Log Parser

by Vince
in Blog

I was talking with a guy the other day and he said something along the lines of -- "Sometimes there are bad things that happen on the Internet."  I replied:  "There are bad things happening on the Internet ALL THE TIME."

Fast forward to today -- I'm working on a project and I need to parse through the Apache access.log file, create a unique list of IP addresses, perform an nslookup on each of the IP addresses, ignore the addresses that do not resolve, and I need to spit out the list of addresses that resolve. 

Not that I'm shocked, but while writing this up and using cat to show the first part of the log for this screenshot, I see mostly malicious traffic hitting this server:

NodeGoat

by Vince
in Blog

As a hacker security professional, I'm more of a generalist than a specialist and while I'm ok at web application security, I wouldn't tout my prowess in that area. 

A few weeks ago, I took a class specific to web app security because that area is so vast; I felt like I wanted to move further up the line by hiring a professional to teach me some things I don't know. Two areas that I've spent little time banging around on are Node and Mongo. Both were discussed in class, but briefly. To continue my education, I've been playing around with vulnerable Node apps on GitHub.

NodeGoat is a vulnerable application built for the specific purpose of education, and while you could go the route of using the Docker image, I would suggest going the manual installation avenue. At least for me, I find it helpful to see both the front end and the back end. The installation is not complicated.

Pentesting 101: Web Fuzzing

by Vince
in Blog

According to the Interwebs, fuzzing involves sending random data to software until something happens or something reveals itself.  Fuzzing a web server is not much different really other than I wouldn't call it random data.  We're essentially taking lists of words, throwing them at the web server in different ways, and we're looking at the response.

In my opinion, fuzzing is an art form because it's a matter of using the right tool, with the right list, in the right way, to get the right response.
