Fuzzing is excellent at casting a wide net and generating potential leads, but not every finding is a genuine vulnerability. The purpose of validation:
-
Confirm Vulnerabilities: Distinguishes genuine threats from false positives.
-
Assess Impact: Evaluates severity and potential consequences.
-
Reproduction: Consistently replicates issues for further investigation.
-
Gather Evidence: Prepares proof for stakeholders or developers.
Steps for Validation
1. Manual Verification
- Reproduce the Request: Use tools like
curlor a web browser. - Analyze the Response Look for errors, anomalies, or deviations.
- Controlled Exploitation: Validate vulnerabilities with PoC while avoiding harm.
2. Using curl for Validation
curl http://IP:PORT/backup/
curl -I http://IP:PORT/backup/password.txt- Key headers to analyze:
- Content-Type: File type (e.g.,
text/plain,application/sql). - Content-Length: Indicates file size (e.g., non-zero size implies content).
- Content-Type: File type (e.g.,