Welcome back, my aspiring cyberwarriors!
In previous tutorials here on Hackers-Arise, we have used the BurpSuite for a number of purposes to test, evaluate and hack web applications. BurpSuite is among that set of tools that every hacker/pentester/bug bounty hunter should be familiar with!
In this tutorial, we will be using the BurpSuite to fuzz the web application for vulnerabilities. Fuzzing is the process of sending random or pseudo-random data into an application with the intent of crashing the application and thereby identifying vulnerabilities. If we can crash an application with some random input, we can then trace the cause of the crash and possibly use it to exploit the application. So for instance, if we send data input that is too long for the application to handle and it crashes, this may indicate that a buffer overflow is possible.
In this tutorial, we will use the BurpSuite to send specially crafted inputs into a web application in an attempt to discover SQL injection and XXE vulnerabilities. This is an excellent technique for finding bug bounty vulnerabilities!
Step #1: Fire Up Kali and OWASP-BWA
The first step, of course, is fire up your Kali and OWASP-BWA.
Now, open your browser and click on the Mutillidae II application. This should open the application like that below.
Step #2: Open BurpSuite
Next, start your BurpSuite in Kali.
In your browser open, OWASP2013->Injection (SQL)->SQLi-Bypass Authentication ->Login.
This will open a screen similar to that below.
Now, with the Intercept ON (and your browser proxy enabled) in the proxy in the BurpSuite, enter any random username and password. I used "test' and "complexpassword". The proxy will catch or intercept the request as seen below.
Right click and select Send to Intruder
Now, click on the Intruder tab at the top of the page. This opens the Intruder showing 4 tabs, Target, Positions, Payloads and Options. Select Positions. The Intruder will highlight several potential payload positions. Click on the Clear button to the right-hand side. Now highlight the username field and click Add.
Next click on the Payloads. Here will will need to add a payload or list of fuzzing strings. When fuzzing, we have several choices for input strings. We could send millions of random or pseudo-random inputs which might take hours or days or we can send specially crafted inputs looking for specific type of vulnerability. Here we are specifically searching for SQLi vulnerabilities, so let's use a smaller and specific list of SQLi inputs.
We can go the terminal in Kali and search for fuzzing string wordlists by entering;
kali > locate wordlists | grep fuzz
This will locate all the wordlists and filter for the word "fuzz". There are many but let's use one specifically for SQL such as usr/share/wfuzz/wordlists/Injections/SQL.txt. This list contains many strings that can potentially trigger a SQL injection. Of course, you can use any of these wordlists to find vulnerabilities but this one specifically looks for SQL injection flaws.
On the payload screen, click Load and enter the path to the SQL.txt file.
Finally, click Start Attack and BurpSuite will begin try each of the strings in the username or any selected field.
To find any potential vulnerabilities to SQL Injection within this form in this application, look for anomalies in the Status and Size of the Responses. Nearly all of these responses have a length of 50773 but several are larger. The larger responses are a potential indication of a successful SQL injection.
Step #3: Fuzzing for XXE Vulnerabilities
We can do the same type of fuzzing to test for XXE vulnerabilities, but with a list of inputs specific for XML. For more on XXE vulnerabilities in web applications, click here.
To test for XXE vulnerabilities, navigate to the XML validator in Mutillidae.
With the Window open like below and the Intercept ON in the BurpSuite proxy, enter any input into the XML window and click Validate XML.
The proxy with "catch" the request similar to below.
Now, right click in the proxy and select "Send to Intruder". Open the Intruder and clear the Positions similar to what you did above. Now, highlight your input (in my case, I simply typed "222222") and click Add.
Next, click on the Payloads tab and Load the XXE fuzzing file from wfuzz wordlist directory (other XXE fuzzing strings are available at /Seclists/Fuzzing/XXE-Fuzzing.txt) .
Note that the list contains strings that are XML related.
Finally, click the "Start Attack" button.
Your Burpsuite will attempt to send these XML strings to the validator. Like the SQL injection fuzzing above, look for variations in error status and length to find anomalies that will indicate a potential vulnerability.
Summary
Fuzzing can be powerful technique for finding hidden vulnerabilities in web applications. The BurpSuite enables us to fuzz nearly any form in a web application and send specially crafted or pseudo-random inputs to the form. By then examining the results for anomalies in size and status we can locate potential vulnerabilities. The BurpSuite can be used to fuzz each and every input in a form to find vulnerabilities.