Fuzzing SQL, XSS and Command Injection using Burp Suite

From Portswigger

Hello friends!! Today we are going to perform fuzz testing on the bWAPP application using Burp Suite Intruder; performing this testing manually is time-consuming and can be a tedious process for any pentester.

Fuzzing plays a vital role in software testing: it is a technique for finding bugs, errors, faults and loopholes by injecting a set of partially arbitrary inputs, called fuzz, into the program or application under test. Fuzzer tools take structured input (for example a file of test strings) so that valid and invalid inputs can be distinguished. Fuzzers are well suited to identifying vulnerabilities such as SQL injection, buffer overflow, XSS and OS command injection.

Let’s start!!

Fuzzing XSS

Start Burp Suite in order to intercept the request and then send the intercepted data to Intruder.

Many input-based vulnerabilities, such as SQL injection, cross-site scripting, and file path traversal, can be detected by submitting various test strings in request parameters and analyzing the application’s responses for error messages and other anomalies.

Consider the following settings:

Configure the position where the payload will be inserted; the attack type determines the way in which payloads are assigned to payload positions.

Payload position: test (user input for the first name)

Attack type: Sniper (for one payload)

A payload set is placed into the payload positions during the attack. Choose the Payloads option to configure a simple list of payloads for the attack, using one of Burp’s predefined payload lists containing common fuzz strings.

Burp Suite Intruder contains fuzz strings for testing XSS injection, so choose "Fuzzing - XSS" and click Add to load these strings into the simple list, as shown in the screenshot, and finally click Start attack.

Intruder starts the attack by sending requests containing each fuzz string to test for an XSS vulnerability in the target application. From the list of results, select the payload whose response has the greatest length, as shown in the image; here we select request 1, which has a length of 13926.

Insert the selected payload into the intercepted request and then forward the request, as you can see in the given image.

Bravo!! The fuzzing test is complete and it found that the application has a bug which leads to an XSS vulnerability. In the screenshot you can see the XSS alert prompt.

Fuzzing OS command injection

Similarly, repeat the same process to intercept the request and then send the intercepted data to Intruder.

Configure the position where the payload will be inserted; the attack type determines the way in which payloads are assigned to payload positions.

Payload position: www.nsa.gov (user input for target)

Attack type: Sniper (for one payload)

Burp Suite Intruder contains fuzz strings that test for OS command injection, so choose "Fuzzing - full" and click Add to load these strings into the simple list, as shown in the screenshot, and finally click Start attack.

Intruder starts the attack by sending requests containing each fuzz string to test for an OS command injection vulnerability in the target application. From the list of results, select the payload whose response has the greatest length, as shown in the image; here we select request 34, which has a length of 13343.

Insert the selected payload into the intercepted request and then forward the request, as you can see in the given image.

Great Job!! The fuzzing test is complete and it found that the application has a bug which leads to an OS command injection vulnerability. In the screenshot you can see the application showing the ID output requested by the selected payload.

Fuzzing SQL

Similarly, repeat the same process to intercept the request and then send the intercepted data to Intruder.

Configure the position where the payload will be inserted; the attack type determines the way in which payloads are assigned to payload positions. It is much like a brute-force attack.

Payload position: 1:1 (user input for login: password)

Attack type: Cluster bomb (for two payloads)

Burp Suite Intruder contains fuzz strings that test for SQL injection, so choose "Fuzzing - SQL Injection" for the first payload position and click Add to load these strings into the simple list, as shown in the screenshot, and finally click Start attack.

Similarly, repeat the same process to set the payload options for the second payload position.

Intruder starts the attack by sending requests containing each fuzz string to test for a SQL injection vulnerability in the target application. From the list of results, select the payload whose response has the greatest length, as shown in the image; here we select request 168, which has a length of 13648.

Insert the selected payload into the intercepted request and then forward the request, as you can see in the given image.

Wonderful!! The fuzzing test is complete and it found that the application has a bug which leads to a SQL injection vulnerability. In the screenshot you can see that we logged into Neo’s account without valid input; this happened purely as a result of the selected payload.
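As an added example (not code from the original post, from Hacking Articles or from PortSwigger), the following Python models the two Intruder mechanics used in the XSS, command injection and SQL sections above: how the Sniper and Cluster bomb attack types expand payload lists into the set of requests that gets sent, and the response-length triage step of picking the anomalous result. It generalises slightly by handling Sniper with more than one marked position. The results table and payload labels are constructed stand-ins, not captures from bWAPP.

```python
import itertools
import statistics


def build_requests(base, payloads, attack_type):
    """Expand payload lists into the value tuples Intruder would send.

    base:        original value of each marked position, e.g. ("1", "1")
    payloads:    one payload list per position
    "sniper":      one position at a time, using only payloads[0];
                   the other positions keep their base value
    "clusterbomb": every combination of the per-position lists
    """
    if attack_type == "sniper":
        requests = []
        for pos in range(len(base)):
            for payload in payloads[0]:
                values = list(base)
                values[pos] = payload
                requests.append(tuple(values))
        return requests
    if attack_type == "clusterbomb":
        return list(itertools.product(*payloads))
    raise ValueError(f"unknown attack type: {attack_type}")


# Constructed stand-in for Intruder's results table:
# (request number, payload label, HTTP status, response length).
# Request 0 is the unmodified baseline request that Intruder sends first.
SAMPLE_RESULTS = [
    (0, "<baseline>", 200, 13020),
    (1, "FUZZ-XSS-1", 200, 13926),
    (2, "FUZZ-XSS-2", 200, 13015),
    (3, "FUZZ-XSS-3", 200, 13018),
    (34, "FUZZ-FULL-34", 200, 13343),
]


def flag_outliers(results, min_delta=200):
    """Return results whose length deviates from the median by more than
    min_delta, largest deviation first.  This is the triage step used in
    the post (picking the longest response), made a little more robust by
    comparing against the typical length instead of only taking the max."""
    baseline = statistics.median(r[3] for r in results)
    flagged = [r for r in results if abs(r[3] - baseline) > min_delta]
    return sorted(flagged, key=lambda r: abs(r[3] - baseline), reverse=True)


if __name__ == "__main__":
    print(len(build_requests(("test",), [["a", "b", "c"]], "sniper")))
    print(len(build_requests(("1", "1"), [["a", "b"], ["x", "y", "z"]], "clusterbomb")))
    for req_no, label, status, length in flag_outliers(SAMPLE_RESULTS):
        print(req_no, label, status, length)
```

A single long response is only a hint; as the post does, confirm each flagged payload by replaying it through the proxy and checking the actual behaviour.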

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast.
