The Fuzzing Process

Published 2024-10-11 20:34:08

Now let’s go through the steps that you can take to integrate fuzzing into your hacking process! When you approach a target, how do you start fuzzing it? The process of fuzzing an application can be broken into four steps. You can start by determining the endpoints you can fuzz within an application. Then, decide on the payload list and start fuzzing. Finally, monitor the results of your fuzzer and look for anomalies.

Step 1: Determine the Data Injection Points

The first thing to do when fuzzing a web application is to identify the ways a user can provide input to the application. What are the endpoints that take user input? What are the parameters used? What headers does the application use? You can think of these parameters and headers as data injection points or data entry points, since these are the locations at which an attacker can inject data into an application.

By now, you should already have an intuition of which vulnerabilities you should look for on various user input opportunities. For example, when you see a numeric ID, you should test for IDOR, and when you see a search bar, you should test for reflected XSS. Classify the data injection points you’ve found on the target according to the vulnerabilities they are prone to:

Data entry points to test for IDORs

GET /email_inbox?user_id=FUZZ
Host: example.com

POST /delete_user
Host: example.com

(POST request parameter)
user_id=FUZZ

Data entry points to test for XSS

GET /search?q=FUZZ
Host: example.com

POST /send_email
Host: example.com

(POST request parameter)
user_id=abc&title=FUZZ&body=FUZZ

Step 2: Decide on the Payload List

After you’ve identified the data injection points and the vulnerabilities that you might be able to exploit with each one, determine what data to feed to each injection point. You should fuzz each injection point with common payloads of the most likely vulnerabilities. Feeding XSS payloads and SQL injection payloads into most data entry points is also worthwhile.

Using a good payload list is essential to finding vulnerabilities with fuzzers. I recommend downloading SecLists by Daniel Miessler (https://github.com/danielmiessler/SecLists/) and Big List of Naughty Strings by Max Woolf (https://github.com/minimaxir/big-list-of-naughty-strings/) for a pretty comprehensive payload list useful for fuzzing web applications. Among other features, these lists include payloads for the most common web vulnerabilities, such as XSS, SQL injection, and XXE. Another good wordlist database for both enumeration and vulnerability fuzzing is FuzzDB (https://github.com/fuzzdb-project/fuzzdb/).

Besides using known payloads, you might try generating payloads randomly. In particular, create extremely long payloads, payloads that contain odd characters of various encodings, and payloads that contain certain special characters, like the newline character, the line-feed character, and more. By feeding the application garbage data like this, you might be able to detect unexpected behavior and discover new classes of vulnerabilities!

You can use bash scripts, which you learned about in Chapter 5, to automate the generation of random payloads. How would you generate a string of a random length that includes specific special characters? Hint: you can use a for loop or the file /dev/random on Unix systems.
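Taking up that question, here is an added bash script (not code from the chapter) that draws bytes from /dev/urandom, the non-blocking sibling of /dev/random, cuts them to a random length, keeps only alphanumerics plus a chosen set of special characters including newline, and percent-encodes each payload so it survives a one-payload-per-line wordlist. The ALLOWED character set and the 8..64-byte range are assumptions, not values from the chapter.

```bash
#!/usr/bin/env bash
# Added example, not from the original chapter: random "garbage" payloads of random length,
# mixing alphanumerics with special characters, URL-encoded one per line for a fuzzer wordlist.

# Special characters to scatter through payloads: angle brackets, quotes, '&', '%', ';', '|',
# '$', newline, carriage return and tab. A-Z, a-z and 0-9 are ranges for tr.
ALLOWED=$'A-Za-z0-9<>"\'&%;|$\n\r\t'

# rand_int MAX: random integer in [0, MAX), read as one unsigned 32-bit value from /dev/urandom
# (which never blocks, unlike /dev/random on older kernels). Modulo bias does not matter here.
rand_int() {
  echo $(( $(od -An -N4 -tu4 /dev/urandom) % $1 ))
}

# random_payload MIN MAX: string of MIN..MAX bytes drawn only from ALLOWED.
# LC_ALL=C makes tr work on raw bytes instead of choking on invalid multibyte sequences.
random_payload() {
  local min=$1 max=$2
  local len=$(( min + $(rand_int $(( max - min + 1 ))) ))
  LC_ALL=C tr -dc "$ALLOWED" < /dev/urandom | head -c "$len"
}

# url_encode STRING: percent-encode every byte outside the RFC 3986 unreserved set, so a payload
# containing a newline or '&' stays intact both in a line-oriented wordlist and in a query string.
url_encode() {
  local LC_ALL=C s="$1" out='' c i
  for (( i = 0; i < ${#s}; i++ )); do
    c=${s:i:1}
    case $c in
      [A-Za-z0-9._~-]) out+=$c ;;
      *) out+=$(printf '%%%02X' "'$c") ;;   # "'X" makes printf yield the byte value of X
    esac
  done
  printf '%s' "$out"
}

# payload_list COUNT MIN MAX: COUNT encoded payloads, one per line, ready for Wfuzz or Burp.
payload_list() {
  local count=$1 min=$2 max=$3 i
  for (( i = 0; i < count; i++ )); do
    # $(...) strips trailing newline bytes, so a payload ending in '\n' comes out a byte shorter.
    url_encode "$(random_payload "$min" "$max")"
    printf '\n'
  done
}

# Stand-alone usage: twenty payloads between 8 and 64 bytes long (assumed range).
payload_list 20 8 64
```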

Step 3: Fuzz

Next, systematically feed your payload list to the data entry points of the application. There are several ways of doing this, depending on your needs and programming skills. The simplest way to automate fuzzing is to use the Burp intruder (Figure 25-1). The intruder offers a fuzzer with a graphical user interface (GUI) that seamlessly integrates with your Burp proxy. Whenever you encounter a request you’d like to fuzz, you can right-click it and choose Send to Intruder.

In the Intruder tab, you can configure your fuzzer settings, select your data injection points and payload list, and start fuzzing. To add a part of the request as a data injection point, highlight the portion of the request and click Add on the right side of the window.

Figure 25-1: The Burp intruder payload position selection

Then either select a predefined list of payloads or generate payload lists in the Payloads tab (Figure 25-2). For example, you could generate a list of numbers or randomly generated alphanumeric strings.

Figure 25-2: Selecting the payload list in Burp intruder

Burp intruder is easy to use, but it has a downside: the free version of Burp limits the fuzzer’s functionality, and time-throttles its attacks, meaning that it slows your fuzzing and limits the number of requests you can send over a certain period of time. You’ll be able to send only a certain number of requests per minute, making the intruder a lot less efficient than a non-time-throttled fuzzer. Unless you need a GUI or have the professional version of Burp, you’re better off using an open source fuzzer like OWASP ZAP’s fuzzer or Wfuzz. You’ll learn how to fuzz a target with Wfuzz in “Fuzzing with Wfuzz” later on this page .

Note that sometimes throttling your fuzzers will be necessary to prevent disruption to the application’s operations. This shouldn’t be an issue for bigger companies, but you could accidentally launch a DoS attack on smaller companies without scaling architectures if you fuzz their applications without time throttling. Always use caution and obtain permission from the company when conducting fuzz testing!

Step 4: Monitor the Results

Analyze the results your fuzzer returned, looking for patterns and anomalies in the server responses. What to look for depends on the payload set you used and the vulnerability you’re hoping to find. For example, when you’re using a fuzzer to find filepaths, status codes are a good indicator of whether a file is present. If the returned status code for a pathname is in the 200 range, you might have discovered a valid path. If the status code is 404, on the other hand, the filepath probably isn’t valid.

When fuzzing for SQL injection, you might want to look for a change in response content length or time. If the returned content for a certain payload is longer than that of other payloads, it might indicate that your payload was able to influence the database’s operation and change what it returned. On the other hand, if you’re using a payload list that induces time delays in an application, check whether any of the payloads make the server respond more slowly than average. Use the knowledge you learned in this book to identify key indicators that a vulnerability is present.
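As an added example (not from the chapter), the following bash/awk script applies the three checks this step describes, status code, content length and response time, to a constructed CSV of fuzzer results. The column layout and the sample rows are assumptions, not real server output; the baseline is taken to be the most common status and length, and "slow" means more than three times the mean response time.

```bash
#!/usr/bin/env bash
# Added example, not from the original chapter: flag the anomalies Step 4 describes in fuzzer
# results. Input is CSV on stdin, "payload,status,length,time_ms", as you might export from Burp
# Intruder or Wfuzz. The sample below is constructed for illustration, not real server output.

SAMPLE_RESULTS='payload,status,length,time_ms
id=1001,200,1843,112
id=1002,200,1843,98
id=1003,200,1843,105
id=1004,403,211,101
id=1005,200,1843,120
id=1006,200,1843,99
sqli-01,500,4120,108
sqli-time-01,200,1843,5230
xss-01,200,1843,110'

# flag_anomalies: print "payload<TAB>reasons" for every response that differs from the baseline.
# Baseline = the most common status and the most common length (what the server normally says);
# a response counts as slow when it exceeds three times the mean time, the "slower than average"
# signal the text describes for time-delay payloads.
flag_anomalies() {
  awk -F, '
    NR == 1 { next }                                  # header line
    {
      n++; payload[n] = $1; status[n] = $2; len[n] = $3; ms[n] = $4
      status_count[$2]++; len_count[$3]++; total_ms += $4
    }
    END {
      best = 0
      for (s in status_count) if (status_count[s] > best) { best = status_count[s]; mode_status = s }
      best = 0
      for (l in len_count)    if (len_count[l]    > best) { best = len_count[l];    mode_len    = l }
      mean_ms = total_ms / n
      for (i = 1; i <= n; i++) {
        reason = ""
        if (status[i] != mode_status) reason = reason "status " status[i] " vs baseline " mode_status "; "
        if (len[i] != mode_len)       reason = reason "length " len[i] " vs baseline " mode_len "; "
        if (ms[i] + 0 > 3 * mean_ms)  reason = reason "time " ms[i] "ms vs mean " int(mean_ms) "ms; "
        if (reason != "") printf "%s\t%s\n", payload[i], reason
      }
    }'
}

# Stand-alone usage over the constructed sample: flags id=1004, sqli-01 and sqli-time-01.
printf '%s\n' "$SAMPLE_RESULTS" | flag_anomalies
```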
