Web application fuzzing is a method of detecting a web application's vulnerabilities before the application is deployed to a production system. The tester sends many malicious or malformed requests to the application and, from the responses received, assesses the application's security posture. Fuzzing can also be applied to several different attack vectors, such as SQL, XPath, and LDAP injection, and to error handling.
This article introduces web application fuzzing, using Ruby code to show how it works and how to implement it. The example code can serve as the starting point for a framework; you can build more advanced fuzzing software on top of it. Specifically, by the end of the article you will have learned the following:
- Web fuzzing techniques with HTTP requests
- How to use a Ruby fuzzing framework
- How to leverage interactive Ruby (irb) for web fuzzing
- How to script the objects in Ruby for fuzzing
- How to detect vulnerabilities with fuzzing
Web Fuzzing Overview
Web application fuzzing (or fault injection) is a technique in which different sets of unexpected values are passed to the application as input and the behavior of the application is measured using the responses. Web fuzzing is done over HTTP or HTTPS with a clear set of objectives. It can disclose vulnerabilities associated with web servers, application servers, or web application code.
An HTTP request has two parts: the header section and the message body (the data buffer). The header section consists of the request line (method, URI, and protocol version) followed by header fields as name/value pairs (Cookie, Referer, Host, etc.). The body, normally present only in a POST request, carries the data passed to the application; its size is declared in the Content-Length header. Each of these values and parameters can be fuzzed with different sets of values, such as the following:
- Data type fuzzing: pass an integer, string, float, etc. where another type is expected
- Fuzzing with different buffer sizes
- Metacharacter fuzzing: passing values such as double quotes, #, $, etc.
- Vulnerability-specific signatures: testing for SQL, XPath, XQuery, and XSS injection
- Fuzzing with brute-forced credentials: user and password values can be brute-forced
- Fuzzing with different encodings of the same value
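The following Ruby code is an added example, not code from the original article, showing the two halves of what the list above describes: a set of fuzz payloads per category, and a request builder that places a payload in either a form parameter (the body) or a header field, computing Content-Length from the body's byte size. The host, path, parameter names and payload strings are constructed sample values; the functions `build_request`, `fuzz_form` and `fuzz_header` are illustrative names, not part of any framework the article discusses.

```ruby
require 'uri'

# Fuzz payload sets, one per category in the list above (constructed sample values).
PAYLOADS = {
  data_type:       ['0', '-1', '4294967296', '3.14', 'true', 'abc', ''],
  buffer_size:     [256, 1024, 8192].map { |n| 'A' * n },
  metachar:        ['"', "'", '#', '$', '%', '&', ';', '<', '>', '\\', "\x00"],
  sql_signature:   ["' OR '1'='1", "'; --", '1 UNION SELECT NULL--'],
  xpath_signature: ["' or 1=1 or ''='", '1 or 1=1'],
  xss_signature:   ['<script>alert(1)</script>', '"><img src=x onerror=alert(1)>']
}.freeze

# Serialize a raw HTTP/1.1 request: request line, header fields, blank line, body.
# Content-Length must be the body's byte size, not its character count, or the
# server will read too little or too much of the buffer.
def build_request(method, path, host, headers = {}, body = nil)
  lines = ["#{method} #{path} HTTP/1.1", "Host: #{host}"]
  headers.each { |name, value| lines << "#{name}: #{value}" }
  if body
    lines << 'Content-Type: application/x-www-form-urlencoded'
    lines << "Content-Length: #{body.bytesize}"
  end
  lines.join("\r\n") + "\r\n\r\n" + body.to_s
end

# Body fuzzing: for a baseline set of form parameters, produce one request per
# (parameter, payload) pair. Each request mutates exactly one parameter, so a
# faulty response can be traced back to the value that caused it.
def fuzz_form(host, path, base_params, payload_set)
  base_params.keys.flat_map do |name|
    payload_set.map do |payload|
      body = URI.encode_www_form(base_params.merge(name => payload))
      { param: name, payload: payload,
        request: build_request('POST', path, host, { 'User-Agent' => 'fuzzer/0.1' }, body) }
    end
  end
end

# Header fuzzing: the same idea applied to a header value such as Cookie or Referer.
# No encoding is applied here on purpose; raw metacharacters in a header are part
# of what is being tested.
def fuzz_header(host, path, header_name, payload_set)
  payload_set.map do |payload|
    { header: header_name, payload: payload,
      request: build_request('GET', path, host, { header_name => payload }) }
  end
end

if __FILE__ == $PROGRAM_NAME
  fuzz_form('example.test', '/login', { 'user' => 'bob', 'pass' => 'x' }, PAYLOADS[:sql_signature])
    .each { |r| puts r[:request], '---' }
end
```

The generated strings can be written to a raw TCP socket, which is what makes header-level fuzzing possible: a high-level HTTP client library would normally refuse to emit a header containing a NUL byte or a bare CR, and that is exactly the malformed input a fuzzer wants to send.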
Depending on the application's logic and implementation, any one of these fuzz payloads may hit a different part of the stack: the web server, the application server, the database, or the application code itself. Vulnerabilities are then detected by inspecting the responses received. A response may also carry version signatures of the server components, which is useful in its own right if any of those components has known vulnerabilities.
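Response inspection, as an added example that is not part of the original article: `parse_response` splits a raw HTTP response into status, headers and body, and `analyze_response` reports the indicators the paragraph above mentions (a 5xx status, back-end error text that names the component that choked, a payload reflected verbatim, Server / X-Powered-By banners, and a body length far from the baseline response). The error-string patterns are illustrative, the three sample responses are constructed rather than captured from any real server, and the function names are this example's own.

```ruby
# Error strings that commonly leak from back-end components when a fuzz
# payload breaks a query or a parser. Patterns are illustrative, not exhaustive.
SIGNATURES = {
  sql_error:   [/you have an error in your sql syntax/i, /unclosed quotation mark/i,
                /ORA-\d{5}/, /SQLSTATE\[/, /PG::SyntaxError/],
  xpath_error: [/XPathException/, /invalid xpath expression/i],
  ldap_error:  [/ldap_search\(\)/, /Bad search filter/i],
  stack_trace: [/\bat [\w.$]+\(\w+\.java:\d+\)/, /Traceback \(most recent call last\)/,
                /\.rb:\d+:in `/]
}.freeze

# Split a raw HTTP response into status code, header hash (lower-cased names) and body.
def parse_response(raw)
  head, body = raw.split("\r\n\r\n", 2)
  status_line, *header_lines = head.split("\r\n")
  status = status_line[%r{\AHTTP/\d\.\d (\d{3})}, 1].to_i
  headers = header_lines.each_with_object({}) do |line, h|
    name, value = line.split(':', 2)
    h[name.strip.downcase] = value.to_s.strip
  end
  { status: status, headers: headers, body: body.to_s }
end

# Inspect one response to one fuzzed request and report what it reveals:
# - 5xx status: the payload broke something server-side
# - back-end error text: names the component (SQL, XPath, LDAP, app stack) that choked
# - payload echoed verbatim: candidate reflected XSS
# - Server / X-Powered-By banners: component versions to check against known issues
# - body length far from the baseline (normal) response: behaviour changed
def analyze_response(raw, payload:, baseline_length: nil)
  resp = parse_response(raw)
  findings = []
  findings << :server_error if resp[:status] >= 500
  SIGNATURES.each do |name, patterns|
    findings << name if patterns.any? { |re| resp[:body].match?(re) }
  end
  findings << :payload_reflected if resp[:body].include?(payload)
  banner = resp[:headers].values_at('server', 'x-powered-by').compact
  findings << :component_banner unless banner.empty?
  if baseline_length && (resp[:body].bytesize - baseline_length).abs > baseline_length / 2
    findings << :length_anomaly
  end
  { status: resp[:status], banner: banner, findings: findings }
end

# Constructed sample responses (not captured from a real server).
SAMPLE_SQL_ERROR = [
  'HTTP/1.1 500 Internal Server Error',
  'Server: Apache/2.2.3 (Unix)',
  'X-Powered-By: PHP/5.2.6',
  'Content-Type: text/html',
  '',
  "Warning: mysql_fetch_array(): You have an error in your SQL syntax near ''' at line 1"
].join("\r\n")

SAMPLE_REFLECTED = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html',
  '',
  '<input name="q" value="<script>alert(1)</script>">'
].join("\r\n")

SAMPLE_NORMAL = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html',
  '',
  '<html><body>Welcome, bob</body></html>'
].join("\r\n")

if __FILE__ == $PROGRAM_NAME
  p analyze_response(SAMPLE_SQL_ERROR, payload: "'")
  p analyze_response(SAMPLE_REFLECTED, payload: '<script>alert(1)</script>')
  p analyze_response(SAMPLE_NORMAL, payload: 'zzz')
end
```

A reflected payload is only a candidate: whether `<script>alert(1)</script>` actually executes depends on the HTML context it lands in, so the finding marks a request for manual follow-up rather than a confirmed XSS. Likewise the baseline length should be taken from a response to a benign value sent through the same parameter, not from an unrelated page.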
Approaches for assessing the security of web applications fall into two categories: black box and white box. A black-box assessment is done with "zero knowledge" of the internals, whereas a white-box assessment is done with complete access to the source code and deployment settings. Fuzzing is a black-box technique: done effectively, it detects vulnerabilities without any access to the source.