• Fuzzing is the process of sending requests with various types of input to an endpoint in order to provoke an unintended result.

==Choosing Payloads==

  • SecLists, Wfuzz Extensions, FuzzDB

==Detecting Anomalies==

  • When input is not handled properly and causes an error, the server will often return that error in the response.
  • The HTTP response codes might all be identical, but a few requests might result in a response size that is a few bytes larger than the baseline responses.
  • A response that carries such an error (for example, a database error message) immediately reveals that you’re interacting with an API request that does not handle input properly and that the backend of the application is utilizing a SQL database.
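The comparison described above, written out as an added example (not code from the book): each fuzzed response is compared against a baseline response by status code, body size and error text, so that a response that keeps the same status code but grows by a few bytes, or that contains a database error string, is flagged. The sample responses, the error-signature list and the field names are constructed for this example.

```python
import re
from dataclasses import dataclass

# Strings that commonly appear in error responses when input is not handled
# properly. Illustrative list for this example, not taken from the book.
ERROR_SIGNATURES = [
    re.compile(r"syntax error", re.I),
    re.compile(r"\bSQL\b", re.I),
    re.compile(r"Traceback", re.I),
    re.compile(r"Exception", re.I),
    re.compile(r"stack trace", re.I),
]


@dataclass
class FuzzResult:
    """One request/response pair from a fuzzing run (constructed for the demo)."""
    payload: str
    status: int
    body: str

    @property
    def size(self) -> int:
        return len(self.body.encode("utf-8"))


def find_anomalies(baseline, results, size_tolerance=0):
    """Compare each result against the baseline response and return
    (payload, reasons) for every response that differs in status code,
    differs in body size by more than size_tolerance bytes, or contains
    an error signature that the baseline body does not."""
    anomalies = []
    for r in results:
        reasons = []
        if r.status != baseline.status:
            reasons.append(f"status {baseline.status} -> {r.status}")
        delta = r.size - baseline.size
        if abs(delta) > size_tolerance:
            reasons.append(f"size {delta:+d} bytes")
        for sig in ERROR_SIGNATURES:
            hit = sig.search(r.body)
            if hit and not sig.search(baseline.body):
                reasons.append(f"error text {hit.group(0)!r}")
        if reasons:
            anomalies.append((r.payload, reasons))
    return anomalies


# Constructed sample run: the baseline is the response to a benign value.
BASELINE = FuzzResult("hapi@hacker.com", 200, '{"status":"ok"}')
SAMPLE_RESULTS = [
    FuzzResult("hapi@hacker.com", 200, '{"status":"ok"}'),
    # same status code, but the body is a few bytes larger and leaks a DB error
    FuzzResult("hapi@hacker.com'", 200, '{"status":"ok","debug":"SQL syntax error"}'),
    FuzzResult("hapi@hacker.com<b>", 200, '{"status":"ok"}'),
    FuzzResult("A" * 2048, 500, '{"status":"error"}'),
]

if __name__ == "__main__":
    for payload, reasons in find_anomalies(BASELINE, SAMPLE_RESULTS):
        print(f"{payload[:30]!r:35} {'; '.join(reasons)}")
```

Only the single-quote payload and the oversized string are reported; the benign value and the harmless tag produce responses identical to the baseline. Raising size_tolerance hides responses that differ by a handful of bytes of dynamic content (timestamps, request ids) while the status and error-text checks still fire.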

==With Postman==

  • Create a Postman environment in which to save a set of fuzzing variables. This lets you seamlessly use the environmental variables from one collection to the next. A Postman test such as the following, added to the collection, flags any request whose status code departs from the expected 200 when the collection is run:

    // Postman test script: the request fails if the status code is not 200
    pm.test("Status code is 200", function () {
        pm.response.to.have.status(200);
    });
  • Once you’ve cycled through a collection run, update the fuzzing value to the next variable you would like to test, perform another collection run, and compare results.

==With Burp Suite==

  • When you’re fuzzing, it is always worthwhile to request the unexpected. If a field expects an email, send numbers. If it expects numbers, send a string. If it expects a small string, send a huge string. If it expects a Boolean value (true/false), send anything else.
  • Check to see what happens if you send a valid-looking email followed by a fuzzing payload. In Burp Intruder that would look something like this, with the § markers enclosing the payload position:

    "user": "hapi@hacker.com§test§"

  • If you identify the exact symbol or combination of symbols causing the issue, attempt to pair other payloads with it to see if you can get additional interesting responses.

==With Wfuzz==

  • The following example uses a SecLists payload called big-list-of-naughty-strings.txt, which contains over 500 values. The -z option selects the payload source, here a file:

$ wfuzz -z file,/home/hapihacker/big-list-of-naughty-strings.txt

  • First, to match the Burp Suite example covered in the previous section, we will need to include the Content-Type and x-access-token headers in order to receive authenticated results from the API. Each header is specified with the option -H and surrounded by quotes:

$ wfuzz -z file,/home/hapihacker/big-list-of-naughty-strings.txt -H "Content-Type: application/json" -H "x-access-token: [...]"

  • Next, note that the request method is PUT. You can specify it with the -X option. To hide responses with a status code of 400, use the --hc 400 option. The -p option routes the requests through a proxy, here Burp Suite listening on 127.0.0.1:8080, so that they are also captured there:

$ wfuzz -z file,/home/hapihacker/big-list-of-naughty-strings.txt -H "Content-Type: application/json" -H "x-access-token: [...]" -p 127.0.0.1:8080:HTTP --hc 400 -X PUT
  • Now, to fuzz a request body using Wfuzz, specify the request body with the -d option and paste the body into the command, surrounded by quotes.

  • Finally, we use -u to specify the URL we’re attacking:

$ wfuzz -z file,/home/hapihacker/big-list-of-naughty-strings.txt -H "Content-Type: application/json" -H "x-access-token: [...]" --hc 400 -X PUT -d "{
\"user\": \"FUZZ\",
\"pass\": \"FUZZ\",
\"id\": \"FUZZ\",
\"name\": \"FUZZ\",
\"is_admin\": \"FUZZ\",
\"account_balance\": \"FUZZ\"
}" -u http://192.168.195.132:8090/api/user/edit_info

  • The same command can be routed through the Burp Suite proxy with -p 127.0.0.1:8080, so that every request and response is also recorded in Burp:

$ wfuzz -z file,/home/hapihacker/big-list-of-naughty-strings.txt -H "Content-Type: application/json" -H "x-access-token: [...]" -p 127.0.0.1:8080 --hc 400 -X PUT -d "{
\"user\": \"FUZZ\",
\"pass\": \"FUZZ\",
\"id\": \"FUZZ\",
\"name\": \"FUZZ\",
\"is_admin\": \"FUZZ\",
\"account_balance\": \"FUZZ\"
}" -u http://192.168.195.132:8090/api/user/edit_info
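An added example (not the book's code) that ties the Burp Suite idea of a valid-looking value followed by a payload to the Wfuzz file payload above: it appends each wordlist entry to a valid email, optionally JSON-escapes the result, and checks whether the body Wfuzz would send after substituting FUZZ is still parseable JSON. The point it shows is a practical caveat: entries containing a double quote, a backslash or a newline break the JSON body (and a newline also splits the wordlist line), so the server may reject the request before the payload ever reaches the code you want to exercise. The wordlist entries, the body template and the output path are constructed for this example.

```python
import json
from pathlib import Path

# Constructed stand-in for a handful of lines from a naughty-strings wordlist;
# the real big-list-of-naughty-strings.txt has over 500 entries.
NAUGHTY_STRINGS = [
    "'",
    '"',
    "\\",
    "' OR '1'='1",
    "<b>bold</b>",
    "line\nbreak",
    "\u202e",          # Unicode right-to-left override
    "A" * 64,
]

# Body template in the form passed to wfuzz -d; wfuzz replaces every FUZZ.
BODY_TEMPLATE = '{"user": "FUZZ", "pass": "FUZZ"}'


def build_payloads(valid_value, naughty, json_safe=True):
    """Append each naughty string to a valid-looking value (the
    hapi@hacker.com§payload§ pattern from the Burp Suite section). With
    json_safe=True each payload is JSON-escaped so that dropping it between
    the existing quotes in BODY_TEMPLATE keeps the body parseable."""
    payloads = []
    for s in naughty:
        p = valid_value + s
        if json_safe:
            # json.dumps wraps the string in quotes; strip them because the
            # template already supplies the quotes around FUZZ
            p = json.dumps(p, ensure_ascii=False)[1:-1]
        payloads.append(p)
    return payloads


def body_is_valid_json(template, payload):
    """Check what the server would actually receive: the template with FUZZ
    replaced verbatim, as wfuzz does it."""
    try:
        json.loads(template.replace("FUZZ", payload))
        return True
    except json.JSONDecodeError:
        return False


def write_wordlist(path, payloads):
    """Write one payload per line for use with wfuzz -z file,<path>.
    Returns the number of lines written."""
    Path(path).write_text("\n".join(payloads) + "\n", encoding="utf-8")
    return len(payloads)


if __name__ == "__main__":
    raw = build_payloads("hapi@hacker.com", NAUGHTY_STRINGS, json_safe=False)
    safe = build_payloads("hapi@hacker.com", NAUGHTY_STRINGS)
    for r, s in zip(raw, safe):
        print(f"raw body valid={body_is_valid_json(BODY_TEMPLATE, r)!s:5} "
              f"escaped body valid={body_is_valid_json(BODY_TEMPLATE, s)!s:5} {s!r}")
    # constructed output path; point -z file,... at it
    print(write_wordlist("/tmp/email-plus-naughty.txt", safe), "payloads written")
```

Both lists are worth running: the escaped list reaches the application's own handling of the field, while the raw list tests how the server reacts to a malformed body, which is exactly the "request the unexpected" advice above. Because a single -z payload is substituted into every FUZZ position, the template above sends the same value in both fields.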