Fuzzing SQL,XSS and Command Injection using Burp Suite

Hello friends!! Today we are going to perform fuzzing testing on bwapp application using burp suite intruder, performing this testing manually is a time consuming and may be boring process for any pentester.

The fuzzing play a vital role in software testing, it is a tool which is use for finding bugs, errors, faults and loophole by injecting a set of partially –arbitrary inputs called fuzz into a program of the application to be tested. Fuzzer tools take structure input in file format to differentiate between valid and invalid inputs. Fuzzer tool are best in identifying vulnerability like sql injection, buffer overflow, xss injection and OS command injection and etc.

Let’s start!!

Fuzzing XSS


Start burp suite in order to intercept the request and then send intercepted data into Intruder.


Many input-based vulnerabilities, such SQL injection, cross-site scripting, and file path traversal can be detected by submitting various test strings in request parameters, and analyzing the application's responses for error messages and other anomalies.

Considered following as given below:

Configure the position where payload will be inserted, the attack type determine the way in which payloads are assigned to payload positions.

Payload position: test (user input for first name)
Attack type: Sniper (for one payload)


Set payload which will be placed into payload positions during the attack. Choose payload option to configure your simple list of payload for attack. Configure the payload list using one of Burp's predefined payload lists containing common fuzz strings.

Burp suite intruder contain fuzzing string for testing xss injection, therefore choose fuzzing –xss and click on ADD tab to load this string into simple list as shown in screenshot and at final click on start attack.

It will start attack by sending request which contains random string to test xss vulnerability in the target application. Now from given list of applied string select the payload which has highest length as output as shown in given image, we have select request 1 having length equal to 13926.


Insert selected payload into intercepted request and then forward this request as you can see in given image.


Bravo!!  Fuzzing test is completed and it found that application have bug which lead to xss vulnerability. From screenshot you can see it is showing an xss alert prompt.


Fuzzing OS command injection
Similarly repeat the same process in order to intercept the request and then send intercepted data into Intruder.


Configure the position where payload will be inserted, the attack type determine the way in which payloads are assigned to payload positions.

Payload position: www.nsa.gov (user input for target)
Attack type: Sniper (for one payload


Burp suite intruder contain fuzzing string which will test for os command injection, therefore choose fuzzing full and click on ADD tab to load this string into simple list as shown in screenshot and at final click on start attack.


It will start attack by sending request which contains arbitrary string to test OS command injection vulnerability in the target application. Now from given list of applied string select the payload which has highest length as output as shown in given image, we have select request 34 having length equal to 13343.
Insert selected payload into intercepted request and then forward this request as you can see in given image.


Great Job!!  Fuzzing test is completed and it found that application have bug which lead to OS command vulnerability. From screenshot you can see application is showing ID as per the request of the selected payload.


Fuzzing SQL
Similarly repeat the same process in order to intercept the request and then send intercepted data into Intruder.


Configure the position where payload will be inserted, the attack type determine the way in which payloads are assigned to payload positions. It is much similar like brute force attack.
Payload position: 1:1 (user input for login: password)
Attack type: Cluster bomb (for two payloads)


Burp suite intruder contain fuzzing string which will test for SQL injection, therefore choose fuzzing –SQL Injection for first payload postion and click on ADD tab to load this string into simple list as shown in screenshot and at final click on start attack.


Similarly repeat the same process to set payload option for second payload position.


It will start attack by sending request which contains arbitrary string to test SQL injection vulnerability in the target application. Now from given list of applied string select the payload which has highest length as output as shown in given image, we have select request 168 having length equal to 13648.


Insert selected payload into intercepted request and then forward this request as you can see in given image.


Wonderful!!  Fuzzing test is completed and it found that application have bug which lead to SQL injection vulnerability. From screenshot you can see we had login into Neo’s account without valid input this happens only as per the request of the selected payload.

0 comments:

Post a Comment