Login | Register   
RSS Feed
Download our iPhone app
Browse DevX
Sign up for e-mail newsletters from DevX


Detect Your Web Application's Vulnerabilities Early with Ruby : Page 3

Web application fuzzing enables you to detect a web application's vulnerabilities prior to deploying it on a production system.

Fuzz Class
Figure 2 shows the methods for the Fuzz class:
  • target= — This method sets the Fuzz target. You can set it as "t".
  • payload — This method shows the @payload variable that stores the fuzz load.
  • loadfile — This method takes the fuzz load from a defined file and sets it to @payload.
  • run — This method runs fuzzing against the target.
  • result — This method gives a handler to the instance variable @result, which contains an array of final results.

Click to enlarge

Figure 2. RDoc View for Fuzz Class

Let's look at the code and its execution in detail. First you need to create an instance of Fuzz:

>> fuzz = Fuzz.new => #<Fuzz:0x2bdc3cc @target=#<Target:0x2bdc37c @port="", @ip="", @response="", @ request="">, @result=[], @payload=[]> >>

Fuzz constructor code would look like this:

# File webfuzz.rb, line 50 def initialize() @payload = [] @result = [] @target = Target.new() end

You are creating two arrays here: @payload for fuzz payload and @result for storing all fuzz results. You also have defined @target, which has an instance of a Target class.

Once you define an instance of the Fuzz class, you can assign a target to it as follows:

>> fuzz.target=t

Next, you need to set up fuzz load. For example, to fuzz the "id" parameter for SQL injection, you need to send it values such as single quote ('), double quote ("), 1+or+1=1, etc. You can read these from a file and pass them to the @payload variable by using the loadfile method as follows:

# File webfuzz.rb, line 60 def loadfile(file) File.open(file,'r') do |temp| while line = temp.gets @payload.push(line.chomp) end end end

Here, you are opening a file and filling up the @payload array with an iterator. Each line of the file will be taken as fuzz load and assigned to @payload. Say you have a sqlfuzz file. You can load it like this:

>> fuzz.loadfile("sqlfuzz") => nil >> fuzz.payload => ["'", "\"", "1+or+1=1", ""] >>

You have loaded three strings for fuzzing at this point, but you also can load a large file to run against the target.

Now let's look at the run method, which starts fuzzing against the target. The following code containing the run method takes the target and clones the instance using the clone method:

# File webfuzz.rb, line 68 def run @payload.each do |attack| temp = @target.clone temp.request = temp.request.sub("$fuzz$",attack) temp.send @result.push(temp) end end

Next, grab each element of the @payload array and replace it with $fuzz$, which you have passed in your request string. Now you are sending a request on the wire, the response is being stored in the instance's @response variable, and you are pushing "temp" into the result array. This will run in a loop until each element of @payload is sent on the wire with this command:


Once the loop finishes sending all the possible fuzz loads, you can access the results using the following:


Or access the response only with the following method:

>> fuzz.result[0].response => "HTTP/1.1 500 Internal Server Error\r\nServer: Microsoft-IIS/5.0\r\nDate: Thu , 28 Dec 2006 06:21:58 GMT\r\nX-Powered-By: ASP.NET\r\nConnection: Keep-Alive\r\ nContent-Length: 4531\r\nContent-Type: text/html\r\nExpires: Thu, 28 Dec 2006 06 :21:58 GMT\r\nSet-Cookie: ASPSESSIONIDACBRRQTB=HCGJELKBPBGDPJOOGEHOPEOK; path=/\ r\nCache-control: private\r\n\r\n\r\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3. 2 Final//EN\">\r\n\r\n<html dir=ltr>\r\n\r\n<head>\r\n<style>\r\na:link\t\t\t{fo nt:8pt/11pt verdana; color:FF0000}\r\na:visited\t\t{font:8pt/11pt verdana; color…………

The preceding block shows a view of the entire set of requests and responses for the first request. Similarly, you can view all results. With this, you now have the result array with which you can play around and look for certain patterns that disclose possible SQL vulnerabilities.

For example, you can check for a specific regex pattern in all responses fetched from the target. To look for "odbc", for instance, you would use /odbc/i (case insensitive) to check against all responses with the following quick commands on irb:

>> i=0 => 0 >> while (i<fuzz.result.length) >> if(fuzz.result[i].response =~ /odbc/i) >> puts "SQL injection vulnerability at Index[#{i}]" >> end >> i += 1 >> end SQL injection vulnerability at Index[0] SQL injection vulnerability at Index[1] => nil >>

Indexes 0 and 1 have this vulnerability. Now you can investigate these two requests in detail and also remove from the array all instances that are not vulnerable.

Finally, you can use the dump method to write the entire fuzz block into a file. This way, you can leverage Ruby to do interactive fuzzing on irb.

You also can script the webfuzz.rb framework to run as follows:

require 'webfuzz' t = Target.new t.ip = "webshop.example.com" t.port = 80 t.request = "GET /dvds4less/details.asp?id=$fuzz$ HTTP/1.0\r\n\r\n" fuzz = Fuzz.new fuzz.target = t fuzz.loadfile("sqlfuzz") fuzz.run i=0 while (i<fuzz.result.length) if(fuzz.result[i].response =~ /odbc/i) puts "SQL injection vulnerability at Index[#{i}]" puts "Vulnerable request=>" puts fuzz.result[i].request end i += 1 end

Running this script produces the following result on the console:

D:\webfuzz> detail_fuzz.rb Loading the library ... Library loaded SQL injection vulnerability at Index[0] Vulnerable request=> GET /dvds4less/details.asp?id=' HTTP/1.0 SQL injection vulnerability at Index[1] Vulnerable request=> GET /dvds4less/details.asp?id=" HTTP/1.0

This way, you can detect vulnerabilities by fuzzing HTTP requests with different ranges of strings.

Detect Your Application's Insecure Behavior
Web fuzzing is an interesting and effective method for vulnerability detection. It can disclose an application's vulnerable behavior—behavior that developers may not expect or anticipate and that attackers can exploit. You can build large files with all possible fuzzing strings to send to targets and target any application component. This article briefly touched on the SQL injection vulnerability, but you can inject more strings into the file.

Shreeraj Shah, founder and director of Net-Square, is the co-author of Web Hacking: Attacks and Defense published by Addison Wesley. He has presented at conferences including HackInTheBox, RSA, Blackhat, Bellua, CII, and NASSCOM.
Comment and Contribute






(Maximum characters: 1200). You have 1200 characters left.