Over in the previous article, we learned about what fuzzing is and how the burpsuite helps us to fuzz a web-application, along with all these things we had even explored some great fuzzing payload lists that are offered by the burpsuite’s Intruder tab.
So, today, in this article we’ll investigate some other amazing pre-defined burpsuite’s payload lists that could thereby hit a crucial vulnerability.
Table Of
Content
·
Fuzz
with Burp’s built-in Payload lists
o Fuzzing
for Cross-Site Scripting
o Fuzzing
for OS Command Injection
o Fuzzing
for Hidden Directories
o Fuzzing
for HTTP Verb Tampering
o Fuzzing for SQL Injection
·
Fuzzing with Customized Lists.
o Manipulate
Burp Suite’s pre-defined payloads
o Injecting our customized payload lists.
Fuzz with
Burp’s built-in Payload lists
As we’re aware that burp suite comes with some pre-defined payload lists that can thereby help us in order to fuzz an application. However, we have already used a number of them in our previous article, so let’s make our hands wet again, by exploiting some more vulnerabilities with the remaining payload lists.
Fuzzing for Cross-Site
Scripting
Cross-Site Scripting often abbreviated as “XSS” is a client-side code injection attack where malicious scripts are injected into trusted websites where the input-parameters are not properly sanitized or validated. You can learn more about Cross-Site Scripting from here.
However, such attacks are quite difficult when we try to exploit them with the bare hands, as they were secured up with some validations. Therefore, in order to exploit such validated applications, we need some fuzzing tools and thus for the fuzzing thing, we can count on BurpSuite’s Intruder tab.
Turn ON your Proxy
service and capture the ongoing HTTP
request with Burp Suite’s Intercept option, therewith it, share it all
to the Intruder.
Let’s now configure the input parameters, hit the “Add”
button to set the payload position with “ignite” and set the Attack
type to “Sniper”.
Time to customize the most
important thing i.e. the payload list, click on Add from list.. button
and scroll until you get the “Fuzzing – XSS” option. Further,
hit the “Attack” button to initiate the fuzzer.
And there we go, within a few
minutes we’ll get the output list with all the success hits and drops. Double
click on the length section to sort them out in the descending
order.
Cool !! Now, share any of them
to the browser in order to check the response it made. And there it is, the browser hits our payload
and showed up the response embedded within it as “XSS”
Fuzzing for OS
Command Injection
OS Command Injection or Shell Injection is that vulnerability where the attacker tries to perform system-level commands directly through a vulnerable application, there in order to retrieve information of the webserver or try to make unauthorized access into the server. You can surf the complete vulnerability from here.
However, there is no such pre-defined list for this OS Command Injection but still, we can exploit it with the all-in-one fuzzing list i.e. with “Fuzzing – quick”
As we did earlier, capture the request again and share it
with the Intruder.
Further, lets set the injection point to “www.nsa.gov”
by hitting the Add button and set the attack type to Sniper.
Let’s now opt the smallest and deadliest list to fuzz
this injection point. And therewith that hit the “Attack” button to
initiate the attack.
Within a few seconds, we’ll get our output. Alter the
length section as in Descending order in order to analyse the responses.
There we go, the “;id” payload is working
perfectly here.
Let’s check the same in the browser too. Cool !! From the
below screenshot you can see that our payload has been triggered out by the
web-server.
Fuzzing for Hidden
Directories
Similar to the web pages, there are some directories
too that are hidden from the normal users, but yes they exist over the
application.
However, it's about to impossible to find these directories
with the naked eyes. Therefore, to make our work easy and to make this task
possible, burpsuite offers an amazing payload list that will drop out all the hidden
directories within a few seconds.
Over at the application, place a random keyword so
that it would be easy to set out an injection point. As in our case,
we’ve injected “abc” after the web application's URL. Further, capture
the Request and share the same to the intruder.
Now, here comes the role of our keyword, select it
and hit the Add button.
Time to move further at our favorite step, select the Dictionary – short payload list from the Add from list… option.
As soon as we hit the Attack button, our fuzzing
will get starts up and within a few minutes, we’ll be presented with a list of hidden
files.
Seems like the Admin_files is having some juicy
content, let’s check it out in the browser.
