Introduction to Parameter Fuzzing
Parameter fuzzing is a technique used in web security to uncover hidden or undocumented parameters within web applications. These parameters, which can be part of either GET or POST requests, often reveal insights into the application's backend logic and potential vulnerabilities.
Understanding GET and POST Requests
GET Requests: Data is sent in the URL, appended after a '?' symbol. For example,
http://example.com/page?param=value
.POST Requests: Data is sent in the body of the request, not visible in the URL. This method is used for sending large amounts of data.
Step-by-Step Guide to Fuzzing GET Requests
Tool Setup: Ensure you have
ffuf
, a fast web fuzzer, installed on your system.Selecting a Wordlist: Choose an appropriate wordlist for fuzzing. For parameter names,
/opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt
is recommended.Fuzzing Command:
ffuf -w /path/to/wordlist:FUZZ -u <http://target.com/page?FUZZ=value> -fs filter_size
Replace
/path/to/wordlist
with your selected wordlist path,http://target.com/page
with your target URL, andfilter_size
with the size of responses to filter out (commonly returned sizes for non-existent parameters).Below is the command and what I found in the HTB Academy Lab machine with the parameter fuzzing technique.
──╼ [★]$ ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u <http://admin.academy.htb:34796/admin/admin.php?FUZZ=key>
Analyzing Results: Look for anomalies in the sizes and statuses of the responses, which indicate a potentially valid parameter.
Fuzzing With POST Requests
POST parameter fuzzing involves sending numerous HTTP POST requests with varied input values to a target application to discover how it processes different inputs. This method is instrumental in identifying:
Unseen parameters that could affect the application's behavior.
Potential security flaws like SQL injection points, cross-site scripting (XSS) vulnerabilities, or other input validation issues.
Prerequisites
Access to
ffuf
, a fast web fuzzer tool.A wordlist containing potential parameter names.
The target URL of a web application accepting POST requests.
Setup and Execution
Prepare the Wordlist: Ensure you have a wordlist with common parameter names. For this exercise, we use
/opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt
.Configure
ffuf
for POST Fuzzing:- To fuzz POST parameters,
ffuf
must be instructed to send POST requests and include potential parameter names (and values) in the request body.
- To fuzz POST parameters,
Command Breakdown:
bashCopy code ffuf -w /path/to/wordlist:FUZZ -u TARGET_URL -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs [size_to_filter]
w
: Specifies the wordlist path.u
: Target URL.X POST
: Sets the request method to POST.d 'FUZZ=key'
: Data string to be sent in the request body, whereFUZZ
will be replaced by each entry in the wordlist.H 'Content-Type: application/x-www-form-urlencoded'
: Sets the request header to inform the server of the data format, more about the content type, go to this link.fs
: Filters out responses of a specific size to reduce false positives.
Practical Example
Let's assume we're targeting http://admin.academy.htb:PORT/admin/admin.php
and suspect there's an undocumented parameter that can reveal sensitive information.
Execute the Fuzzing Command:
╼ [★]$ ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u <http://admin.academy.htb:34796/admin/admin.php> -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs 100
Analyze the Output: Positive hits might indicate a valid parameter name. In our example, suppose
id
returned a different response size or status code, suggesting it's a recognized parameter.
Verifying the Parameter
After identifying a potential parameter (id
in this case), the next step is to verify its function and explore its impact on the application's behavior.
Send a Test Request:
curl -X POST <http://admin.academy.htb>:PORT/admin/admin.php -d 'id=test_value' -H 'Content-Type: application/x-www-form-urlencoded'
Interpret the Response: An error message or a change in application behavior can confirm the parameter's significance and guide further testing.
Value Fuzzing
Value fuzzing is a technique used in web penetration testing to identify valid parameter values that a web application accepts. This process is crucial after identifying a potential parameter through fuzzing, as it helps uncover the specific values that could lead to sensitive information disclosure or other vulnerabilities. This guide will walk you through the process of value fuzzing, focusing on POST request parameters, using a practical example.
Understanding Value Fuzzing
Value fuzzing involves systematically sending a range of values for a specific parameter to see how the application responds. It is used to find valid values that could trigger unexpected behaviors or reveal hidden functionalities within the application.
Step-by-Step Guide to Value Fuzzing
Step 1: Prepare Your Environment
Before you start, ensure you have the following:
Access to a fuzzing tool like
ffuf
.A target application you are authorized to test.
Knowledge of a parameter you wish to fuzz for valid values.
Step 2: Developing a Custom Wordlist
Identify the Parameter Type: Understand the parameter you are fuzzing. For numeric IDs, a list of numbers might suffice, whereas other parameters might require a more complex or creative approach.
Create the Wordlist:
For numeric parameters (e.g., IDs), use a sequence of numbers. Example command to generate a list of numbers from 1 to 1000:
bashCopy code for i in $(seq 1 1000); do echo $i >> ids.txt; done
Ensure the wordlist is saved in an accessible location, e.g.,
ids.txt
.
Step 3: Execute the Fuzzing Command
Set Up
ffuf
for Value Fuzzing:Use the
w
option to specify your wordlist.The
u
option followed by your target URL, including the parameter name you're testing.The
X POST
option to specify the POST method.The
d
option with'id=FUZZ'
to indicate where to insert values from your wordlist.The
H
option to set theContent-Type
toapplication/x-www-form-urlencoded
.Optionally, use the
fs
option to filter out responses of a certain size that are not of interest.
Command Example:
bashCopy code ffuf -w ids.txt:FUZZ -u <http://admin.academy.htb>:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs [size_to_filter]
Replace
[size_to_filter]
with an appropriate value based on your observations.
Step 4: Analyze the Results
Carefully review the responses from
ffuf
. A different response size or status code might indicate a valid value.Note any potential hits for further investigation.
Step 5: Verify and Explore
After identifying a potential valid value, manually verify it using tools like
curl
or your web browser to understand its impact.curl -X POST <http://admin.academy.htb>:PORT/admin/admin.php -d 'id=[valid_value]' -H 'Content-Type: application/x-www-form-urlencoded'
Common Pitfalls and Troubleshooting
Rate Limiting: Some applications implement rate limiting, which could block your IP if too many requests are made too quickly. Adjust your request rate accordingly.
Incorrect Content-Type: Ensure the
Content-Type
header matches the expected format of the application.Parameter Handling: Some applications may process parameters differently. If fuzzing doesn’t yield expected results, consider alternative values or formats.