
What is Web Fuzzing: How can Web Fuzzing be useful in a Pentest?


Fuzzing generally means finding bugs and issues by automatically supplying unexpected data to an application and then monitoring it for exceptions, errors, or stack traces. The aim is to feed superfluous data that triggers exceptions and to check whether these exceptions could lead to security issues.

Fuzzers work best for discovering vulnerabilities that can be exploited by buffer overflow, DOS (denial of service), cross-site scripting, and SQL injection. These schemes are often used by malicious hackers intent on wreaking the greatest possible amount of havoc in the least possible time. Fuzz testing is less effective for dealing with security threats that do not cause program crashes, such as spyware, some viruses, worms, Trojans, and keyloggers.

Although fuzz testing is simple, it offers a high benefit-to-cost ratio and can often reveal serious defects that are overlooked when software is written and debugged. It cannot provide a complete picture of the overall security, quality, or effectiveness of a program, however, and is most effective when used in conjunction with extensive black box testing, beta testing, and other proven debugging methods.

Fuzzing has been around for many years and has been done in different ways. The term "fuzz" originated from a fall 1998 class project in the graduate Advanced Operating Systems class (CS736), taught by Prof. Barton Miller at the University of Wisconsin.

Fuzzing Web Applications:

Web application fuzzing applies the same technique to web applications in order to expose the common vulnerability classes listed in the OWASP Top 10.

Steps:

  • Determine the web app type/tech stack (PHP, ASPX, JSP).
  • Identify the data injection points (input points such as parameters, headers, and form fields).
  • Fuzz with payloads (fuzzing dictionaries, encoded payloads, superfluous data).
  • Observe the application's responses for errors, crashes, and unexpected behaviour.
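The four steps above, carried through as an added example that is not part of the original article and not code from any of the tools it lists: a minimal fuzzer that substitutes a FUZZ marker in a request template with each payload and its URL-encoded variant, then flags responses that deviate from a benign baseline. The target here is a constructed in-memory stand-in for a PHP page (hypothetical, so the example runs offline); with a real target, `send` would perform the HTTP request.

```python
import urllib.parse
# Constructed payload dictionary: a few entries per vulnerability class plus superfluous data.
PAYLOADS = ["admin", "'", '"', "<script>", "A" * 2048, "../../etc/passwd"]
# Server-side error strings that indicate an unhandled exception (the "observing" step).
ERROR_SIGNATURES = ["SQL syntax", "Stack trace", "Warning:", "Exception"]

def payload_variants(payload):
    """Yield the raw payload and, when it differs, a URL-encoded variant."""
    yield payload
    encoded = urllib.parse.quote(payload, safe="")
    if encoded != payload:
        yield encoded

def build_request(template, payload):
    """Replace the FUZZ marker (URL, header or body position) with the payload."""
    return template.replace("FUZZ", payload)

def fuzz(template, payloads, send):
    """Send every payload variant via send(request) -> (status, body) and return
    (variant, status, reasons) for each response that deviates from a benign baseline."""
    base_status, base_body = send(build_request(template, "baseline"))
    findings = []
    for payload in payloads:
        for variant in payload_variants(payload):
            status, body = send(build_request(template, variant))
            reasons = []
            if status != base_status:
                reasons.append(f"status {base_status}->{status}")
            if abs(len(body) - len(base_body)) > 50:
                reasons.append("length delta")
            reasons += [f"error signature {s!r}" for s in ERROR_SIGNATURES if s in body]
            if reasons:
                findings.append((variant, status, reasons))
    return findings

def fake_app(request):
    """Constructed stand-in for a PHP page, not a real server: it behaves like code that
    builds an SQL query by string concatenation, so a quote in `id` yields a database error."""
    url = urllib.parse.urlsplit(request)
    if url.path != "/item.php":
        return 404, "Not Found"
    item = urllib.parse.parse_qs(url.query).get("id", [""])[0]  # parse_qs URL-decodes
    if "'" in item:
        return 500, "You have an error in your SQL syntax near ''"
    return 200, f"<h1>Item {item}</h1>"

if __name__ == "__main__":
    for variant, status, reasons in fuzz("http://example.test/item.php?id=FUZZ", PAYLOADS, fake_app):
        print(status, reasons, variant[:40])
```

Both the raw quote and its `%27` encoding are reported because the stand-in decodes the query string the way a real server does; the oversized payload is flagged only by the response length change, which is why baseline comparison matters alongside error signatures.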

Tools:

  • FFUF
  • Wfuzz
  • Boofuzz
  • Owasp Zap
  • Burp Suite

Web App Fuzzing:

  • FFUF

FFUF is one of the latest and by far the fastest fuzzing open-source tool out there. But before we begin, let’s first try to understand what fuzzing really is.

Fuzzing is the automatic process of giving random input to an application to look for any errors or any unexpected behavior. But finding hidden directories and files on a web server can also be categorized under fuzzing. 

The tool is versatile and can be used for a variety of purposes. Some of its use cases are:
  • General directory discovery, with the option to fuzz at any position in the URL.
  • VHOST discovery without DNS Records
  • Fuzzing using various HTTP methods.

  • Wfuzz

Wfuzz is built around a simple concept: every occurrence of the FUZZ keyword in a request is replaced by the value of a given payload. This allows any input to be injected into any field of an HTTP request, which makes it possible to perform complex web security tests against different web application components such as parameters, authentication, forms, directories/files, headers, etc.

Wfuzz is more than a web content scanner:

  • Wfuzz could help you to secure your web applications by finding and exploiting web application vulnerabilities. Wfuzz’s web application vulnerability scanner is supported by plugins.
  • Wfuzz is a completely modular framework and makes it easy for even the newest Python developers to contribute. Building plugins is simple and takes little more than a few minutes.
  • Wfuzz exposes a simple language interface to previous HTTP requests/responses performed using Wfuzz or other tools, such as Burp. This allows you to perform manual and semi-automatic tests with full context and understanding of your actions, without relying on a web application scanner's underlying implementation.

  • Boofuzz

Boofuzz is a fork of and the successor to the venerable Sulley fuzzing framework. Besides numerous bug fixes, boofuzz aims for extensibility. The goal: fuzz everything.

Features

Like Sulley, boofuzz incorporates all the critical elements of a fuzzer:
  • Easy and quick data generation.
  • Instrumentation – AKA failure detection.
  • Target reset after failure.
  • Recording of test data.
  • Much easier install experience!
  • Support for arbitrary communications mediums.
  • Built-in support for serial fuzzing, Ethernet- and IP-layer fuzzing, and UDP broadcast.
  • Better recording of test data – consistent, thorough, clear.
  • Test result CSV export.
  • Extensible instrumentation/failure detection.
  • Far fewer bugs.
Source:- https://github.com/jtpereyda/boofuzz

  • Owasp Zap

Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.

At its core, ZAP is what is known as a “man-in-the-middle proxy.” It stands between the tester’s browser and the web application so that it can intercept and inspect messages sent between the browser and web application, modify the contents if needed, and then forward those packets to the destination. It can be used as a stand-alone application, and as a daemon process.

  • Burp Suite

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun. It is the most popular tool among professional web app security researchers and bug bounty hunters. Its ease of use makes it a more suitable choice over free alternatives like OWASP ZAP. Burp Suite is available as a community edition which is free, a professional edition that costs $399/year, and an enterprise edition that costs $3999/year. This article gives a brief introduction to the tools offered by Burp Suite. If you are a complete beginner in Web Application Pentest/Web App Hacking/Bug Bounty, we recommend simply reading through without worrying too much about any single term.

Source:- http://portswigger.net/burp/