Parameter and Value Fuzzing
What are parameters?
Parameters are the messengers of the web, carrying vital information between your browser and the server that hosts the web application. They're like variables in programming, holding specific values that influence how the application behaves.
GET Parameters: Openly Sharing Information
You'll often spot GET parameters right in the URL, following a question mark (?). Multiple parameters are strung together using ampersands (&). For example:
https://example.com/search?query=fuzzing&category=security
In this URL:
queryis a parameter with the value "fuzzing"categoryis another parameter with the value "security"
GET parameters are like postcards – their information is visible to anyone who glances at the URL. They're primarily used for actions that don't change the server's state, like searching or filtering.
POST Parameters: Behind-the-Scences Communication
While GET parameters are like open postcards, POST parameters are more like sealed envelopes, carrying their information discreetly within the body of the HTTP request. They are not visible directly in the URL, making them the preferred method for transmitting sensitive data like login credentials, personal information, or financial details.
When you submit a form or interact with a web page that uses POST requests, the following happens:
- Data Collection: The information entered into the form fields is gathered and prepared for transmission.
- Encoding: This data is encoded into a specific format, typically
application/x-www-form-urlencodedormultipart/form-data:application/x-www-form-urlencoded: This format encodes the data as key-value pairs separated by ampersands (&), similar to GET parameters but placed within the request body instead of the URL.multipart/form-data: This format is used when submitting files along with other data. It divides the request body into multiple parts, each containing a specific piece of data or a file.
- HTTP Request: The encoded data is placed within the body of an HTTP POST request and sent to the web server.
- Server-Side Processing: The server receives the POST request, decodes the data, and processes it according to the application's logic.
Here's a simplified example of how a POST request might look when submitting a login form:
POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
username=your_username&password=your_password
POST: Indicates the HTTP method (POST)./login: Specifies the URL path where the form data is sent.Content-Type: Specifies how the data in the request body is encoded (application/x-www-form-urlencodedin this case).Request Body: Contains the encoded form data as key-value pairs (usernameandpassword).
Why Parameters Matter for Fuzzing
Parameters are the gateways through which you can interact with a web application. By manipulating their values, you can test how the application responds to different inputs, potentially uncovering vulnerabilities. For instance:
- Altering a product ID in a shopping cart URL could reveal pricing errors or unauthorized access to other users' orders.
- Modifying a hidden parameter in a request might unlock hidden features or administrative functions.
- Injecting malicious code into a search query could expose vulnerabilities like Cross-Site Scripting (XSS) or SQL Injection (SQLi).
wenum (demo)
GET
Let's first ready our tools by installing wenum to our attack host:
m4cc18@htb[/htb]$ pipx install git+https://github.com/WebFuzzForge/wenum
$ pipx runpip wenum install setuptools
Then to begin, we will use curl to manually interact with the endpoint and gain a better understanding of its behavior:
m4cc18@htb[/htb]$ curl http://IP:PORT/get.php
Invalid parameter value
x:
- Note we are trying to connect to
/get.php
The response tells us that the parameter x is missing. Let's try adding a value:
m4cc18@htb[/htb]$ curl http://IP:PORT/get.php?x=1
Invalid parameter value
x: 1
- The server acknowledges the
xparameter this time but indicates that the provided value (1) is invalid. - This suggests that the application is indeed checking the value of this parameter and producing different responses based on its validity.
- We aim to find the specific value to trigger a different and hopefully more revealing response.
Manually guessing parameter values would be tedious and time-consuming. This is where wenum comes in handy. It allows us to automate the process of testing many potential values, significantly increasing our chances of finding the correct one.
Let's use wenum to fuzz the "x" parameter's value, starting with the common.txt wordlist from SecLists:
m4cc18@htb[/htb]$ wenum -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 404 -u "http://IP:PORT/get.php?x=FUZZ"
...
Code Lines Words Size Method URL
...
200 1 L 1 W 25 B GET http://IP:PORT/get.php?x=OA_HTML
Total time: 0:00:02
Processed Requests: 4731
Filtered Requests: 4730
Requests/s: 1681
-w: Path to your wordlist.--hc 404: Hides responses with the 404 status code (Not Found), sincewenumby default will log every request it makes.http://IP:PORT/get.php?x=FUZZ: This is the target URL.wenumwill replace the parameter valueFUZZwith words from the wordlist.
Analyzing the results, you'll notice that most requests return the "Invalid parameter value" message and the incorrect value you tried. However, one line stands out:
200 1 L 1 W 25 B GET http://IP:PORT/get.php?x=OA_HTML
- This indicates that when the parameter
xwas set to the value "OA_HTML," the server responded with a200 OKstatus code, suggesting a valid input.
If you try accessing http://IP:PORT/get.php?x=OA_HTML, you'll see the flag.
m4cc18@htb[/htb]$ curl http://IP:PORT/get.php?x=OA_HTML
HTB{...}
POST
Fuzzing POST parameters requires a slightly different approach than fuzzing GET parameters. Instead of appending values directly to the URL, we'll use ffuf to send the payloads within the request body. This enables us to test how the application handles data submitted through forms or other POST mechanisms.
Our target application also features a POST parameter named "y" within the post.php script. Let's probe it with curl to see its default behavior:
m4cc18@htb[/htb]$ curl -d "" http://IP:PORT/post.php
Invalid parameter value
y:
- The
-dflag instructscurlto make a POST request with an empty body. The response tells us that the parameteryis expected but not provided. - As with GET parameters, manually testing POST parameter values would be inefficient. We'll use
ffufto automate this process:
m4cc18@htb[/htb]$ ffuf -u http://IP:PORT/post.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "y=FUZZ" -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200 -v
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : POST
:: URL : http://IP:PORT/post.php
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Header : Content-Type: application/x-www-form-urlencoded
:: Data : y=FUZZ
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200
________________________________________________
[Status: 200, Size: 26, Words: 1, Lines: 2, Duration: 7ms]
| URL | http://IP:PORT/post.php
* FUZZ: SUNWmc
:: Progress: [4730/4730] :: Job [1/1] :: 5555 req/sec :: Duration: [0:00:01] :: Errors: 0 ::
- The main difference here is the use of the
-dflag, which tellsffufthat the payload ("y=FUZZ") should be sent in the request body asPOSTdata.
Again, you'll see mostly invalid parameter responses. The correct value ("SUNWmc") will stand out with its 200 OK status code:
000000326: 200 1 L 1 W 26 Ch "SUNWmc"
Similarly, after identifying "SUNWmc" as the correct value, validate it with curl:
m4cc18@htb[/htb]$ curl -d "y=SUNWmc http://IP:PORT/post.php"
HTB{...}
In a real-world scenario, these flags would not be present, and identifying valid parameter values might require a more nuanced analysis of the responses. However, this exercise provides a simplified demonstration of how to leverage ffuf to automate the process of testing many potential parameter values.
Exercise
TARGET: 94.237.48.173:53907
Challenge 1
What flag do you find when successfully fuzzing the GET parameter?
From the above curl (having found the valid parameter using wenum):
┌──(myenv)─(macc㉿kaliLab)-[~/htb]
└─$ curl http://94.237.48.173:53907/get.php?x=OA_HTML
HTB{g3t_fuzz1ng_succ3ss}
flag: HTB
Challenge 2
What flag do you find when successfully fuzzing the POST parameter?
From the above curl (having found the valid parameter using ffuf):
┌──(myenv)─(macc㉿kaliLab)-[~/htb]
└─$ curl -d "y=SUNWmc" http://94.237.48.173:53907/post.php
HTB{p0st_fuzz1ng_succ3ss}
flag: HTB