Last week, I attended the OWASP (Israel) mini-conference, which included some very interesting presentations (one of which was our own Overtaking Google Desktop).
One specific presentation that caught my attention was "Fuzzing in Microsoft and FuzzGuru framework". The presentation was given by John Neystadt, Microsoft’s lead program manager for the Forefront Edge product (aka ISA server).
Other than the regular "Fuzzing 101" slides, John presented a fuzzing framework/tool that was written in-house at Microsoft, called "FuzzGuru".
Unlike most fuzzers I’ve seen and experimented with before, FuzzGuru seemed like a very thorough and well-designed fuzzing framework, although it is not perfect and lacks some trivial web-oriented must-have features that exist in modern web application scanners (mainly Session Management).
In addition to FuzzGuru, John presented a method of using FuzzGuru alongside code coverage tools, to gain higher fuzzing success rates - a very interesting approach, which has intrigued me for quite some time now, ever since Fortify presented their Tracer tool.
I think that it would be a great asset to the community if Microsoft actually opened this tool to the general public.