Ifediniruozioma
3 min read · Feb 12, 2021


FUZZING

This article is for educational purposes. Do not use against any web app unless you are authorized.

What is Fuzzing?

Fuzzing is the use of security tools to automate sending data into websites or software. It is extremely effective and can also be used for actions like finding hidden files and folders or trying usernames and passwords. Poorly built applications are often unable to handle data when overwhelmed, and we can fuzz those apps to trigger an error condition that a penetration tester or bounty hunter can then abuse.

GOBUSTER: this is a tool that helps discover web directories. We could also use this tool to brute-force paths to check for valid directories. Let's look at the tool; first we'll check the help menu to list the several commands we can use when running this awesome tool.

> gobuster -h

Let's see an example using gobuster.

> gobuster dir -u <target site> -w <path to wordlists>

dir: use directory/file brute-forcing mode

-u: specify the URL to brute-force

-w: specify the wordlist to use for this action

To include an extension when brute-forcing a web directory, simply do this:

> gobuster dir -u <target site> -w <wordlist> -x <extensions>

Here the -x flag specifies that you want to add extensions when brute-forcing.

You can try out other commands yourself. Finding it difficult? Check out the online man page http://manpages.ubuntu.com/manpages/cosmic/man1/gobuster.1.html for this tool.

WFUZZ:

The premise behind wfuzz is simple. Occasionally you want a bit more information about how much data something within a web application returns. This could be anything from a file, a response code (e.g. 404, meaning the URL doesn't exist) or the parameters used in a form.

To view a list of options available when using wfuzz, visit https://manpages.debian.org/buster/wfuzz/wfuzz.1.en.html, which also covers the more advanced options that are available.

An example using wfuzz would be fuzzing an application's login form to find valid login credentials.

> wfuzz -c -z file,<wordlist> -d <parameter to fuzz> -u <url with the login form>

wfuzz will now iterate through the wordlist and replace the "FUZZ" keyword in the parameter with each entry, hopefully giving us the correct username and password for the login site.

Another example would be testing a note-taking app using wfuzz.

> wfuzz -c -z file,<wordlist> --hw <number of words to hide> <site to test>:80/FUZZ/note.txt

It's important to know that you can put FUZZ in any part of the URL, and you can also test parameters even if you don't know them.
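Both examples above, the gobuster directory brute force and the wfuzz login-form fuzzing, leave a distinctive footprint in the web server's access log, and the natural question for the defending side is how to spot it. The following Python script is an added example, not code from this post or from the gobuster or wfuzz projects. It parses combined-format access-log lines (an assumption about the server's log format) and flags a source IP that produces a burst of mostly-404 responses or a burst of POSTs to the login form. The thresholds, the /login path and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: the web server writes the Apache/Nginx "combined" log format.
# Adjust LOG_RE for other formats.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def _group_by_ip(lines, keep=lambda rec: True):
    """Parse lines, keep records satisfying `keep`, group by source IP, sort by time."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and keep(rec):
            by_ip[rec["ip"]].append(rec)
    for recs in by_ip.values():
        recs.sort(key=lambda r: r["ts"])
    return by_ip


def _sliding_windows(recs, window):
    """Yield, for each record, the slice of records within `window` ending at it."""
    start = 0
    for end in range(len(recs)):
        while recs[end]["ts"] - recs[start]["ts"] > window:
            start += 1
        yield recs[start:end + 1]


def detect_dir_bruteforce(lines, window=timedelta(seconds=60),
                          min_requests=20, min_404_ratio=0.8):
    """Flag IPs whose requests in any `window` are numerous and mostly 404s,
    the footprint a wordlist-driven path guesser leaves behind.
    Returns {ip: (requests_in_window, ratio_of_404s)} for the first window that qualifies."""
    flagged = {}
    for ip, recs in _group_by_ip(lines).items():
        for win in _sliding_windows(recs, window):
            if len(win) < min_requests:
                continue
            ratio = sum(r["status"] == 404 for r in win) / len(win)
            if ratio >= min_404_ratio:
                flagged[ip] = (len(win), ratio)
                break
    return flagged


def detect_login_bruteforce(lines, login_path="/login",
                            window=timedelta(seconds=60), min_attempts=10):
    """Flag IPs that POST to the login form at least `min_attempts` times within
    `window`. Attempts are counted regardless of status code, because a failed
    login often still returns 200 with an error page; the rate is what separates
    a fumbled password from a wordlist. Returns {ip: max_attempts_in_one_window}."""
    is_login_post = lambda rec: rec["method"] == "POST" and rec["path"] == login_path
    flagged = {}
    for ip, recs in _group_by_ip(lines, is_login_post).items():
        peak = max(len(win) for win in _sliding_windows(recs, window))
        if peak >= min_attempts:
            flagged[ip] = peak
    return flagged


def _sample_log():
    """Constructed sample log lines (not from any real server), using documentation IP ranges."""
    base = datetime(2021, 2, 12, 10, 0, 0, tzinfo=timezone.utc)
    fmt = lambda secs: (base + timedelta(seconds=secs)).strftime(TS_FMT)
    lines = []
    # Ordinary browsing: a handful of successful requests.
    for i, path in enumerate(["/", "/about", "/notes/1", "/static/app.js"]):
        lines.append(f'198.51.100.7 - - [{fmt(10 * i)}] "GET {path} HTTP/1.1" 200 {512 + i}')
    # Path guessing: 25 requests in 25 seconds, all but one a 404.
    for i in range(25):
        status = 200 if i == 3 else 404
        lines.append(f'203.0.113.5 - - [{fmt(60 + i)}] "GET /guess{i} HTTP/1.1" {status} 153')
    # Login guessing: 12 POSTs to the form in 22 seconds, every one rejected.
    for i in range(12):
        lines.append(f'203.0.113.9 - - [{fmt(120 + 2 * i)}] "POST /login HTTP/1.1" 401 87')
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    print("directory brute-force:", detect_dir_bruteforce(SAMPLE_LOG))
    print("login brute-force:", detect_login_bruteforce(SAMPLE_LOG))
```

Run it directly to see both detectors fire on the constructed sample. On a real log, pass the open file to the detectors and tune the thresholds to the site's normal traffic first: a broken link farm or a crawler can also produce many 404s, so the numbers above are a starting point, not a rule.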

PS: you can do more with these tools than is stated in this post. Do not limit yourself to just these; do more research on them and practice in your lab.
