Tuesday, September 1, 2015

Website Fuzzing 101

You have a web application. You want to see if there are any buffer overflows, DoS, or other oddities or you're just interested in determining how good your developers are validating input. One possible way is SPIKE run out of a linux environment.

A spike script tells SPIKE what requests to send. In the example below I'm crafting an http request to send to a test web server, except that the query value will be fuzzed with a bunch of random data.
s_string("GET /?q=");
s-string(" HTTP/1.1\r\n");

Kick off SPIKE...
./generic_send_tcp TESTSERVER 80 ~/scriptfile.spk 0 0

And watch the requests fly out! Then take a look at your application logs and anytime the website crashed or generated scarey buffer overflow, null reference, database, or other errors. ... make sure to review that part of the code and patch your code so that it handles the fuzz data in a more proper manner. Your website should be able to gracefully handle any data thrown at it.
Might be good to tail the apache access logs...
tail -f /var/log/apache2/access.log

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment