How a Web Fuzzer Works

Published 2024-10-11 20:34:08

Web fuzzers automatically generate malicious requests by inserting the payloads of common vulnerabilities into web application injection points. They then fire off these requests and keep track of the server’s responses.

To better understand this process, let’s take a look at how the open source web application fuzzer Wfuzz ( https://github.com/xmendez/wfuzz/ ) works. When provided with a wordlist and an endpoint, Wfuzz replaces all locations marked FUZZ with strings from the wordlist. For example, the following Wfuzz command will replace the instance of FUZZ inside the URL with every string in the common_paths.txt wordlist:

$ wfuzz -w common_paths.txt http://example.com/FUZZ

You should provide a different wordlist for each type of vulnerability you scan for. For instance, you can make the fuzzer behave like a directory enumerator by supplying it with a wordlist of common file paths. Wfuzz will then generate requests that enumerate those paths on example.com:

http://example.com/admin
http://example.com/admin.php
http://example.com/cgi-bin
http://example.com/secure
http://example.com/authorize.php
http://example.com/cron.php
http://example.com/administrator

You can also make the fuzzer act like an IDOR scanner by providing it with potential ID values:

$ wfuzz -w ids.txt http://example.com/view_inbox?user_id=FUZZ

Say that ids.txt is a list of numeric IDs. If example.com/view_inbox is the endpoint used to access different users’ email inboxes, this command will cause Wfuzz to generate a series of requests that try to access other users’ inboxes, such as the following:

http://example.com/view_inbox?user_id=1
http://example.com/view_inbox?user_id=2
http://example.com/view_inbox?user_id=3

Once you receive the server’s responses, you can analyze them to see if there really is a file in that particular path, or if you can access the email inbox of another user. As you can see, unlike vulnerability scanners, fuzzers are quite flexible in the vulnerabilities they test for. You can customize them to their fullest extent by specifying different payloads and injection points.
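
As an added example (not part of the original page and not Wfuzz's own code), the following Python script implements the loop described above for both the directory-enumeration and the IDOR commands: substitute the FUZZ marker, send, record the status code and body length, then hide everything that looks like a baseline miss so only the responses worth reading are left. The target site, its responses, and the wordlists (`FAKE_SITE`, `COMMON_PATHS`, `IDS`) are constructed for the demo so it runs offline; `fake_send` stands in for the real `http_send` transport.

```python
"""Added example (not Wfuzz's code): a minimal web fuzzer that works the way
the text describes. It substitutes every wordlist entry for the FUZZ marker
in a request template, sends each request, records status code and body
length, and then hides responses that match a "nothing here" baseline so the
tester only reads the interesting ones. The site and wordlists are made up."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple
import urllib.error
import urllib.request

MARKER = "FUZZ"
Transport = Callable[[str], Tuple[int, bytes]]  # url -> (status, body)


@dataclass
class Result:
    payload: str
    url: str
    status: int
    length: int


def build_url(template: str, payload: str) -> str:
    """Replace every FUZZ marker in the template with the payload."""
    if MARKER not in template:
        raise ValueError("request template contains no FUZZ marker")
    return template.replace(MARKER, payload)


def http_send(url: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """Real transport. 403/404/500 answers are data, not errors: return them."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fuzz(template: str, wordlist: Iterable[str], send: Transport) -> List[Result]:
    """One request per wordlist entry; keep what the server answered."""
    results = []
    for word in wordlist:
        word = word.strip()
        if not word:                      # skip blank wordlist lines
            continue
        url = build_url(template, word)
        status, body = send(url)
        results.append(Result(word, url, status, len(body)))
    return results


def fuzz_and_filter(template: str, wordlist: Iterable[str], send: Transport,
                    canary: str = "zz-not-there-zz") -> List[Result]:
    """Learn what a miss looks like from a payload that cannot exist, then
    drop every response with that same status and length (a hand-rolled
    version of hiding responses by status code or by body length)."""
    base_status, base_body = send(build_url(template, canary))
    baseline = (base_status, len(base_body))
    return [r for r in fuzz(template, wordlist, send)
            if (r.status, r.length) != baseline]


# --- constructed target so the example runs offline (hypothetical data) ----
NOT_FOUND = (404, b"<html><body><h1>404 Not Found</h1></body></html>")
EMPTY_INBOX = (200, b"<ul></ul>")   # an unknown user_id still answers 200
FAKE_SITE = {
    "http://example.com/admin": (200, b"<html><title>Admin login</title></html>"),
    "http://example.com/cgi-bin": (403, b"Forbidden"),
    "http://example.com/view_inbox?user_id=1": (200, b"<ul><li>Invoice for alice</li></ul>"),
    "http://example.com/view_inbox?user_id=2": (200, b"<ul><li>Hi bob</li><li>Reset link</li></ul>"),
}


def fake_send(url: str) -> Tuple[int, bytes]:
    """Stand-in for http_send that answers from FAKE_SITE."""
    if url in FAKE_SITE:
        return FAKE_SITE[url]
    if url.startswith("http://example.com/view_inbox?user_id="):
        return EMPTY_INBOX
    return NOT_FOUND


COMMON_PATHS = ["admin", "admin.php", "cgi-bin", "secure",
                "authorize.php", "cron.php", "administrator"]
IDS = ["1", "2", "3", "4"]


def enumerate_paths(send: Transport = fake_send) -> List[Result]:
    """Directory enumeration: FUZZ sits in the URL path."""
    return fuzz_and_filter("http://example.com/FUZZ", COMMON_PATHS, send)


def probe_idor(send: Transport = fake_send) -> List[Result]:
    """IDOR probe: FUZZ sits in the user_id parameter. Every id answers 200
    here, so only the length comparison separates real inboxes from empty."""
    return fuzz_and_filter("http://example.com/view_inbox?user_id=FUZZ", IDS, send)


if __name__ == "__main__":
    for r in enumerate_paths() + probe_idor():
        print(f"{r.status} {r.length:5d}  {r.url}")
```

Against a real host you are authorized to test, pass `http_send` instead of `fake_send`. Two caveats a practitioner will hit: an IDOR probe only means something when the requests carry your own session (build a `urllib.request.Request` with the cookie header inside the transport), and the baseline trick assumes the application answers misses consistently; when every miss is a 200 of varying length, filter on a marker string in the body rather than on length.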
