
Fuzzing web application using burp suite intruder

Introduction

1. Fuzzing

Fuzz testing, or fuzzing, is a black-box software testing technique that consists of finding implementation bugs by injecting malformed or semi-malformed data into the inputs of a web page.

2. Burp suite intruder

Burp Intruder is an HTTP fuzzer: a powerful tool for performing automated, customized attacks against web applications. It is extremely flexible and configurable, and can be used to automate all kinds of tasks that arise when testing applications. It is helpful when fuzzing for vulnerabilities in web applications.

How to use Burp Suite Intruder?

1. Request Interception

First, ensure that Burp is installed and running, and that you have configured your browser to work with Burp.

Then request the web page you want to fuzz.

This example uses http://testphp.vulnweb.com/login.php

Burp Suite's proxy intercepts your request. You can then send this request to the Intruder tab with ‘Ctrl+I’, or by choosing the Action button and clicking ‘Send to Intruder’.

2. Setting payload positions

By default, Burp Intruder attempts to discover all parameters suitable for fuzzing within the request and marks them with the ‘§’ symbol. If you do not want to test every parameter, you can clear all positions (using the ‘Clear §’ button) and set only the positions you want (using the ‘Add §’ button).

3. Attack Type

Burp Intruder supports various attack types – these determine the way in which payloads are assigned to payload positions. The attack type is selected using the drop-down above the request template editor. The following attack types are available:

• Sniper : sends a single set of payloads to each of the selected parameters in turn; i.e. each parameter is tested sequentially with the same set of values.

• Battering ram : sends a single payload to all of the selected parameters at once; i.e. every parameter receives the first value, then every parameter receives the second value, and so on until the payload set is exhausted.

• Pitchfork : sends a specific payload set to each of the selected parameters; i.e. every parameter has its own payload set, and the values of each set are passed to their designated parameter in sequence.

• Cluster bomb : starts with a specific payload set for each parameter and, when all values of one set have been tested, moves on to the next value of the other set, so that every parameter is tested with every combination of values.
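To make the four assignment rules concrete, here is an added Python sketch (not part of the original post, and not Burp's own code) that generates the parameter sets each attack type would send for the two marked positions of the login form above; the parameter names, base values and wordlists are constructed stand-ins.

```python
"""Payload assignment for the four Burp Intruder attack types (illustration)."""
from itertools import product

# Constructed example: the login form has two marked positions (§uname§, §pass§).
# 'BASE' holds the values a position keeps when it is not being fuzzed.
BASE = {"uname": "user", "pass": "pass"}
POSITIONS = ["uname", "pass"]
# Constructed stand-ins for wordlists (e.g. files from an IntruderPayloads repo).
USERS = ["admin", "test"]
PASSWORDS = ["admin123", "letmein"]


def sniper(base, positions, payloads):
    """One payload set; each position is fuzzed in turn, the others stay at base."""
    for pos in positions:
        for payload in payloads:
            yield {**base, pos: payload}


def battering_ram(base, positions, payloads):
    """One payload set; the same payload is placed in every position at once."""
    for payload in payloads:
        yield {**base, **{pos: payload for pos in positions}}


def pitchfork(base, positions, payload_sets):
    """One set per position, stepped in parallel; stops at the shortest set."""
    for combo in zip(*payload_sets):
        yield {**base, **dict(zip(positions, combo))}


def cluster_bomb(base, positions, payload_sets):
    """One set per position; every combination (cartesian product) is sent."""
    for combo in product(*payload_sets):
        yield {**base, **dict(zip(positions, combo))}


def build_requests(attack_type, base=BASE, positions=POSITIONS,
                   payload_sets=(USERS, PASSWORDS)):
    """Return the list of parameter dicts Intruder would send for attack_type."""
    if attack_type == "sniper":
        return list(sniper(base, positions, payload_sets[0]))
    if attack_type == "battering ram":
        return list(battering_ram(base, positions, payload_sets[0]))
    if attack_type == "pitchfork":
        return list(pitchfork(base, positions, payload_sets))
    if attack_type == "cluster bomb":
        return list(cluster_bomb(base, positions, payload_sets))
    raise ValueError(f"unknown attack type: {attack_type}")


if __name__ == "__main__":
    for kind in ("sniper", "battering ram", "pitchfork", "cluster bomb"):
        reqs = build_requests(kind)
        print(f"{kind}: {len(reqs)} requests -> {reqs}")
```

Running it shows why request counts differ: sniper and cluster bomb each produce four requests here, while battering ram and pitchfork produce two.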

4. Set of payloads

Burp Suite provides many fuzzing payloads. You can select ‘Add from list’ and choose your payloads, or load your own payload file; fuzz lists can be downloaded from https://github.com/1N3/IntruderPayloads

5. Running attack and Output analysis

Click the ‘Start attack’ button to start fuzzing the web application, then analyse the server responses (compare response status codes, content lengths, HTML pages …).

In this example, if the login succeeds the server sends status 200 in the response, and 302 if the login fails.

You can send a request from the Intruder results to the browser to check the response for that payload: right-click the request and choose “Show response in browser”.

Your request in browser:
