Fuzzing Web Application
- Injecting random data into applications have varying effects and may reflect a different output for each input.This trial-and-error method could lead the attacker to vulnerabilities that have not beenprevioussly identified in the application.
/dev/randomis a special file in Linux that generates random data.
Types of fuzzing techniques:
- Mutation fuzzing
- Generation fuzzing
Adding intelligence to the fuzzer prevents the data from been rejected as in the case of Mutation fuzzing.Generation fuzzing uses a specification or RFC,which has detailed information about the format.An intelligent fuzzer works as a true client injecting data and creating dynamic replies based on response from the application.
Some of fuzzing`s most common uses are as follows:
- Network protocal fuzzing
- File fuzzing(FileFuzzand SKIPEfile are two file fuzzing tools)
- User interface fuzzing
- Web application fuzzing
- Web browser fuzzing(Mangleme and Crossfuzz are two well-known browser fuzzers)
Some of the most mature and widely used frameworks with fuzzing are as follows:
Fuzzing input in web application:
Request URI:A request URI might include the following parameters:
- Fuzzing the name parameter could result in privilege escalation by changing the userid value to the ID of a user with administrative rights.At the end,fuzzing the value parameter could reveal XSS,command injection ,and SQL injection flaws.
Headers:The following header fields should be fuzzed to find if they can be exploited:
- Accept language
- SQL injection ,cross-site sccripting,command injection,and buffer overflow flaws could be found by fuzzing the header fielsds.By fuzzing the cookie value,the hacker canpredict session IDs of other user and hijack sessions.If additional cookies are stored to share data between the server and the client,it should be fuzzed to find out if it`s vulnerable to any SQL or XSS flaw.
Form field:A web form containing different parameters should be thoroughly fuzzed to test the input validation implemented by the application.The application developer should set correct bound check for every field and reject data beyond it .For example,an input field for the PIN code should only accept numbers.The application should also discard any type of script tags in the input that could result in an XSS flaw.
Web application fuzzers in Kali
- Burp Suite
In Burp:The Brep-Match and Grep-Extract options are userful when dealing with the response from the server.It can match specific values returned by the server such as SWL errors and internal functions and flag that request.Using the Grep-Extract option,you can pull out specific values of interest from the response.