Fuzzer Panel
The fuzzer creates many requests from a single templated request. The template is altered for each fuzz case, and this can be used, for example, for:
- Directory Brute Forcing
- Username Enumeration
- Password Brute Forcing
- Parameter Fuzzing
- Parameter Brute Forcing
- SQL Injection exploit crafting
- Blind SQL/LDAP/XPATH data extraction
- Boundary Condition Checking
Username Enumeration Fuzz Example
The classic examples are username enumeration and password brute forcing: a template of a login request is captured and then replayed with the username altered on each request. The results are filtered for the usernames that are valid, and a second fuzz is then run using the discovered usernames and a list of common passwords. Those results are filtered again to find which requests authenticated successfully. The CAT fuzzer is flexible in the types of fuzzing it can perform; this document walks through the example above.
1. Using either a web browser plus the proxy, the integrated web browser or the repeater, find a request whose response differs between valid and invalid users. Copy this request into the fuzzer using the same copy and paste technique mentioned previously.
2. Highlight the characters that are to be replaced.

3. Select 'Add Fuzz Point' or press F4. The highlighted word is marked as a fuzz point and a new tab is added holding the settings for that point.

4. On the new tab 'Options 1 test', select 'Word List' as the fuzz type and then select the predefined list 'Lots of Usernames'. (The predefined lists are by default in C:\Program Files\Context Information Security Ltd\CAT\WordLists and can be edited manually.)

5. On the Results tab, right-click to open the pop-up menu and choose Add Column->Contains String. In the pop-up box, enter the string that identifies a valid username in the response text. This adds a sortable column to the results showing which responses contained that string. Columns can be added before, during or after a fuzz test.

6. Press Start on the fuzzer and the brute force will begin.
7. The Stats page shows various information, including the number of unique response sizes and hash codes seen so far and the ETA of the fuzz test. A small number of distinct sizes or hashes is the quickest sign that the responses fall into 'valid' and 'invalid' groups.

8. Clicking a column header in the Log tab sorts the list by that column. Sorting by the 'Contains String' column groups the results with valid usernames together at the top.

9. To brute force the passwords, add a fuzz point (as in step 3) for both the username and the password in the login request. Check the application's account lockout policy first, since repeated failures can lock the very accounts just enumerated.

10. Populate the first fuzz point's tab with the valid usernames that were discovered, and on the second select the predefined word list 'common passwords'.
11. Add a column to the results that detects either a successful or an unsuccessful login, and sort the list by that column.
12. Start the fuzzer; successful authentications will be at the top of the list.
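The two-stage workflow above can be modelled in code to show what the 'Contains String' column and the Stats page counts actually compute. The example below is added here and is not CAT's code; the login endpoint is a constructed stand-in (`mock_login`) that leaks valid usernames through a different error message, and the marker strings and account data are this example's own.

```python
import hashlib
import itertools
from collections import Counter

# Constructed stand-in for the target's login page (not a real application).
# It leaks valid usernames through a differing error message, which is the
# kind of response difference step 1 of the walkthrough looks for.
_ACCOUNTS = {"alice": "Winter2012", "bob": "letmein"}


def mock_login(username, password):
    """Return (status, body) the way a leaky login page would."""
    if username not in _ACCOUNTS:
        return 200, "<p>Login failed: unknown user</p>"
    if _ACCOUNTS[username] != password:
        return 200, "<p>Login failed: incorrect password</p>"
    return 302, "<p>Welcome back, %s</p>" % username


def response_fingerprint(body):
    """Length and hash of the body: the two values the Stats page counts."""
    return len(body), hashlib.md5(body.encode()).hexdigest()[:8]


def fuzz(request_fn, cases, marker):
    """Send one request per case, recording the 'Contains String' column and fingerprint."""
    rows = []
    for case in cases:
        status, body = request_fn(*case)
        size, digest = response_fingerprint(body)
        rows.append({"case": case, "status": status, "size": size,
                     "hash": digest, "contains": marker in body})
    return rows


def stats(rows):
    """Unique response sizes/hashes; a handful of clusters means the field leaks information."""
    return {"unique_sizes": len({r["size"] for r in rows}),
            "unique_hashes": len({r["hash"] for r in rows}),
            "hash_counts": Counter(r["hash"] for r in rows)}


def enumerate_users(candidates, marker="incorrect password"):
    """Stage 1: fix a dummy password, fuzz the username, keep rows containing the marker."""
    rows = fuzz(lambda u: mock_login(u, "x"), [(u,) for u in candidates], marker)
    rows.sort(key=lambda r: not r["contains"])      # step 8: valid users first
    return [r["case"][0] for r in rows if r["contains"]]


def brute_force(valid_users, passwords, marker="Welcome"):
    """Stage 2: 'brute force' pattern over valid users x common passwords (steps 9-12)."""
    cases = list(itertools.product(valid_users, passwords))
    rows = fuzz(mock_login, cases, marker)
    rows.sort(key=lambda r: not r["contains"])      # successful logins first
    return [r["case"] for r in rows if r["contains"]]


if __name__ == "__main__":
    users = enumerate_users(["alice", "carol", "bob", "dave"])
    print("valid users:", users)
    print("credentials:", brute_force(users, ["password", "letmein", "Winter2012"]))
```

Sorting on a boolean column rather than eyeballing every response is the point: with thousands of cases the valid usernames are the few rows at the top, and the `stats` clusters tell you before the run finishes whether the page differentiates users at all.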

Fuzz Patterns

The fuzz pattern defines how the fuzz points and fuzz lists are combined into the actual test cases. With a single fuzz point all patterns produce the same requests; the patterns differ in how many lists are used and how many test cases result.
- 'Brute Force' tries every item on the first list with every item on the second list, and so on. This is the classic username and password brute force. Total cases = L0 x L1 x L2 (where L0 is the length of the first list, etc.)
- 'Single List' applies one global list to each fuzz point in turn. This is normally used to fuzz each parameter one by one with a predefined list of fuzz characters. Total cases = L0 x number of fuzz points.
- 'Separate Lists' has a tab for each fuzz point. Each fuzz case takes the next item from every list, so the lists are walked in step and the shortest list sets the limit. Total cases = Min(L0, L1, L2).
Fuzz Types

- Word List: a list of words entered manually, loaded from a file or predefined. The capitalisation can be altered.
- Brute Forcer: a range of characters; every combination of those characters will be tested.
- Numeric: a range of numbers, in hex or decimal.
- SQL Injection: two tools for brute forcing the number of columns and the column types for a UNION SELECT.
- Character Blocks: strings of increasing length built from a base character or characters, e.g. 10 x 'A'.
- Basic Authentication Brute Forcer: brute forces credentials against a site protected by HTTP Basic Authentication.
- Request Token: for fuzzing forms that require a value obtained from a separate request, mainly CSRF tokens.
- Scripting: allows C# code to generate the fuzz cases. See below for more details.
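The three patterns and the simpler fuzz types are easiest to compare when written out as code. The following Python model is added here as an example and is not CAT's code: the `<fuzz0>`/`<fuzz1>` markers are this example's own notation for a fuzz point, and the Single List pattern assumes (as the description above implies but does not state) that while one fuzz point is being fuzzed the others keep the values they had in the captured request.

```python
import itertools

# A captured login request with two fuzz points. The <fuzzN> markers are this
# example's notation for the highlighted spans, not CAT's own syntax.
TEMPLATE = "POST /login HTTP/1.1\r\nHost: target\r\n\r\nuser=<fuzz0>&pass=<fuzz1>"
ORIGINAL = ["admin", "secret"]   # values the two fuzz points held when captured


def render(template, values):
    """Substitute one value per fuzz point to produce a concrete request."""
    out = template
    for idx, value in enumerate(values):
        out = out.replace("<fuzz%d>" % idx, value)
    return out


# --- fuzz types: each produces a list of strings -----------------------------

def word_list(words, capitalisation="as-is"):
    """Word List type; capitalisation may be as-is, lower, upper or title."""
    f = {"as-is": str, "lower": str.lower, "upper": str.upper, "title": str.title}
    return [f[capitalisation](w) for w in words]


def brute_forcer(alphabet, min_len, max_len):
    """Brute Forcer type: every string over `alphabet` of the given lengths."""
    return ["".join(t) for n in range(min_len, max_len + 1)
            for t in itertools.product(alphabet, repeat=n)]


def numeric(start, stop, hexadecimal=False):
    """Numeric type: inclusive range, decimal or hex."""
    return [("%x" % n if hexadecimal else str(n)) for n in range(start, stop + 1)]


def character_blocks(base, lengths):
    """Character Blocks type: base character(s) repeated to each length, e.g. 10xA."""
    return [base * n for n in lengths]


# --- fuzz patterns: how lists are combined into cases ------------------------

def pattern_brute_force(lists):
    """Every item of list 0 with every item of list 1, ...  Total = L0 x L1 x ..."""
    return [list(t) for t in itertools.product(*lists)]


def pattern_single_list(global_list, n_points, original):
    """One global list applied to each fuzz point in turn.  Total = L0 x n_points.
    Assumption: points not currently being fuzzed keep their original value."""
    cases = []
    for point in range(n_points):
        for item in global_list:
            values = list(original)
            values[point] = item
            cases.append(values)
    return cases


def pattern_separate_lists(lists):
    """Walk all lists in step; stops at the shortest.  Total = min(L0, L1, ...)"""
    return [list(t) for t in zip(*lists)]


def build_requests(template, cases):
    return [render(template, c) for c in cases]


if __name__ == "__main__":
    users = word_list(["Admin", "Root"], "lower")
    pins = numeric(0, 3)
    print(len(pattern_brute_force([users, pins])), "brute force cases")
    print(len(pattern_single_list(character_blocks("A", [1, 10, 100]), 2, ORIGINAL)), "single list cases")
    print(len(pattern_separate_lists([users, pins])), "separate list cases")
    print(build_requests(TEMPLATE, pattern_separate_lists([users, pins]))[0])
```

The case counts are what matter when planning a run: a Brute Force over two lists of 1,000 items is a million requests, while Single List with the same 1,000-item list over five parameters is 5,000, which is why parameter fuzzing uses the latter.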
CSRF Token Fuzzing
Applications sometimes include a token in a form to detect whether the form is being submitted by a Cross Site Request Forgery (CSRF) attack or has been resubmitted by the user. Other applications include a value that changes between submissions for different reasons. In either case, fuzzing the form in the standard fashion is prevented, because a captured value is rejected once it has been used. The Request Token fuzz type allows a request to be made to the application (e.g. to fetch the form page) and a regular expression to be applied to the response to extract the value needed for the actual form submission.
The following example shows this in action. Suppose the form is submitted with the following parameters:

The parameter 'txtToken' is a token that the server checks on each submission, so a request for the form is needed to obtain a fresh value before each fuzz case.
- Select the form submission request and paste it into the fuzzer.
- Select the token value and add a fuzz point.
- Select the 'Request Token' fuzz type.
- Paste in the GET request for the form.
- Enter the regular expression that extracts the token value. In this case:
  id="txtToken" value="(.*?)"
- Test the request by pressing the 'Test' button. Check that the value changes on each test.
- Add a second fuzz point for the value that actually requires fuzzing within the request.
- Set up the fuzz case for this value.
- Start the fuzzer. The token value is shown in a new column.

Scripting Fuzz Case Example
Where a fuzz case is more complex than the predefined setups allow, the user can write custom code to generate each case. This code has full access to C# and can talk to other systems, use encryption and implement complex algorithms. Examples include hardware two-factor authentication tokens, encrypted fuzz values and data required by a web service. The first basic example fuzzes increasing powers of two, i.e. 2, 4, 8, 16.
The scripting fuzz case is added using a standard fuzz point and then selecting the fuzz type 'Scripted'. This shows the following screen:

The first code box holds the body of a method that returns the number of fuzz cases to generate. The lower box holds the body of the method that generates each fuzz case; it takes a parameter 'i' indicating the index of the case being requested. For the power-of-two example the following code would be required:

Pressing 'Validate' compiles the code and tests a number of cases. When the fuzz is run these values are used.
For more advanced cases, the 'Advanced Code' tab shows the full class that is required. For example, to brute force a username that the page's JavaScript XORs with 0xab before submission, the following could be used:
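CAT's scripted fuzz type is written in C#, and the screenshots with the two examples are not reproduced here. The Python model below is added as an example, not the tool's code, to show the contract the two code boxes implement (a method returning the case count, a method returning case `i`) and what a 'Validate' step checks before a run. The hex encoding of the XORed bytes is this example's assumption about what the client-side JavaScript submits; the page does not show that script.

```python
class ScriptedFuzz:
    """Model of the two-method contract: count() and case(i)."""

    def __init__(self, count_fn, case_fn):
        self.count_fn = count_fn
        self.case_fn = case_fn

    def count(self):
        return self.count_fn()

    def case(self, i):
        return self.case_fn(i)

    def validate(self, sample=5):
        """What the 'Validate' button does: compile, then try the first few cases."""
        n = self.count()
        if not isinstance(n, int) or n <= 0:
            raise ValueError("count() must return a positive integer, got %r" % (n,))
        for i in range(min(n, sample)):
            v = self.case(i)
            if not isinstance(v, str):
                raise TypeError("case(%d) returned %r, expected a string" % (i, v))
        return n

    def cases(self):
        return [self.case(i) for i in range(self.count())]


# Example 1 (the page's first example): 2, 4, 8, 16.
powers_of_two = ScriptedFuzz(lambda: 4, lambda i: str(2 ** (i + 1)))

# Example 2: usernames transformed the way the page's JavaScript does (XOR with 0xab)
# so the server receives what the browser would have sent. The candidate list and the
# hex encoding of the result are this example's assumptions.
USERNAMES = ["admin", "root", "test"]


def xor_encode(word, key=0xAB):
    """XOR every byte of `word` with `key` and hex-encode the result."""
    return bytes(b ^ key for b in word.encode()).hex()


def xor_decode(hexstr, key=0xAB):
    """Inverse of xor_encode; useful for checking what a captured value decodes to."""
    return bytes(b ^ key for b in bytes.fromhex(hexstr)).decode()


xored_usernames = ScriptedFuzz(lambda: len(USERNAMES),
                               lambda i: xor_encode(USERNAMES[i]))


if __name__ == "__main__":
    for gen in (powers_of_two, xored_usernames):
        print(gen.validate(), "cases:", gen.cases())
```

Keeping the transformation in the generator rather than in the word list means the results log still shows the plaintext username the case was built from, while the request carries the encoded form the server expects.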
