untidy is a general-purpose XML fuzzer. It takes a string representation of an XML document as input and generates a set of modified, potentially invalid, XML documents based on that input. This project is currently hosted at SourceForge. For further information, you may also want to visit the untidy SourceForge project page.
The second beta of the XML fuzzer is out. I want to thank Dirk Loss for his _very_ detailed bug reports and his help.
untidy was released to the public today. This is a beta version; bug reports are welcome in the bug section of the SourceForge project homepage. New fuzzing functions can be added with ease, and contributions can be made by sending me an email.
There are no prerequisites for running untidy. I have only tested it with Python 2.4, so maybe you will find bugs when using it with a different version of Python.
Just download the distribution file of the project and decompress it.
Sample code that invokes the XML fuzzer can be found in untidy.py. This is it:
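import untidy

# Seed document that the fuzzer mutates
xmlString = '<xml attr1="a"><a>f00!</a></xml>'
xf = untidy.xmlFuzzer()
xf.setRepetitions( [3,30,60] )
# fuzz() returns an iterable of modified XML strings
iter = xf.fuzz( xmlString )
for i in iter:
    print(i)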
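The sample above only iterates over the generated documents. As an added example that is not part of untidy, the harness below shows how a tester could feed such output to a parser they maintain and sort the outcomes. The names `stand_in_fuzz`, `triage`, `MARKUP` and `run` are hypothetical, and the generator is a simple stand-in, not untidy's algorithm; the parser under test is assumed to be Python 3's standard `ElementTree`.

```python
import xml.etree.ElementTree as ET

MARKUP = '<>"=/'  # characters the stand-in generator mutates (assumption)

def stand_in_fuzz(xml_string, repetitions):
    """Hypothetical stand-in for untidy's generator, NOT its real algorithm:
    yields copies of xml_string with one markup character repeated n times."""
    for pos, ch in enumerate(xml_string):
        if ch in MARKUP:
            for n in repetitions:
                yield xml_string[:pos] + ch * n + xml_string[pos + 1:]

def triage(cases, parse=ET.fromstring):
    """Feed every case to the parser under test and bucket the outcome."""
    report = {"accepted": [], "rejected": [], "crashed": []}
    for case in cases:
        try:
            parse(case)
        except ET.ParseError:
            report["rejected"].append(case)   # clean, expected failure
        except Exception as exc:              # anything else is a finding
            report["crashed"].append((case, repr(exc)))
        else:
            report["accepted"].append(case)   # mutant the parser tolerated
    return report

SAMPLE = '<xml attr1="a"><a>f00!</a></xml>'  # seed from the page's sample
REPETITIONS = [3, 30, 60]                     # counts from the page's sample

def run():
    """Triage every stand-in mutant of the page's sample document."""
    return triage(stand_in_fuzz(SAMPLE, REPETITIONS))

if __name__ == "__main__":
    for bucket, items in run().items():
        print(bucket, len(items))
```

To test a different parser, pass it as `parse`; with the real fuzzer installed, the iterable returned by `xf.fuzz(xmlString)` can be handed to `triage` in place of the stand-in generator.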
Andrés Riancho is an information security researcher and founder of Bonsai, where he is mainly involved in Penetration Testing and Vulnerability Research. In the research field, he discovered critical vulnerabilities in IPS appliances from 3Com and ISS, and contributed to SAP research performed at his former employer.
His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants. Andrés has spoken and held trainings at many security conferences around the globe, like OWASP World C0n (USA), CanSecWest (Canada), T2 (Finland) and ekoparty (Buenos Aires).