
Bonsai Information Security

untidy - XML Fuzzer



About untidy

untidy is a general-purpose XML fuzzer. It takes a string representation of an XML document as input and generates a set of modified, potentially invalid, XML documents based on that input. This project is currently hosted at SourceForge. For further information, you may also want to visit the untidy SourceForge project page.

News


  • beta 2 is out! - Tue, 05 Jun 2007 13:02:41 GMT
    • The second beta of the XML fuzzer is out. I want to thank Dirk Loss for his _very_ detailed bug reports and his help.

  • First release - Wed, 20 Dec 2006 19:34:09 GMT
    • untidy was released to the public today. This is a beta version; bug reports are welcome in the bug section of the SourceForge project homepage. New fuzzing functions can be added with ease, and contributions can be made by sending me an email.

Prerequisites

There are no prerequisites for running untidy. I have only tested it with Python 2.4, so you may find bugs when using it with a different version of Python.


Install

Just download the distribution file of the project and decompress it.


Quickstart

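Sample code that invokes the XML fuzzer can be found in untidy.py. This is it:

import untidy

# Well-formed XML document used as the seed input
xmlString = '<xml attr1="a"><a>f00!</a></xml>'

xf = untidy.xmlFuzzer()
xf.setRepetitions( [3,30,60] )
# fuzz() returns an iterable of modified XML strings derived from the seed
iter = xf.fuzz( xmlString )

# Print every fuzzed XML string to the console
for i in iter:
    print i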

This code will print a lot of XML output to the console. If you want to use untidy for something useful, replace the "print i" line with code that sends the XML to a server you are testing, or that saves every fuzzed XML to a different file. Have fun :)
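One way to do the second option from the paragraph above, as an added example rather than code from the untidy distribution: each case is saved to its own file and then fed to a local parser, and the outcome is recorded so that anything other than a clean parse error stands out. The names run_cases, parse_under_test and SAMPLE_CASES are hypothetical, the sample cases are constructed stand-ins for what xf.fuzz() yields, and the code is written for Python 3 so it does not import untidy itself.

```python
import hashlib
import os
import tempfile
import xml.parsers.expat


def parse_under_test(xml_bytes):
    """Stand-in target (assumption): swap in the parser or client you are testing."""
    parser = xml.parsers.expat.ParserCreate()
    parser.Parse(xml_bytes, True)


def run_cases(cases, out_dir, target=parse_under_test):
    """Save every case to its own file, feed it to target, classify the outcome.

    Returns a list of (file_name, outcome) tuples where outcome is
    'accepted', 'rejected' (clean parse error) or 'crash:<ExceptionName>'.
    """
    os.makedirs(out_dir, exist_ok=True)
    results = []
    for index, case in enumerate(cases):
        data = case if isinstance(case, bytes) else case.encode("utf-8")
        # The index keeps generation order; the digest makes duplicates easy to spot.
        name = "case_%05d_%s.xml" % (index, hashlib.sha256(data).hexdigest()[:12])
        with open(os.path.join(out_dir, name), "wb") as handle:
            handle.write(data)  # written before parsing so a hard crash leaves the input on disk
        try:
            target(data)
            outcome = "accepted"
        except xml.parsers.expat.ExpatError:
            outcome = "rejected"  # expected result for malformed input
        except Exception as exc:  # any other exception deserves a closer look
            outcome = "crash:" + type(exc).__name__
        results.append((name, outcome))
    return results


# Constructed sample cases standing in for the output of xf.fuzz(xmlString).
SAMPLE_CASES = [
    '<xml attr1="a"><a>f00!</a></xml>',
    '<xml attr1="a"><a>f00!</a>',
    '<xml attr1="a" attr1="a"><a>f00!</a></xml>',
    '<xml attr1="' + "a" * 60 + '"><a>f00!</a></xml>',
]

if __name__ == "__main__":
    for name, outcome in run_cases(SAMPLE_CASES, tempfile.mkdtemp(prefix="untidy_")):
        print(name, outcome)
```

Because each file is written before the target sees it, the input that caused a hang or process crash is always the highest-numbered file in the output directory.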


License

untidy is an Open Source software package. It is licensed under the GNU General Public License Version 2.


Download

  • untidy_ beta 2
    • Released: Tue, 05 Jun 2007 14:17:07 GMT


Author

Andrés Riancho is an information security researcher and founder of Bonsai, where he is mainly involved in Penetration Testing and Vulnerability Research. In the research field, he discovered critical vulnerabilities in IPS appliances from 3Com and ISS, and contributed to SAP research performed at his former employer.

His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants. Andrés has spoken and held trainings at many security conferences around the globe, like OWASP World C0n (USA), CanSecWest (Canada), T2 (Finland) and ekoparty (Buenos Aires).
