-cmd-execution/shell-delimiters.txt the ^ operator is not intended for commands; I'm not sure why is it included as a shell delimiter ?

Can someone please explain?

The ability to randomize the payloads would be beneficial. For example when fuzzing a numerical id I used the expression [1-9]\d{2,4} which generated a predictable sequence of

• 100
• 1000
• 10000
• 10001
• 10002
• ...

I hope you see some merit in this enhancement request.

Thanks

A number of AngularJS sandbox escape strings have been published recently that can lead to XSS. Can they be added to the fuzzdb? http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html

I was searching for the uber.gif there and to my surprise i noticed it isn't ubersized as i remembered so i took a look at the directory and all the images in there contains the github webpage source code of the page hosting the image at SecLists :)

I'm now going to make a pull request for this one soon, i'm also going to add two poc-gif-php variations that are present in the SecLists repository as well.

Probably nothing that you can do on your end, but I wanted to let you know that Firefox 47.0.1 and Firefox 48 are blocking download of master.zip.

Firefox 47.0.1 states This file may contain a virus or spyware.

Firefox 48.0 states This file contains a virus or malware.

I believe that Firefox uses Google's Safe Browsing API to handle this, but not sure how to report false positives.

It seems seems very redundant a distribution used for fuzzing to have a .fuzz.txt in most file names. Can we clean that up by changing all files from .fuzz.txt back to just .txt? What was the reason for this change? It seems inconsistently applied across the folders.

fuzzdb/wordlists-user-passwd/oracle/_oracle_default_passwords.txt

Strip useful data out of comma delim file and make .fuzz.txt files with username and passwds, they should be a paired set of files.

Added some services found on Oracle SOA Suite 11g 

Jacco van Tuijl

Original issue reported on code.google.com by [email protected] on 18 Apr 2014 at 10:09

Attachments:

• OracleAppServer.fuzz.txt.patch

It seems that https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/path-traversal/traversals-8-deep-exotic-encoding.txt currently has 887 entries. When doing an:

cat traversals-8-deep-exotic-encoding.txt | sort | uniq | wc -l

we're down to 652. This seems to be caused by duplicated entries like e.g.:

https://github.com/fuzzdb-project/fuzzdb/blob/2863f7a/attack/path-traversal/traversals-8-deep-exotic-encoding.txt#L8

https://github.com/fuzzdb-project/fuzzdb/blob/2863f7a/attack/path-traversal/traversals-8-deep-exotic-encoding.txt#L263

https://github.com/fuzzdb-project/fuzzdb/blob/2863f7a/attack/path-traversal/traversals-8-deep-exotic-encoding.txt#L375

Whats the reason for having those duplicated entries and doesn't it make sense to remove duplicated entries from the list?

Added SAP URLs from Metasploit SAP URL Scanner: sap_icm_paths.txt

Original issue reported on code.google.com by [email protected] on 23 Apr 2014 at 4:14

Attachments:

• SAP.fuzz.txt.patch

What steps will reproduce the problem?
1. In Mozilla - open 
fuzzdb-1.09.tgz\fuzzdb-1.09\attack-payloads\sql-injection\detect\docs\docs.sql_i
njection_cheetsheet.html 

What is the expected output? What do you see instead?
Expect to a harmless document.

File has characters that cant be read. If you click through and open - you 
start getting 'security vulnerability detected'  popups.

What version of the product are you using? On what operating system?
Tarball - fuzzdb-1.09.tgz

Please provide any additional information below.
Could be something else on my machine, but just in case, submitting this

Original issue reported on code.google.com by [email protected] on 19 Feb 2013 at 5:08

This PR corrects misspellings identified by the check-spelling action.

The misspellings have been reported at https://github.com/jsoref/fuzzdb/commit/eee35105074eae0af8a41a28bb4e0b8f1eb02feb#commitcomment-55978375

The action reports that the changes in this PR would make it happy: https://github.com/jsoref/fuzzdb/commit/d65636fceb7632f0cbece179fd7cbd53265fe54c

Note: this PR does not include the action. If you're interested in running a spell check on every PR and push, that can be offered separately.

For the sake of argument, all corrections were automatically suggested by Google Sheets (advice vs advise was thrown in by a human other than me -- in principle this is a spell check PR, not a grammar PR, and I don't have a tool for grammar, although it is theoretically possible to try to talk to grammarly.com) and no validation was made as to whether the internet or any other entities agree with the validity. I claim that I am intentionally not looking too closely at the content.

This means that it's likely some scripts may suffer from API or ABI breaks. I don't have any sympathy for the consumers, but I'm more than happy to skip files / drop hunks if that means other portions of this PR will be acceptable.

We're updating ZAP to use less controversial terminology terms: https://github.com/zaproxy/zaproxy/issues/6029 Are you ok accepting a PR which changes white / black list terms in_documentation to allow / deny lists? No payloads will be updated, just the docs. We import fuzzdb when there are changes changes so if we just fix this in ZAP then it will just get overwritten next time..