Notes

Parameter & Value Fuzzing

2 min read

Parameter and value fuzzing is a technique to test the robustness of web applications by manipulating web request parameters and analyzing the responses. This can reveal vulnerabilities in how applications process input.

GET Parameters Visible in the URL, typically used for non-state-changing actions like searches. Follows the question mark (?) in the URL, with multiple parameters separated by ampersands (&).

  • query: Parameter with value fuzzing
  • category: Parameter with value security
https://example.com/search?query=fuzzing&category=security

POST Parameters Sent within the HTTP request body, making them less visible than GET parameters. Preferred for transmitting sensitive data (e.g., login credentials).

  • Encoding Formats:
    • application/x-www-form-urlencoded: Encodes data as key-value pairs.
    • multipart/form-data: Used for file uploads.
POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
 
username=your_username&password=your_password

Importance for Fuzzing

  • Parameters act as inputs to web applications.
  • Manipulating parameter values tests how the application responds to various inputs, uncovering issues like:
    • Unauthorized access
    • Hidden features
    • Vulnerabilities (e.g., XSS, SQL Injection)

Tools for Fuzzing

  1. curl: Used for manual testing of parameters to understand endpoint behavior.
curl http://IP:PORT/get.php
curl http://IP:PORT/get.php?x=1
  1. wenum: Automates parameter fuzzing for GET requests.
wenum -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 404 -u "http://IP:PORT/get.php?x=FUZZ"
  • Options:
    • -w: Specifies the wordlist.
    • --hc 404: Filters out 404 status code responses.
    • FUZZ: Placeholder for the fuzzed parameter value.
  1. ffuf: Fuzzes POST parameters by injecting values into the request body.
ffuf -u http://IP:PORT/post.php -X POST -H "Content-Type: application/x-www-form-urlencoded" \
     -d "y=FUZZ" -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200 -v
  • Options:
    • -X POST: Specifies POST method.
    • -H: Sets the content type.
    • -d: Defines the POST data with FUZZ as the placeholder.
    • -mc 200: Filters responses with a 200 status code.

Process Workflow

  1. Manual Testing with curl:
    • Identify endpoint behavior by sending requests with and without parameters.
  2. Automated Testing:
    • Use wenum for GET parameters.
    • Use ffuf for POST parameters.
  3. Analyze Responses:
    • Look for status codes (e.g., 200 OK).
    • Inspect response size and content for unique patterns.
  4. Validate Findings:
    • Test discovered parameter values manually using curl.

Graph View