
I'm trying to do some security testing for my server (not a web server) which is sitting behind an nginx proxy. To start with it, I've done some fuzz testing using Sulley. As expected, most of the fuzzed requests were handled by nginx. I also tried using the BED tool, but since my server expects requests on a specific URI (http://host/(uri)), I was not able to make the best use out of it. (Is that possible?)

My question: is there any further scope for doing fuzz testing (which I might have missed)? If yes, then what tools can be used?

I'm also looking for a tool for doing penetration testing. Thanks in advance for your inputs.

pragmatic
  • Shameless self-promotion plug. Try using doona instead of BED. In this case you will be fuzzing the proxy/web server. You might wish to clarify your objective and preferred outcomes. For web application testing Burp Suite seems to be the most popular tool. – wireghoul Feb 13 '15 at 12:03
  • @wireghoul Does doona allow passing a URI with the hostname? The objective is to send fuzzed requests to my actual server and see how it handles them (crash?). I'm able to send requests with a fuzzed User-Agent field and a few other HTTP header fields. But since it is NOT a web application, is there any way I can exploit anything here? – pragmatic Feb 13 '15 at 13:34
  • It's a protocol fuzzer; it will send many different requests trying to fuzz all the different fields of an HTTP request, including the Host header. Why do you think the hostname is necessary? You could also look at the radamsa plugin for Burp for other HTTP fuzzing options. – wireghoul Feb 13 '15 at 19:53
  • Thanks for your input. Unfortunately I can't upvote your comment (low reputation). – pragmatic Feb 16 '15 at 09:25
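The question and comments above boil down to one practical problem: sending fuzzed requests to one specific URI through nginx and telling apart "nginx rejected it", "the backend answered" and "the backend fell over". The following is an added example written for this page, not code from the original post or from Sulley, BED or doona. The URI (/api/ingest), the Host value and the 127.0.0.1:8080 listener are hypothetical placeholders; the payload families are constructed here. The one proxy-specific detail it encodes is that a backend crash behind a reverse proxy does not arrive as a connection reset on the fuzzer's socket: nginx answers 502/504 with its own error page, so that is the signal to watch, while a 4xx carrying nginx's default page footer means the request never reached the backend at all.

```python
"""Single-URI HTTP fuzzer for a backend sitting behind an nginx reverse proxy.

Added example, not code from the original post. The URI (/api/ingest), the
Host value and the 127.0.0.1:8080 target are hypothetical placeholders.
"""
import socket
from dataclasses import dataclass, field, replace
from typing import Dict, Iterator, Optional, Tuple

# Constructed payload families, grouped by the class of bug each tends to hit.
LONG_STRINGS = ["A" * n for n in (256, 1024, 4096, 65536)]        # fixed-size buffers
FORMAT_STRINGS = ["%s%s%s%s%n", "%x" * 64, "{0}{1}" * 32]          # printf / str.format sinks
INT_BOUNDARIES = ["0", "-1", "2147483647", "2147483648", "4294967295", "18446744073709551616"]
BINARY_JUNK = [bytes(range(256)).decode("latin-1"), "\x00" * 64, "\r\nX-Injected: 1"]
PAYLOADS = LONG_STRINGS + FORMAT_STRINGS + INT_BOUNDARIES + BINARY_JUNK


@dataclass
class Request:
    method: str = "POST"
    path: str = "/api/ingest"          # hypothetical URI the backend expects
    host: str = "host"
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    def to_bytes(self) -> bytes:
        """Serialise as a raw HTTP/1.1 request; latin-1 keeps every byte 0-255 intact."""
        body = self.body.encode("latin-1")
        hdrs = {"Host": self.host, "Connection": "close", "Content-Length": str(len(body))}
        hdrs.update(self.headers)      # a fuzzed header deliberately overrides the default
        head = f"{self.method} {self.path} HTTP/1.1\r\n" + "".join(f"{k}: {v}\r\n" for k, v in hdrs.items())
        return head.encode("latin-1") + b"\r\n" + body


def generate_cases(base: Request) -> Iterator[Tuple[str, Request]]:
    """One mutated field per case, so a crash is attributable to exactly one input."""
    for p in PAYLOADS:
        yield "path", replace(base, path=base.path + "/" + p)
        yield "query", replace(base, path=f"{base.path}?id={p}")
        yield "user-agent", replace(base, headers={**base.headers, "User-Agent": p})
        yield "body", replace(base, body=p)


def classify(response: Optional[bytes], error: Optional[str]) -> str:
    """Bucket one outcome.

    502/504 with nginx's own error page means nginx could not reach the backend:
    behind a proxy that is the crash signal. A 4xx with nginx's page means the
    proxy rejected the request and the backend never saw it.
    """
    if error == "timeout":
        return "timeout"
    if error:
        return "proxy-conn-error"
    if not response:
        return "empty"
    parts = response.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2 or not parts[1].isdigit():
        return "malformed-response"
    status = int(parts[1])
    from_nginx = b"<center>nginx</center>" in response   # footer of nginx's default error pages
    if status in (502, 504) and from_nginx:
        return "backend-down (candidate crash)"
    if 400 <= status < 500 and from_nginx:
        return "rejected-by-proxy"
    return f"backend-{status}"


def send_case(host: str, port: int, raw: bytes, timeout: float = 5.0) -> Tuple[Optional[bytes], Optional[str]]:
    """Send one raw request and read until the proxy closes the connection (Connection: close)."""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(raw)
            while True:
                c = s.recv(65536)
                if not c:
                    break
                chunks.append(c)
    except socket.timeout:
        if not chunks:
            return None, "timeout"   # partial data, if any, is still classified below
    except OSError as e:
        return None, f"oserror:{e.errno}"
    return b"".join(chunks), None


def run(host: str, port: int, base: Request) -> Dict[str, int]:
    """Fuzz every field, print anything that is not a normal backend reply, return outcome counts."""
    counts: Dict[str, int] = {}
    for fld, req in generate_cases(base):
        outcome = classify(*send_case(host, port, req.to_bytes()))
        counts[outcome] = counts.get(outcome, 0) + 1
        if not outcome.startswith("backend-2"):
            print(f"[{outcome}] field={fld} request={req.to_bytes()[:80]!r}")
    return counts


if __name__ == "__main__":
    print(run("127.0.0.1", 8080, Request(host="host")))   # hypothetical nginx listener
```

Run it against the proxy's listener, not the backend directly, since the point of the exercise is to see what survives nginx. Expect the "path" and binary-junk cases to land mostly in `rejected-by-proxy` (that is the behaviour the question describes); the interesting buckets are `backend-5xx` and `backend-down (candidate crash)`, and because each case mutates one field, the printed field name tells you what to replay against the backend under a debugger.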

1 Answer


I agree that Burp Suite is a good tool, but there are a lot of different types of tools to perform penetration testing. Tools are useful for pentesting, but you need to understand the application and environment. Then you can select the right tools for the job.

You indicated that your server isn't a web server but is behind an nginx proxy, so what kind of server is it? Understanding the environment and "attack surface" is the first step.

Once you understand that, you need to look for vulnerabilities and attack vectors. Once you find a vulnerability, then you need to understand if it is exploitable.

Much of this can't be done by a tool.

Check out "Engebretson, Patrick. The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy, Second Edition. Syngress Publishing. © 2013" for a good overview of pentesting.

COL Wotohice