Introduction
Fuzzing or "fuzz-testing" is the automated technique of sending mutated requests to an application to cause the application to crash or induce unexpected behavior and discover security vulnerabilities.
Burp Suite Intruder is a powerful tool for executing web application fuzzing and finding vulnerabilities that are hard to find using manual penetration testing and scanning.
Fuzzing Scenarios
Identifying Fuzzable Inputs
While performing a penetration test, a standard reconnaissance method is to navigate through the application using Burp Proxy to identify what parameters the application uses, i.e., which headers, query, and body parameters it accepts, and which endpoints it connects to.
Once you've identified the parameters, determine which of them are suitable for fuzzing for vulnerabilities such as XSS, SQL Injection, OS Command Injection, etc. Download a suitable wordlist such as SecLists https://github.com/danielmiessler/SecLists to use as the payload list in Intruder.
Burp Suite Intruder
Burp Intruder is very effective at fuzzing web applications and automating vulnerability assessment during penetration testing. Using Burp Intruder, you can specify what type of payloads should be injected into a request, which request parameters should be tested, and how many parameters to test simultaneously.
Burp Intruder Attack Types
Sniper
The sniper attack type uses a single payload list to fuzz one predefined parameter position, leaving the rest of the parameters at their default values. Sniper is most effective when fuzzing for XSS, Command Injection, Directory Brute force, IDOR, and SQL injection.
Fuzzing for XSS
Target the XVWA (Xtreme Vulnerable Web Application) to fuzz for Reflected XSS. Download the vulnerable machine from here https://www.vulnhub.com/entry/xtreme-vulnerable-web-application-xvwa-1,209
Navigate to the URL vulnerable to XSS and capture the request in Burp Proxy.
Intercepting request in proxy and sending it to the Intruder.
Right-click on the request and select "Send to Intruder." Clear all payload markers, then insert a new marker around the parameter of your interest in fuzzing.
Then select the payloads option and load the payload wordlist from SecLists.
Start the attack and analyze the response for reflected XSS payloads.
Send the reflected payloads to the browser for manual testing and confirm that the payload triggers XSS and the cookie is successfully read.
XSS Analysis using Grep-Match
Grep-Match in Burp Intruder is a powerful feature for flagging results whose responses contain specified expressions. Navigate to the URL vulnerable to XSS and capture the request in Burp Proxy.
Right-click on the request and select "Send to Intruder."
Clear all payload markers, then insert a new marker around the parameter of your interest in fuzzing.
Then select the payloads option and load the payload wordlist from SecLists or type in the payloads as shown below.
Go to the Options tab, clear the default expressions under Grep-Match, and add the XSS payloads so that Intruder flags results whose responses contain them.
Start the attack and, once it completes, analyze the results and observe the Grep-Match expression columns. Select a flagged request and analyze the response to identify whether the payload is reflected unmodified, an indicator of a successful XSS attack.
Fuzzing for SQL injection
Target the OWASP Juice Shop login page to fuzz for SQL Injection. Download and configure Juice Shop from here https://sourceforge.net/projects/juice-shop
Capture the login request in the Burp Proxy and send it to the Intruder.
Clear the payload positions and mark the email parameter for SQL Injection tests.
Load the SQL Injection payloads from Seclists.
Start the attack and analyze the response.
In the results, examine responses with an unusually high length in bytes to identify a possible successful SQL Injection attack. Send that request through the browser for manual testing and confirm that the payload causes SQL Injection and login is successful.
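The two analysis steps used above, Grep-Match over the XSS responses and the response-length check over the SQL injection login run, as an added Python example that is not code from the page's targets or from Burp; the Result class, the sample response bodies and the payload labels are constructed for illustration.

```python
import html
import statistics
from dataclasses import dataclass


@dataclass
class Result:
    """One row of an Intruder result table: the payload sent, status and body received."""
    payload: str
    status: int
    body: str


def grep_match(results: list[Result], expressions: list[str]) -> dict[str, list[str]]:
    """Grep-Match as the Options tab does it: which expressions occur verbatim in each response."""
    return {r.payload: [e for e in expressions if e in r.body] for r in results}


def reflection_report(results: list[Result]) -> dict[str, str]:
    """'raw' = payload reflected unmodified (the XSS indicator), 'encoded' = only its
    HTML-escaped form came back (the app neutralised it), 'absent' = not reflected."""
    report = {}
    for r in results:
        if r.payload in r.body:
            report[r.payload] = "raw"
        elif html.escape(r.payload, quote=True) in r.body:
            report[r.payload] = "encoded"
        else:
            report[r.payload] = "absent"
    return report


def length_outliers(results: list[Result], z: float = 2.0) -> list[str]:
    """Payloads whose response length sits >= z standard deviations from the run's mean:
    the 'response with high length' the SQL injection section tells you to inspect."""
    lengths = [len(r.body) for r in results]
    if len(lengths) < 3:
        return []
    mean, sd = statistics.mean(lengths), statistics.pstdev(lengths)
    if sd == 0:
        return []
    return [r.payload for r in results if abs(len(r.body) - mean) / sd >= z]


# Constructed sample rows, not captured from XVWA or Juice Shop.
XSS_RESULTS = [
    Result("<script>alert(1)</script>", 200, "<p>Search: <script>alert(1)</script></p>"),
    Result("<img src=x onerror=alert(1)>", 200, "<p>Search: &lt;img src=x onerror=alert(1)&gt;</p>"),
]
# Five identical 40-byte "login failed" pages and one much larger post-login page.
SQLI_RESULTS = [Result(f"payload-{i}", 200, "<h1>Invalid email or password</h1>".ljust(40)) for i in range(1, 6)]
SQLI_RESULTS.append(Result("payload-6", 200, "<h1>Welcome back, admin</h1><nav>...</nav>".ljust(400)))
```

Note that grep_match flags alert(1) in both XSS rows even though the second reflection is HTML-encoded, which is exactly why the page confirms each hit in the browser; reflection_report separates the two cases.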
Battering ram
The Battering ram attack type places the same payload value in all positions and uses only one payload set. It loops through the payload set and replaces all marked positions with payload values.
Bruteforce Attack
The target selected for the Bruteforce attack is Acunetix Acuform http://testasp.vulnweb.com/ application. We are going to perform a password brute force on the login page.
Capture the acuform login page request in Burp Proxy and send it to the Intruder.
Select the attack type as Battering ram and clear all the markers. Add the marker around the Password parameter value.
Load the password wordlist from Seclists as payloads for brute-forcing passwords.
Start the attack and analyze the results. Examine the Length and Status columns to spot a successful login. Send that request through the browser for manual testing and confirm the login is successful.
Pitchfork
The pitchfork attack type uses one payload set for each position and walks the sets in parallel: the first payload of each set goes into its position on the first request, the second payload of each set on the second request, and so on. This attack type is appropriate when you have data items that belong together, for example username and password combinations, where you load the usernames in the first payload set and the corresponding passwords in the second payload set. Pitchfork then sends each username/password pair in a fuzzing request.
Bruteforce Attack
The target selected for the Bruteforce attack is Acunetix Acuform http://testasp.vulnweb.com/ application. We are going to perform a password brute force on the login page.
Capture the acuform login page request in Burp Proxy and send it to the Intruder.
Select the attack type as Pitchfork and clear all the markers. Add the markers around the Username and Password parameter values.
Load the username and password wordlists from Seclists as payloads for brute-forcing.
Start the attack and analyze the response for the correct username and password combination.
Examine the Length and Status columns to spot a successful login. Send that request through the browser for manual testing and confirm the login is successful.
Clusterbomb
The cluster bomb attack type uses a separate payload set for each position, placing the first set's payloads in the first position and the second set's payloads in the second position, and as it loops through the payload sets it tries every combination. For example, if you have 50 usernames and 50 passwords, this attack will perform 2,500 requests.
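To make the difference between the four attack types concrete, here is an added Python example (not Burp's own code) that expands a request template with §...§ payload markers the way sniper, battering ram, pitchfork and cluster bomb do and counts the resulting requests; the login template and the payload lists are constructed, and the § marker convention is borrowed from the Intruder UI.

```python
import itertools
import re
from typing import Iterator

# Burp marks a payload position with section signs around the default value: §value§.
MARKER_RE = re.compile("§([^§]*)§")


def expand(template: str, payload_sets: list[list[str]], attack_type: str) -> Iterator[str]:
    """Yield the requests Intruder would send for a template with §...§ positions.
    Sniper and battering ram use payload_sets[0] only; pitchfork and cluster bomb use one set per position."""
    defaults = MARKER_RE.findall(template)  # original value of each position
    n = len(defaults)
    if n == 0:
        raise ValueError("template contains no §...§ payload positions")
    if attack_type in ("pitchfork", "cluster bomb") and len(payload_sets) < n:
        raise ValueError(f"{attack_type} needs {n} payload sets, got {len(payload_sets)}")

    def render(values: list[str]) -> str:
        it = iter(values)
        return MARKER_RE.sub(lambda _m: next(it), template)  # a function avoids escape processing

    if attack_type == "sniper":
        # one position at a time; the other positions keep their default value
        for i in range(n):
            for p in payload_sets[0]:
                yield render([p if j == i else defaults[j] for j in range(n)])
    elif attack_type == "battering ram":
        # the same payload goes into every position
        for p in payload_sets[0]:
            yield render([p] * n)
    elif attack_type == "pitchfork":
        # sets walked in parallel; the run ends with the shortest set
        for combo in zip(*payload_sets[:n]):
            yield render(list(combo))
    elif attack_type == "cluster bomb":
        # every combination, so the count is the product of the set sizes
        for combo in itertools.product(*payload_sets[:n]):
            yield render(list(combo))
    else:
        raise ValueError(f"unknown attack type: {attack_type}")


def request_count(template: str, payload_sets: list[list[str]], attack_type: str) -> int:
    return sum(1 for _ in expand(template, payload_sets, attack_type))


# Constructed login request template, not a capture from any of the targets above.
TEMPLATE = "POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nusername=§admin§&password=§letmein§"
```

With 50 usernames and 50 passwords request_count gives 100 for sniper (two positions, one at a time), 50 for battering ram, 50 for pitchfork and 2,500 for cluster bomb.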
Bruteforce Attack
Target the XVWA (Xtreme Vulnerable Web Application) to fuzz for a brute force attack. We are going to perform a password brute force on the login page. Capture the request in Burp Proxy and send it to Intruder.
Select the attack type as Clusterbomb and clear all the markers. Add the markers around the Username and Password parameter values.
Load the username and password wordlists from Seclists as payloads for brute-forcing.
Start the attack, analyze the response for the correct username and password combination, and examine the Length and Status columns to spot a successful login. Send that request through the browser for manual testing and confirm the login is successful.
Payloads