Burp Suite for Pentester – Fuzzing with Intruder (Part 1)
Whether it’s guessing up a login credential or opting a valid payload for a specific vulnerability, both of these things are time-consuming and require a number of permutation and combination to built up a dictionary for them, if done manually. But what, if all these things are done with some simple click and you just need to sit and analyze the outcome it drops out?
Today in this article, we’ll learn the most common technique i.e. “fuzzing” that has been used since decays in order to deface a web-application, by exploiting some vulnerabilities over at the web-application with a list of pre-defined payloads that are offered by the burpsuite’s intruder tab.
Table of Content
- Introduction to Fuzzing
- What is Fuzzing?
- How Burpsuite works as a Fuzzer?
- Fuzz with Burp’s built-in Payload lists.
- Fuzzing for Login credentials.
- Fuzzing for SQL Injection
- Fuzzing to find Hidden Files
- Fuzz to find Restricted File Upload Extensions
Introduction to Fuzzing
What is Fuzzing?
Fuzzing or Fuzz Testing plays a vital role in software testing procedures. It is a technique which is used for find bugs, errors, faults, and loophole by injecting a set of partially – arbitrary inputs called fuzz into the program of the application which is to be tested. A Fuzzer takes structure inputs in a file format to differentiate between valid and invalid inputs.
However, the Fuzzer tools are best in identifying vulnerability like SQL injection, buffer overflow, Cross-Site Scripting, OS command injection and many more.
How Burp Suite work as a Fuzzer?
Burp Suite comes with an integrated HTML Fuzzer, commonly termed as a Burp Intruder. This burp intruder gives us several opportunities to fuzz the injection points in the most customizable way we can.
In order to make a fuzzing attack possible, we need to add up a dictionary as a payload list. However, Burp Suite’s Professional Edition gives us an option to opt the predefined lists containing the most common fuzz strings according to the attack types.
You might be wondering about how the fuzzing works here, right??
Let’s clear it in some simple steps.
- First, we need to intercept the HTTP Request, therewith that we’ll thus share it with the Intruder.
- As soon as we do so, we’ll define the parameters or the injection points where the fuzzing needs to be done.
- Now, at last, the attack type and payloads list need to be defined up with that.
And as soon as we launch the fuzzing attack by hitting the “Attack” button, we’ll get the output screen stating up all the possible hits and drop. Therewith it, we can thus analyse them and find a crucial hit.
Fuzz with the Burp’s built-in Payload Lists
Up till now, you might be clear about what fuzzing is, and how the Burp Suite’s Intruder helps us to fuzz a web application. So let’s take a deep dive and intercept some request in order to fuzz an application with the burp’s predefined payload lists.
Fuzzing for Login Credentials :
Usernames and Passwords plays a major role within an application, thereby if we could fuzz them in the best way, we would be able to bypass the authentication phase. So let’s do it.
1. The Password field Fuzzing using Password list & Short words list
Turn ON the burp suite in order to intercept the request and then share the same to the Intruder.
Now, configure the Position where the payload needs to injected by hitting the Add button. And even manipulate the Attack Type which determines how the payload will hit at the injection point (payload position).
Payload position: 12345 (User input as the password)
Attack type: Sniper (for one payload)
Choose the payload option to configure a Simple list of payload for the attack.
Burp suite Intruder contains fuzzing strings for testing a common Password, therefore let’s opt the Password option there.
Hit the “Attack” button and initiate the attack.
As soon as we do so, our burpsuite will start the attack by sending requests to hit the correct password for the respective username.
Now from a given list of applied strings, double click on the length section to sort them in the ascending order. Further, select the one which has the lowest length.
Cool !! From the below image, you can see that with the payload “zombie” we’re are getting a 302 success.
Let’s check the response is made, use bee : zombie over the login field. And there we go, we’ll are inside the application.
There are times, when the password that the user configured is not in the Password Payload list, therefore in such cases, we can use the other Burpsuite’s predefined list i.e. “Short Words”
Let’s capture the HTTP Request for the user Raj, and then, in the same way, we’ll share it to the intruder tab.
Over there, we’ll set the Payload position again i.e. 123 by hitting the Add button.
Now, for this time, rather than the Password option, we’ll opt the Short words payload list.
Time to go. Fire up the Add button and analyse the output response.
As soon as we sort the length option as in the ascending order, we’ll get our password as “movie”
2. The Username field fuzzing using Username list
There are times, that we encounter such situations when there is a common password but we don’t know how many users are having the same, and if they are, then what are their usernames.
Therefore, in order to solve this dilemma, burpsuite offers one more great payload list that contains all the common usernames. let’s try to use that too.
