Fuzz testing or fuzzing is a technique commonly used in software testing to find how software responds to invalid, unexpected or random data. The targeted software may fail, give unexpected output or misbehave while processing the randomized input data. Input that leads to such situations is then addressed and rectified.
The term fuzz testing originates from a 1988 class project testing the reliability of Unix programs by bombarding them with random data until they crashed. As the years passed, new techniques emerged, and crashing software is no longer the main goal – nowadays it’s used for finding defects.
Fuzz testing isn’t only a technique for finding defects with the intention of making better software. Even hackers have found a use for this technique. The main approach is the same – hit a target with random data to see how it reacts.
Today we’ll be looking at a tool called Wfuzz and we’ll do so by applying it to a well-known CTF game!
Wfuzz – Web application Bruteforcer
There are many fuzzers available on the market, both free and commercial. One such free fuzzer is Wfuzz – a CLI tool designed for bruteforcing web applications. It can be used for finding resources that are not linked (directories, servlets, scripts, etc.), bruteforcing GET and POST parameters to check for different kinds of injection (SQL, XSS, LDAP, etc.), bruteforcing form parameters (user/password), fuzzing, etc. It’s a handy tool to know.
If you are completely new to this tool I advise you to seek out the help section. You can do so by issuing the following command:
$ wfuzz -h
As you’ll notice the help section is a bit massive. Below is an overview of the options I use the most:
| Option | Description |
|---|---|
| -s | Time delay between connections |
| --hc/hl/hw/hh | Filter/hide responses with the specified code/lines/words/chars |
| --sc/sl/sw/sh | Filter/show responses with the specified code/lines/words/chars |
Discovering hidden resources
Wfuzz is a great tool for finding hidden resources on a web server. Here we’ll try to discover hidden resources (scripts, directories etc) on target_site using a path list (file) as input. The path list I am using is custom-made and contains some keywords related to well-known URL paths. Wfuzz will read the input line by line and insert the read value into wherever we put the “FUZZ” keyword and then fire off a request to said path. In the following command I have added a filter to remove any requests resulting in an HTTP 404.
$ wfuzz -c --hc 404 -z file,url_paths.txt http://target_ip/FUZZ
Aimed at one of my test machines this command yields the following:
As we can see the web server returns HTTP 500 in some cases. Interesting!
So we made a nice discovery using the last command. Moving on we can also manipulate POST requests. In the following example I am reusing the same target IP on a different machine. The following is a command to bruteforce WordPress login for the Mr. Robot 1 Vulnhub CTF game:
$ wfuzz -c -d "log=elliot&pwd=FUZZ" -w fsocity.dic --hs ERROR http://target_ip/wp-log
Consuming large dictionaries such as the one offered in the Mr. Robot 1 game requires a lot of requests. This means it’ll be noisy and it’ll take forever to complete. For this example I’ve just sorted the dictionary and removed duplicates to speed things up a bit.
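Hiding 404s with `--hc` only filters the client's output; the server still logs every request, so both the path discovery and the login run above stand out in the access log. The following is an added example, not part of the original post, that flags those two patterns in a slice of a combined-format access log. The thresholds, the `/login.php` path, the `Wfuzz/2.4` version string and the sample lines are assumptions, and the input is treated as one short time window.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log line.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def detect_fuzzing(log_text, login_path="/login.php", min_404=5,
                   min_404_ratio=0.8, min_login_posts=5):
    """Return {client_ip: [reasons]} for clients whose traffic looks like fuzzing."""
    stats = defaultdict(lambda: {"total": 0, "miss": set(), "posts": 0, "ua": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        s = stats[m["ip"]]
        s["total"] += 1
        if m["status"] == "404":
            s["miss"].add(m["path"])  # distinct paths that did not exist
        if m["method"] == "POST" and m["path"].split("?")[0] == login_path:
            s["posts"] += 1
        # Wfuzz's default User-Agent names the tool; easy to change, so a weak signal.
        s["ua"] = s["ua"] or "wfuzz" in m["ua"].lower()
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if len(s["miss"]) >= min_404 and len(s["miss"]) / s["total"] >= min_404_ratio:
            reasons.append("path-discovery")    # many distinct 404s, little else
        if s["posts"] >= min_login_posts:
            reasons.append("login-bruteforce")  # repeated POSTs to the login form
        if s["ua"]:
            reasons.append("wfuzz-user-agent")
        if reasons:
            findings[ip] = reasons
    return findings

def make_line(ip, method, path, status, ua):
    return f'{ip} - - [10/Oct/2023:13:55:01 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

# Constructed sample traffic (documentation IP ranges), not real log data.
SAMPLE_LOG = "\n".join(
    [make_line("198.51.100.7", "GET", f"/{p}", 404, "Wfuzz/2.4")
     for p in ("admin", "backup", "cgi-bin", "old", "test", "tmp")]
    + [make_line("198.51.100.7", "GET", "/robots.txt", 200, "Wfuzz/2.4")]
    + [make_line("198.51.100.9", "POST", "/login.php", 200, "Mozilla/5.0")] * 6
    + [make_line("192.0.2.10", "GET", "/", 200, "Mozilla/5.0"),
       make_line("192.0.2.10", "GET", "/missing.png", 404, "Mozilla/5.0")])

if __name__ == "__main__":
    for ip, reasons in detect_fuzzing(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

The ordinary visitor at 192.0.2.10 with a single broken image link stays below both thresholds and is not flagged.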
Moving on to the last example. It is also possible to work with the HTTP headers directly. In this example I’ll try to uncover if the Mr. Robot 1 server responds to other host domain names:
$ wfuzz -c -H "Host:FUZZ,Cookie:id=1234" -w hosts.txt http://target_ip
In this example I am using a small list of domain names I’ve concocted and I expect it to fail. I would’ve also tried to fuzz a cookie but I decided not to since the same theory applies to this scenario – just apply the FUZZ keyword where you need it. The command yields:
Nothing interesting found.
Wfuzz is a handy tool. My peek into this marvelous tool only scratches the surface of what’s possible. From here you could easily extend and build new commands. For instance, what about trying to add more payloads into the equation?
Happy gaming and stay on the right side of the law!
There are plenty of tools on the market. Here’s a few:
And here’s two resources listing even more fuzzers:
- OWASP on Fuzzing
- Wired on Fuzzing
- Wikipedia on fuzz testing
- Wfuzz – Edge security group
- A great presentation on advanced fuzzing using Wfuzz