Fuzzing Guide to Finding Security Vulnerabilities with BurpSuite

In previous guides on iguru, we have used the Burp Suite for various purposes. To test, evaluate and hack online applications. BurpSuite is one of a set of tools that each hacker/pentester/bug bounty hunter he should know!

Burp Suite is an excellent web site tool used by many pentesters to check for vulnerabilities in websites and web applications.

The Burp Suite works with detailed knowledge of the application of an HTTP protocol. This tool works through an algorithm that can be configured by settings and can generate malicious HTTP attacks that a hacker uses.

The Burp Suite is especially useful for discovering vulnerabilities such as SQL injections and cross-site scripting.

bugs

In this guide, we will use BurpSuite to scan a web application for vulnerabilities. Fuzzing is the process of sending random data to an application in order to crash the application and thereby identify vulnerabilities (if any). If we can crash an application with some random input, we can then identify the cause of the crash and potentially use it to exploit the application. So, for example, if we send data that is too large for the application to handle and the application crashes, this may indicate a possible vulnerability buffer overflow.

So we will use BurpSuite to send specially formatted input to a web application in an attempt to discover SQL injection and XXE vulnerabilities. It's a great technique for finding vulnerabilities for bug bounty!

Step #1: Open Kali and OWASP-BWA

The first step, of course, is to start Kali and OWASP-BWA.

burp

Now, open your browser and click on the Mutillidae II application. This should open the app as shown below.

burp1

 

Step #2: Open BurpSuite

Then launch BurpSuite in Kali.

burp2

In your browser open it OWASP2013->Injection (SQL)->SQLi-Bypass Authentication ->Login.

burp3

This will open a screen similar to the one below.

burp4

Now, with Intercept ON (and browser proxy enabled) in the proxy server in BurpSuite, type any random username and password. I used "test" and "complexpassword". The proxy will catch or intercept the request as shown below.

Right click and select Send to Intruder

burp5

Now, click on the tab Intruder at the top of the page. This opens Intruder showing 4 tabs, Target (Target), Stances (Seats), Payloads (Payloads) and Options (Choices).

Select Positions. Intruder will highlight various possible locations of the payload. Click the button Clear (Clear) on the right side. Now highlight the field username and click the button Add.

burp6

Then click on Payloads. Here you should add a payload or a list of fuzzing strings.

When fuzzing, we have several options for input strings. We could send millions of random inputs that could take hours or days, or we could send specially configured inputs that look for a specific type of vulnerability. Here we are specifically looking for SQLi vulnerabilities, so let's use a smaller and specific list of SQLi inputs.

We can go to the Kali terminal and search for fuzzing string wordlists by typing:

kali > locate wordlists | grep fuzzy

burp7

This will find all word lists and filter for the word “fuzz”. There are many, but let's use one specifically for SQL, such as usr/share/wfuzz/wordlists/Injections/SQL.txt.

This list contains many strings that can potentially cause SQL injection. Of course, you can use any of these word lists to find vulnerabilities, but this one looks specifically for SQLi errors.

On the screen payload, click the button Load (Load) and enter the path to the file SQL.txt.

burp8

Finally, click the button Start attack and BurpSuite will start testing each of the strings in the username or any selected field.

burp9

To identify potential SQL Injection vulnerabilities in this form in this application, look for anomalies in Status and the size of Responses. Almost all of these answers are 50773 long, but several are longer. Longer responses are a possible indication of a successful SQLi attack.

Step #3: Fuzzing for XXE vulnerabilities

We can do the same type of fuzzing to check for XXE vulnerabilities, but with an XML-specific input list.

To check for XXE vulnerabilities, go to the XML validator in Mutillidae.

burp10

With the window open as below and Intercept ON in the BurpSuite proxy, enter any input into the window XML and click Validate XML.

burp11

Ο proxy doescatch" the request as shown below.

burp12

Now, right click on the proxy and select “Send to Intruder". Open Intruder and clear the slots as you did above. Now, highlight your input and click the button Add.

burp13

Then click the tab Payloads and load the XXE fuzzing file from the directory wfuzz wordlist (other XXE fuzzing strings are available at /Seclists/Fuzzing/XXE-Fuzzing.txt).

burp14

Note that the directory contains XML-related strings.

burp15

Finally, click the “Start attack".

burp16

Your Burpsuite will attempt to send these XML strings to the validator. As with SQL injection fuzzing above, search variations on the state and length of the bug to find anomalies that would indicate a potential vulnerability.

Summary

Fuzzing can be a powerful technique for finding hidden vulnerabilities in web applications. BurpSuite enables us to locate almost any form in a web application and send specially configured inputs to the form.

By then reviewing the results for anomalies, we can identify potential vulnerabilities. BurpSuite can be used to scan every input in a form for vulnerabilities.

 

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.096 registrants.
Fuzzing, BurpSuite, hacking, pentest

Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).