Fuzzing for HTTP
Verb Tampering
HTTP Verbs are majorly used by web-developers while
developing an application, during this phase they use the most common verb
methods i.e. GET & POST. But rather than these two, there are a
number of HTTP methods exists up, that if injected at a wrong place could
thus lead to some drastic results.
However, in such attacks, the attacker manipulates
up the HTTP method that was set up by the developer with an unwanted
method, and if the output with the other HTTP method drops out with “200”
Success, then the application might face some defacements.
Thereby in order to make this attack much simpler,
burpsuite drops out an in-built payload list with all the HTTP
Methods integrated within it. So let’s check it out about what it offers.
In a similar way, we did earlier, capture the ongoing
HTTP Request and thus share it with the Intruder.
Now, this time we won't set the payload position at the
input values, but rather we’ll set them up to the HTTP Request i.e. the “POST”
method.
In the most simpler way, choose the payload list as “HTTP
verbs”, and hit the Attack button.
Time to analyse, here we’ll see the “Status” section.
Cool !! We are testing the most vulnerable website, as the 200 success
is with almost every HTTP method we set out.
Now, let’s check the response from the HEAD method, as
we’re aware that a request with this method only shows up the Header part and
hides up all the HTML code within it.
Fuzzing for SQL
Injection
Over in our previous article, we had exploited an SQL
suffering acuart’s login portal, there we used the Fuzzing – full list
to accomplish the task, but Burp Suite is having a separate payload list
specially designed to encounter an SQL vulnerability. So let’s try to use it
here in this section.
Back with the similar way, intercept the request
and share it with the Intruder.
Now, with this, let’s configure the injection points.
Select “1” and “1” and then hit the Add button to set them as payload
1 and payload 2 respectively. But with all these things, don’t
forget to change the Attack type to “Cluster Bomb” as there are 2
payloads.
I hope you know what we need to do next. Select the Fuzzing
– SQL Injection for payload 1 from the options provided.
And then opt the same for Payload 2.
Before hitting the “Attack” button, let’s make this fuzz more appealing by
setting up the Grep Match value.
Note –
Here, we’ve used the phrase “Invalid
credentials!” intentionally, as this is the error generated at when some
wrong credentials are entered. So rather than “Invalid credentials!”,
you have to set the one that displays as a part of an error message when you fails
to get logs in.
Now, hit the “Attack” button
in order to initiate the attack. And with that, we’ll get a list of all the
payloads that can give a successful login.
Opt one and check its response
in the browser.
Great !! And there we go, ”I
wish I could have seriously taken that BLACK Pill !!”
Fuzzing
with Customized Lists.
Manipulating
Burp Suite’s pre-defined payloads
You might be wondering
about, what, if I want to fuzz with my own payloads but along with that I also
want the pre-defined lists.
However, the Burp suite
developers might also have experienced the same thing too, thereby they
designed a button called ADD with an input field where we can
type and inject our payload along with the predefined lists.
So, let’s make it more clear by
capturing an HTTP Request and sharing it with the Intruder.
Now, we know all the best things that we need to do next…
Hit “Add $” at the selected text in order to set the injection point.
Let’s first select the predefined lists, here we’re using the most favourable list i.e. “Fuzzing – XSS”.
With this, let’s spice up the thing by injecting our
customized payload as
<script>alert(“Ignite Technologies”)</script>
Time to find out our payload from the heap, and there it
is, let’s give a right click and check it response in the browser.
Cool, it’s working !! We got “Ignite Technologies” being popped-out from the screen.
We might have seen a number of payload lists all
around over at the internet, so do we need to type the individual payload and
hit the Add button in order to get that.
No !! As along with the pre-defined lists and the
input field for the payloads, burp suite also provides an opportunity to take
advantage of these things too.
Over at the left side above the Add button, we’re
having one more button labelled as “Load”. This burp suite functionality
helps us in the most amazing way it can, i.e. it allows us to load any
payload list for our fuzzing attack.
Click on the Load button and select the payload
list that you want to fuzz with.
As soon as we do so, the empty box will get filled up
with all the strings that are within the list.
Time to start. Hit the Attack button and analyse the output it offers.
Let’s check the response for the selected one.
Great !! From the below screenshot, we can see that the payload is working in
the best way that it is designed to be.
0 comments:
Post a Comment