Новиков (Practical fuzzing for modern web and APIs)

The document outlines the importance of web application security as a process rather than just software, emphasizing the need for continuous integration and testing. It discusses various fuzzing techniques and attack vectors, providing examples of how to exploit vulnerabilities in applications. Additionally, it highlights the tools and methods for effective fuzzing and the challenges in analyzing results from security scans.


● 200+ security audits since 2009
● $1M total bug bounties and rewards
● 20+ application security researches
What is an application?

Application is not a software.

Web application is not software. It's a process:
business -> coding -> testing -> release -> business

It's impossible to secure a process by using software.

Web application security is a process: CI/CD, DevOps, SecOps.

What is security?

(Diagram: the same business -> coding -> testing -> release cycle, with security at its centre; information security.)
WHERE and WHAT

Send the HTTP request with the payload inside.

● Where should you put the payload?
● What is the payload?

WHERE. The coverage problem

● Crawling - the worst part of the scanning
● Units/regressions/functional coverage
● DPI: JSON, XML, Base64, GZIP, matryoshkas
● Custom encodings/encryption
● Application logic understanding. Models other than request-response
WHAT. Attack vectors

● Known vectors - vulnerability scanners
● Unexpected data/random/anything - fuzzers
● New vulnerabilities = new payloads
● Input validation - payloads
● Behaviors and logic issues - ???

What is the difference? (Diagram: fuzzing payloads vs. vulnerability scanner payloads.)
How to fuzz?

1. Methods scraping (/user/debug, SET / HTTP/1.1, etc.)
2. Type miscasting ({"login":true})
3. Last byte modification: ?username=admi%00
4. Random byte modification: ?username=ad%00in
5. Add payload to the end: ?username=admin%27
6. Parameters from other requests (password to logout)
7. Numbers increasing/decreasing: /user/100001/status
8. Filenames by fuzz.txt (check GitHub)
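The mutation steps above, as an added example that is not part of the slides: a small Python mutator that applies steps 1 to 5 and 7 to one constructed request and renders each variant as a raw request line. The sample request, the order of the VERBS list and the names with_query, mutate and render are assumptions; steps 6 and 8 need a second request or a wordlist and are left out.

```python
import json
import random
from urllib.parse import quote

# Constructed sample request for the demonstration; not taken from any real API.
BASE_REQUEST = {
    "method": "GET",
    "path": "/user/100001/status",
    "query": {"username": "admin"},
    "body": {"login": "admin", "remember": "false"},
}

# Non-CRUD verbs and aliases listed on the slides, used for step 1.
VERBS = ["SET", "REMOVE", "DEBUG", "TRACK", "FORWARD", "MOVE", "INFO"]


def with_query(req, key, value):
    """Copy of req with one query parameter replaced (the original is never mutated)."""
    return dict(req, query=dict(req["query"], **{key: value}))


def mutate(req, seed=0):
    """Return (technique, mutated_request) pairs for steps 1-5 and 7.
    A seeded RNG keeps step 4 (random byte) reproducible between runs."""
    rng = random.Random(seed)
    out = []
    for verb in VERBS:                                   # 1. method scraping
        out.append(("method", dict(req, method=verb)))
    for key, val in req["body"].items():                 # 2. type miscasting
        if isinstance(val, str):
            out.append(("type", dict(req, body=dict(req["body"], **{key: True}))))
    for key, val in req["query"].items():
        out.append(("lastbyte", with_query(req, key, val[:-1] + "\x00")))       # 3. admi%00
        i = rng.randrange(len(val))                                              # 4. ad%00in
        out.append(("randbyte", with_query(req, key, val[:i] + "\x00" + val[i + 1:])))
        out.append(("append", with_query(req, key, val + "'")))                 # 5. admin%27
    parts = req["path"].split("/")
    for idx, seg in enumerate(parts):                    # 7. numeric path segments +1 / -1
        if seg.isdigit():
            for delta in (1, -1):
                new_parts = parts[:idx] + [str(int(seg) + delta)] + parts[idx + 1:]
                out.append(("number", dict(req, path="/".join(new_parts))))
    return out


def render(req):
    """Serialise a request as a raw request line plus JSON body; the query is
    percent-encoded so NUL and quote bytes show up as %00 and %27."""
    qs = "&".join(f"{k}={quote(v, safe='')}" for k, v in req["query"].items())
    target = req["path"] + ("?" + qs if qs else "")
    return f"{req['method']} {target} HTTP/1.1\r\n\r\n{json.dumps(req['body'])}"
```

Each variant is an independent copy, so the same base request can be run through every technique and the results compared against the unmodified response.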
Fuzzing optimizations for lists

You need to know your data contexts first. And then:

● Machine learning (everything you can, from HMM to RNN)
● Linguistic patterns (verbs and nouns)
● Templates (RegExp, syllable)

http://pdev.org.uk/#browse?q=;f=A
Example 1. 1-byte fuzzer

?ref=http://aaa/%00aaaaaaaaaaaaaaaaaaaaa

Memory corruption inside the Nginx module. Random memory reading (Heartbleed analogue).

https://bugfuzz.com/vulns/nginx-mem.txt
Example 2. 1-byte fuzzer

{"method":"test%26method%3ddeleteUser"}

SSRF inside the URL string to the backend API:

call('/api/?method='+$data)

GET /api/?method=test&method=deleteUser
Host: internal.api.host
Example 3. 1-byte fuzzer

<Image><![CDATA[http://test.com\n
rm -rf / ;]]></Image>

RCE by newline injection.

Also, Yandex RCE (2014), Re: [Ticket#13111203410381979] Market feedparser - yet another RCE (#3) in Python.

Not covered by standard payloads such as: `id`, $((id)), |id|
Example 4. 1-byte fuzzer

https://research.facebook.com/search?q=a%20 -> HTTP 200
https://research.facebook.com/search?q=a%22 -> HTTP 500

$1000 reward for injection into JSON to ElasticSearch. But it might be RCE...
Example 5. 1-byte fuzzer

GET / HTTP/1.1
COOKIE: sessionid=a8cf5d724a7f56e490cab37%0a

Newline byte is a trigger for server timeout 504.

%0aset+key+0+1+3600+10%0a1234567890%0a

https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf
Example 6. List-based fuzzer

Example 7. List-based fuzzer

SET /user/data HTTP/1.1
Host: api.test.com

HTTP non-CRUD methods, CRUD aliases and WebDAVish things:
● SET
● REMOVE (instead of DELETE, I don't know why)
● DEBUG
● TRACK
● FORWARD
● MOVE
● INFO

How to find? Just run fuzzing by all the verbs list.
Example 8. Fuzzing nouns

https://github.com/wallarm/fast-detects/blob/master/spring-cloud-infoleaks.yaml, also related to Jolokia by Artsploit (Veracode), CVE-2019-xxx

POST /endpoint/env HTTP/1.1
Example 9. Type casting

POST /user/login HTTP/1.1
HOST: api.somethings.com

{"token":true, ...}

Example 10. Type casting

PUT /api/v1/user HTTP/1.1
Content-Type: application/json

PUT /api/v1/user HTTP/1.1
Content-Type: application/xml
H4ckers points of view on API requests

GET /user/7456438/add HTTP/1.1

<VERB> <DLM><NOUN><DLM><IDN><DLM><VERB> HTTP/1.1

Analysing the results

Scanners produce vulnerabilities and false positives.
Fuzzers produce abnormalities.

How to analyze this data? Who will do this work?
The collaboration/integration problem.

Testing policy examples:
● No 5xx errors
● No 1+ms response
Tools for fuzzing

Universal tools
● Burp Suite (PortSwigger)
● ZAProxy
● FAST https://fast.wallarm.com

Custom tools
● https://github.com/asmyczek/popcorn (for JSON)
● https://github.com/krypt/FuzzBert (for Ruby)

Own tools
Fuzzing for the continuous security

Pipeline: Unit tests -> Proxy requests collector -> Fuzzy generated tests -> Staging environment

● Collect all the requests by unit/manual tests
● Apply all the fuzzing policies
● Generating x10'000 new unit tests by fuzzing
● Run all of them
● Apply the rules to prove whether this release is ready or not
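The testing policies from "Analysing the results" and the release gate at the end of the pipeline above, as an added example that is not from the talk: constructed fuzz-run results are reduced to abnormalities by the two stated policies (latency threshold as a parameter, since the slide only gives it as an example) plus one extra rule for a non-CRUD verb answered with HTTP 200. The sample values and the names apply_policies, release_ready and summarize are assumptions.

```python
# Constructed fuzz-run results as (request, technique, status, latency_seconds).
# The rows are modelled on the slides' examples; they are not real measurements.
RESULTS = [
    ("GET /search?q=a%20", "append", 200, 0.118),
    ("GET /search?q=a%22", "append", 500, 0.131),               # quote byte breaks backend JSON
    ("GET / Cookie: sessionid=...%0a", "lastbyte", 504, 30.0),  # newline byte, upstream timeout
    ("SET /user/data", "method", 405, 0.010),                   # verb correctly rejected
    ("REMOVE /user/data", "method", 200, 0.090),                # undocumented verb accepted
]


def apply_policies(results, max_latency=1.0):
    """Reduce raw fuzzer output to a list of (request, rule, detail) abnormalities.
    The first two rules are the slide's testing policies (no 5xx, no slow responses);
    the third is an extra rule for a non-CRUD verb the API answered 200 to."""
    findings = []
    for request, technique, status, latency in results:
        if 500 <= status <= 599:
            findings.append((request, "policy:no-5xx", f"status {status}"))
        if latency > max_latency:
            findings.append((request, "policy:no-slow-response", f"{latency:.3f}s > {max_latency}s"))
        if technique == "method" and status == 200:
            findings.append((request, "abnormal:unexpected-verb-accepted", "HTTP 200"))
    return findings


def release_ready(findings):
    """The staging gate: any policy violation blocks the release. 'abnormal' findings
    are routed to a human and do not block on their own (an assumption of this example)."""
    return not any(rule.startswith("policy:") for _, rule, _ in findings)


def summarize(findings):
    """Count findings per rule so a report shows where the fuzz run hurt most."""
    counts = {}
    for _, rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts
```

Running the same results with max_latency=0.001 shows why the threshold belongs in the policy and not in the code: every row then violates the slow-response rule and the gate closes on noise.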
! We are looking for early adopters
Thanks!

@d0znpp Fb/Tg/Twi/Medium
https://blog.wallarm.com
[email protected]
