
Using Wfuzz for Web Application Vulnerability Detection


Bug bounty hunters are increasingly relying on automation to streamline the web vulnerability reporting process, according to Vickie Li, ethical hacker, author, and security engineer. In fact, Li noted in her book, Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities, that automated fuzzing was responsible for a majority of new entries in the CVE catalog. Fuzzing is a method that involves feeding an application unexpected and invalid data in order to force errors and exceptions that might reveal a bug. Fuzz testing can be used to target common web vulnerabilities.

In a recent excerpt from Chapter 25, Li provides a step-by-step process for using Wfuzz, an open-source fuzzer, to search for bugs in web applications. Wfuzz can be installed with pip:

$ pip install wfuzz

Fuzzing can be useful during the recon and hunting phases. During the recon phase, Wfuzz can be used to enumerate file paths on a server. For instance, a command can be used to enumerate file paths on example.com:

$ wfuzz -w wordlist.txt -f output.txt --hc 404 --follow http://example.com/FUZZ

The -w option specifies the wordlist to use for enumeration; it is important to select a path-enumeration wordlist tailored to the technology used by the target. The -f option specifies the output file, and --hc 404 instructs Wfuzz to hide every response with a 404 status code. With this filter, URLs that do not point to a valid file or directory are kept out of the results.

As an example from the recon phase, a simple wordlist can be used to enumerate possible paths on Facebook:

$ wfuzz -w wordlist.txt -f output.txt --hc 404 --follow http://facebook.com/FUZZ

In this instance, the results displayed only one response, as irrelevant results were filtered out. Based on these results, it appears that '/secure' returned a 200 OK status code and is a valid path on Facebook.

Once valid filepaths have been established on the target, it is possible that some pages are protected, resulting in a 403 Forbidden response code. In such cases, Wfuzz can be used to brute-force page authentication. For instance, if pages use basic authentication as a means of access control, Wfuzz can be used to fuzz the authentication headers with the -H flag, with custom headers specified as follows:

$ wfuzz -w wordlist.txt -H "Authorization: Basic FUZZ" http://example.com/admin

The basic authentication scheme uses the Authorization header to transfer credentials as base64-encoded strings of username and password pairs. By using a script, the user can generate authentication strings from commonly used username and password pairs, then feed them to the target with Wfuzz.

Wfuzz can also be used to automatically test for common web vulnerabilities. One approach is to fuzz URL parameters and test for vulnerabilities such as IDOR (Insecure Direct Object References) and open redirects. URLs are fuzzed by placing the FUZZ keyword where the payload should go, as in the command below, which tests a range of IDs on a site that uses a numeric ID for chat messages:

$ wfuzz -w wordlist.txt http://example.com/view_message?message_id=FUZZ
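The defender's counterpart to the path enumeration and basic-authentication fuzzing described above is to spot it in the server's access log. The following script is an added example, not code from Li's book or from the Wfuzz project: it parses Combined Log Format lines and flags a single source that produces a burst of 404 responses (the footprint of wordlist enumeration with --hc 404 hiding them on the attacker's side) or a burst of 401 responses against one path (the footprint of Authorization-header fuzzing). The log lines are constructed, and the thresholds, window size and the "Wfuzz/…" User-Agent string are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse(line):
    """Return a dict with ip, ts (datetime), path, status (int), ua; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d

def detect(lines, window_s=60, not_found_threshold=20, auth_fail_threshold=10):
    """Return (ip, kind, peak_count) findings for sources whose 404 or 401 rate
    within any sliding window exceeds the (assumed) thresholds."""
    events = defaultdict(list)                      # ip -> [(ts, status)]
    for line in lines:
        d = parse(line)
        if d:
            events[d["ip"]].append((d["ts"], d["status"]))
    findings = []
    for ip, evs in events.items():
        evs.sort()
        start, inwin, peak = 0, Counter(), Counter()
        for ts, status in evs:                      # two-pointer sliding window per source
            inwin[status] += 1
            while (ts - evs[start][0]).total_seconds() > window_s:
                inwin[evs[start][1]] -= 1
                start += 1
            for code in (404, 401):
                peak[code] = max(peak[code], inwin[code])
        if peak[404] >= not_found_threshold:
            findings.append((ip, "path-enumeration", peak[404]))
        if peak[401] >= auth_fail_threshold:
            findings.append((ip, "basic-auth-brute-force", peak[401]))
    return findings

def sample_log():
    """Constructed sample traffic (not real logs): a path scan, an auth brute force, benign browsing."""
    t = "[10/Jun/2024:12:00:%02d +0000]"
    words = ["admin", "backup", "old", "test"] * 6  # stands in for a 24-entry wordlist
    lines = [f'198.51.100.7 - - {t % i} "GET /{w}{i} HTTP/1.1" 404 153 "-" "Wfuzz/3.1.0"'
             for i, w in enumerate(words)]
    lines += [f'203.0.113.9 - - {t % i} "GET /admin HTTP/1.1" 401 0 "-" "Wfuzz/3.1.0"' for i in range(12)]
    lines += [f'192.0.2.5 - - {t % i} "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"' for i in range(3)]
    return lines

if __name__ == "__main__":
    for ip, kind, count in detect(sample_log()):
        print(f"{ip}: {kind} ({count} responses in window)")
```

The status-code rate is the durable signal; the User-Agent is only corroborating, since Wfuzz's -H flag lets it be overridden.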

Wfuzz also has more advanced options and filters. When used properly, it can automate much of the bug hunting and reporting process.
