Introduction
Web fuzzing is a technique used to identify vulnerabilities in web applications by sending unexpected, malformed, or random data to the application and observing how it responds. It helps detect flaws that attackers might exploit before they are found in production.
Fuzzing vs. Brute-forcing
| Aspect | Fuzzing | Brute-forcing |
| --- | --- | --- |
| Scope | Broad, testing a variety of unexpected inputs | Narrow, focused on finding a specific correct input (e.g., password) |
| Technique | Sends malformed data, invalid characters, and random combinations | Tries many possibilities systematically using predefined dictionaries |
| Goal | Discover unexpected behaviors and vulnerabilities | Guess the correct value through repeated attempts |
| Analogy | Throwing random objects at a lock | Trying every key on a keyring until one works |
Why Fuzz Web Applications?
- Uncovering Hidden Vulnerabilities: Finds flaws missed by traditional testing.
- Automating Security Testing: Saves time by automating input generation and testing.
- Simulating Real-World Attacks: Mimics hacker techniques to identify weaknesses.
- Strengthening Input Validation: Highlights weak validation mechanisms.
- Improving Code Quality: Reveals bugs and prompts developers to write secure code.
- Continuous Security: Can be integrated into CI/CD for ongoing testing.
Essential Concepts
| Concept | Description | Example |
| --- | --- | --- |
| Wordlist | List of words or values used as input for fuzzing | admin, login, password, backup, config |
| Payload | Data sent during fuzzing | ' OR 1=1 -- (SQL injection example) |
| Response Analysis | Reviewing web app responses to identify anomalies | 200 OK (normal), 500 error with DB message (possible SQLi) |
| Fuzzer | Tool to automate payload generation and response analysis | ffuf, wfuzz, Burp Suite Intruder |
| False Positive | Incorrectly identified vulnerability | 404 error for a non-existent directory |
| False Negative | Real vulnerability not detected | Logic flaw in payment processing |
| Fuzzing Scope | Targeted area in the application being fuzzed | Login page, specific API endpoint |
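The Response Analysis and False Positive rows above are where most of the real work of fuzzing happens: a fuzzer produces hundreds of responses, and the analyst has to separate the expected "nothing here" answers from the handful worth a second look. The following script is an added example, not code from the original page or from any of the tools it names. It works entirely offline on a constructed list of (path, status, body) results of the kind ffuf or wfuzz would collect, derives a baseline from the most common response shape, and labels each deviation. The paths, bodies and database error signatures are assumed sample values chosen for illustration.

```python
"""Response analysis over a constructed set of web-fuzzing results.

Added example (not from the original page). The baseline idea: the most
common (status, body length) pair is the server's "not found" answer, so a
hit that matches it is expected noise rather than a finding.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed signatures of database errors leaking into a response body.
DB_ERROR_PATTERNS = [
    re.compile(r"you have an error in your sql syntax", re.I),   # MySQL
    re.compile(r"unclosed quotation mark", re.I),                # MSSQL
    re.compile(r"ORA-\d{5}"),                                    # Oracle
]


@dataclass(frozen=True)
class Response:
    """One fuzzing result: the path requested and what came back."""
    path: str
    status: int
    body: str


def baseline(responses):
    """Return the most common (status, length) pair as the 'nothing here' shape."""
    counts = Counter((r.status, len(r.body)) for r in responses)
    return counts.most_common(1)[0][0]


def classify(resp, base):
    """Label a single response relative to the baseline."""
    if any(p.search(resp.body) for p in DB_ERROR_PATTERNS):
        return "possible SQL error leak"      # the 500-with-DB-message case
    if (resp.status, len(resp.body)) == base:
        return "baseline"                     # e.g. a plain 404: not a finding
    if resp.status == 200:
        return "resource found"
    if resp.status in (301, 302):
        return "redirect"
    if resp.status in (401, 403):
        return "exists but restricted"
    if resp.status >= 500:
        return "server error"
    return "other"                            # same code, different body: inspect


def analyse(responses):
    """Map each non-baseline path to its label; baseline noise is dropped."""
    base = baseline(responses)
    return {r.path: classify(r, base)
            for r in responses
            if classify(r, base) != "baseline"}


# Constructed sample results; the 404 body is identical for every miss,
# which is what makes it the baseline.
NOT_FOUND = "<html><body>Not Found</body></html>"
SAMPLE = [
    Response("/zzz1", 404, NOT_FOUND),
    Response("/zzz2", 404, NOT_FOUND),
    Response("/zzz3", 404, NOT_FOUND),
    Response("/admin", 200, "<html><body>Admin panel</body></html>"),
    Response("/backup", 403, "<html><body>Forbidden</body></html>"),
    Response("/search?q=%27", 500,
             "Warning: You have an error in your SQL syntax near ''"),
    Response("/old", 404, "<html><body>Gone. Try the new site.</body></html>"),
]

if __name__ == "__main__":
    for path, label in analyse(SAMPLE).items():
        print(f"{path:16} {label}")
```

Running it prints only four lines: the three 404 misses are collapsed into the baseline and never shown, /admin and /backup surface as real hits, the 500 with a leaked database message is flagged for SQL injection follow-up, and /old is reported as "other" because it is a 404 with a body that differs from the baseline, which is exactly the kind of response a length filter would catch and a status-only filter would miss.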