Fuzzing series - Parameter(GET/POST)/Value Fuzzing with Ffuf - 04

---

Introduction to Parameter Fuzzing

Parameter fuzzing is a technique used in web security to uncover hidden or undocumented parameters within web applications. These parameters, which can be part of either GET or POST requests, often reveal insights into the application's backend logic and potential vulnerabilities.

---

Understanding GET and POST Requests

• GET Requests: Data is sent in the URL, appended after a '?' symbol. For example, http://example.com/page?param=value.

• POST Requests: Data is sent in the body of the request, not visible in the URL. This method is used for sending large amounts of data.

---

Step-by-Step Guide to Fuzzing GET Requests

1. Tool Setup: Ensure you have ffuf, a fast web fuzzer, installed on your system.

2. Selecting a Wordlist: Choose an appropriate wordlist for fuzzing. For parameter names, /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt is recommended.

3. Fuzzing Command:

   
    ffuf -w /path/to/wordlist:FUZZ -u <http://target.com/page?FUZZ=value> -fs filter_size
   

   Replace /path/to/wordlist with your selected wordlist path, http://target.com/page with your target URL, and filter_size with the size of responses to filter out (commonly returned sizes for non-existent parameters).

   Below is the command and what I found in the HTB Academy Lab machine with the parameter fuzzing technique.

    ──╼ [★]$ ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u <http://admin.academy.htb:34796/admin/admin.php?FUZZ=key>
   

   

4. Analyzing Results: Look for anomalies in the sizes and statuses of the responses, which indicate a potentially valid parameter.

---

Fuzzing With POST Requests

POST parameter fuzzing involves sending numerous HTTP POST requests with varied input values to a target application to discover how it processes different inputs. This method is instrumental in identifying:

• Unseen parameters that could affect the application's behavior.

• Potential security flaws like SQL injection points, cross-site scripting (XSS) vulnerabilities, or other input validation issues.

Prerequisites

• Access to ffuf, a fast web fuzzer tool.

• A wordlist containing potential parameter names.

• The target URL of a web application accepting POST requests.

Setup and Execution

1. Prepare the Wordlist: Ensure you have a wordlist with common parameter names. For this exercise, we use /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt.

2. Configure ffuf for POST Fuzzing:

   • To fuzz POST parameters, ffuf must be instructed to send POST requests and include potential parameter names (and values) in the request body.

3. Command Breakdown:

    bashCopy code
    ffuf -w /path/to/wordlist:FUZZ -u TARGET_URL -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs [size_to_filter]
   

   • w: Specifies the wordlist path.

   • u: Target URL.

   • X POST: Sets the request method to POST.

   • d 'FUZZ=key': Data string to be sent in the request body, where FUZZ will be replaced by each entry in the wordlist.

   • H 'Content-Type: application/x-www-form-urlencoded': Sets the request header to inform the server of the data format, more about the content type, go to this link.

   • fs: Filters out responses of a specific size to reduce false positives.

Practical Example

Let's assume we're targeting http://admin.academy.htb:PORT/admin/admin.php and suspect there's an undocumented parameter that can reveal sensitive information.

• Execute the Fuzzing Command:

  
    ╼ [★]$ ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u <http://admin.academy.htb:34796/admin/admin.php> -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs 100
  

• Analyze the Output: Positive hits might indicate a valid parameter name. In our example, suppose id returned a different response size or status code, suggesting it's a recognized parameter.

Verifying the Parameter

After identifying a potential parameter (id in this case), the next step is to verify its function and explore its impact on the application's behavior.

• Send a Test Request:

  
    curl -X POST <http://admin.academy.htb>:PORT/admin/admin.php -d 'id=test_value' -H 'Content-Type: application/x-www-form-urlencoded'
  

• Interpret the Response: An error message or a change in application behavior can confirm the parameter's significance and guide further testing.

---

Value Fuzzing

Value fuzzing is a technique used in web penetration testing to identify valid parameter values that a web application accepts. This process is crucial after identifying a potential parameter through fuzzing, as it helps uncover the specific values that could lead to sensitive information disclosure or other vulnerabilities. This guide will walk you through the process of value fuzzing, focusing on POST request parameters, using a practical example.

---

Understanding Value Fuzzing

Value fuzzing involves systematically sending a range of values for a specific parameter to see how the application responds. It is used to find valid values that could trigger unexpected behaviors or reveal hidden functionalities within the application.

---

Step-by-Step Guide to Value Fuzzing

Step 1: Prepare Your Environment

Before you start, ensure you have the following:

• Access to a fuzzing tool like ffuf.

• A target application you are authorized to test.

• Knowledge of a parameter you wish to fuzz for valid values.

Step 2: Developing a Custom Wordlist

1. Identify the Parameter Type: Understand the parameter you are fuzzing. For numeric IDs, a list of numbers might suffice, whereas other parameters might require a more complex or creative approach.

2. Create the Wordlist:

   • For numeric parameters (e.g., IDs), use a sequence of numbers. Example command to generate a list of numbers from 1 to 1000:

       bashCopy code
       for i in $(seq 1 1000); do echo $i >> ids.txt; done
     

   • Ensure the wordlist is saved in an accessible location, e.g., ids.txt.

Step 3: Execute the Fuzzing Command

1. Set Up ffuf for Value Fuzzing:

   • Use the w option to specify your wordlist.

   • The u option followed by your target URL, including the parameter name you're testing.

   • The X POST option to specify the POST method.

   • The d option with 'id=FUZZ' to indicate where to insert values from your wordlist.

   • The H option to set the Content-Type to application/x-www-form-urlencoded.

   • Optionally, use the fs option to filter out responses of a certain size that are not of interest.

2. Command Example:

    bashCopy code
    ffuf -w ids.txt:FUZZ -u <http://admin.academy.htb>:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs [size_to_filter]
   

   Replace [size_to_filter] with an appropriate value based on your observations.

Step 4: Analyze the Results

• Carefully review the responses from ffuf. A different response size or status code might indicate a valid value.

• Note any potential hits for further investigation.

Step 5: Verify and Explore

• After identifying a potential valid value, manually verify it using tools like curl or your web browser to understand its impact.

  
    curl -X POST <http://admin.academy.htb>:PORT/admin/admin.php -d 'id=[valid_value]' -H 'Content-Type: application/x-www-form-urlencoded'
  

---

Common Pitfalls and Troubleshooting

• Rate Limiting: Some applications implement rate limiting, which could block your IP if too many requests are made too quickly. Adjust your request rate accordingly.

• Incorrect Content-Type: Ensure the Content-Type header matches the expected format of the application.

• Parameter Handling: Some applications may process parameters differently. If fuzzing doesn’t yield expected results, consider alternative values or formats.