Back into burpsuite and capture the login request, and share it with the intruder. Further, set the injection point to “random”.
Here we are guessing all the possible users with their password as “admin”.
Now, after setting the payload position, its time to enroll for the payload type. Opt the Usernames payload list from the Add from list… option.
Hit the “Attack” button, and there we go. Great !! we got “ADMIN” and “admin” as the usernames for the most common password admin !!
Fuzzing for SQL Injection
SQL Injection is one of the most crucial vulnerability one could find for. However, this vulnerability encountered majorly in the user-input fields. To learn more about SQL Injection, click here.
Burp Suite offers a separate Payload list for SQL Injection fuzzing, but the common fuzzing lists the quick and the full also contributes some payloads for SQL Injection, OS Command Injection, Cross-Site Scripting and many more. Therefore for this time, we’ll be using the Fuzzing – full list in order to bypass the login portal.
Over with the similar way, let’s capture the ongoing HTTP Request of the test.vulnweb login portal, and share it with the Intruder.
Time to set the positions and the attack type. Here, I’ve added both the positions i.e. uname and pass for fuzzing. Along with it, I’ve opted Cluster Bomb this time as we’re having two payload positions.
With all this, let’s select the Fuzzing – full list for payload position 1 in order to find the SQL vulnerability within the application.
For position 2 select the same.
Cool !! From the below screenshot, you can see that we got some successful responses as when we alter the length section in the descending order.
Let’s now check the first captured response in the login fields as username = ‘– and password = ‘
Wonderful !! From the below screenshot, you can see that we’ve successfully bypassed the Login credentials.
Fuzzing to find Hidden Files
There are many web pages that are hidden for the common users but they exist over on a web-application. However, it is quite difficult to determine that, which webpage is giving a 200 Success, 302 Redirection or a 404 Not Found.
Thus, in order to make our work easy, burpsuite drop out with some amazing payload lists which contains almost a number of commonly used webpages that are somewhere hidden inside the webpage.
Back with the bWAPP web-application dashboard, let’s capture an HTTP Request, and therewith it, we’ll again share it with the intruder.
Configuring the payload position to “portal” and the attack type to “Sniper”.
Now, let’s opt the Payload list, and for this time we’ll choose it to “Filename – short”. Further, we’ll hit the “Attack” button to proceed.
From the below image, we can see that there are a number of files that are unknown to us, let’s check this secret one.
As soon as we manipulate portal.php with secret.php, we’ll thus land up to an unexpected page that says “Your secret: Any Bug?”
These were the most common filenames that are largely available at web-applications, but what about the unique ones? The Filenames – long gives us the possibility to hunt them too.
Now, rather than the Filenames – short, let’s opt the Filenames – long in the Payload Options.
As soon as we hit the Attack button, the fuzzing get’s started up and thus within a few minutes we’re presented with the redirecting web pages.
Let’s manipulate portal.php with captcha.php and let’s check what it offers to us.
Fuzz to find Restricted File Upload Extensions
File upload vulnerability is one of the major problems within web-based applications. Here the attacker uploads a file with some malicious codes within it, which thus could be executed on the server directly. You can learn more about file upload vulnerability from here.
There are times when the web-developers blocks up some certain file extensions in order to make their web-applications secure. However, ensuring which extension is blocked by the developer is quite impossible to find out.
But, we can do this task in one of the most simplest way i.e. by fuzzing. Burp’s Intruder is having a payload list in-built for this thing too, let’s use it this time.
Initially, over at the file upload option, select a specific file.
Capture the request in a similar way that we did earlier, and share it to the intruder.
Now, let’s setup Paylaod positions, here we’ll do it with the file extension we’re having.
At last, we’re now at our favorite section, i.e. opting the built-in payload list. Choose the Extensions – short and hit the “Attack” button in order to initiate the fuzzing.
Let’s make the output somewhat simpler to analyze, we’ll use the grep option in order to determine which extensions are blocked and which are not.
Therefore, at the Options tab, scroll down to the Grep – Match field, there remove all the predefined keywords and add “blocked” over there.
This “blocked” keyword has been added intentionally, as this is the error generated at when a wrong file extension is uploaded. So rather than blocked keyword, you have to use the one that displays as a part of an error message when you upload a restricted file.
As soon as we fire up the “Attack” button, we’ll be redirected to the next page where the outputs are displayed. Double click on the “blocked” section in order to sort the Request.
Cool !! From the below image, you can see that we got all the blocked extensions mentioned. Now with this, we can simply upload any file with an extension rather than the marked ones.
Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security. Contact here