
HTTP Fuzzer Tool

Submitted on August 9, 2010 – 7:37 pm

With the HTTP Fuzzer tool in Acunetix WVS you can automatically send a large volume of HTTP requests containing invalid, unexpected and random data to a website, to test its input validation. At the same time you are testing how the web application handles unexpected data.

Creating a rule to automatically test a series of inputs

As an example, a rule will be created to test the products section of the Acunetix test website using a range of values to find out which products are listed in the database. The scanner will be set to automatically replace the variable part of a URL with a series of values. In the URL below, the last part, ?cat=1, is the variable part.

http://testphp.vulnweb.com/listproducts.php?cat=1

Note: The example in this manual is only meant to show the capabilities of the HTTP Fuzzer.  With this tool much more advanced tests can be done.

Gathering an HTTP Request

If a valid HTTP request is known, paste it into the ‘Request’ tab in the HTTP Fuzzer. Otherwise, load a saved scan or crawl, right-click one of the files in the results tree and select ‘Export to HTTP Fuzzer’.

Creating data generators

First you must determine which part of the request will be used for fuzzing. This value will be replaced by a data generator. Below is a step-by-step procedure for creating a data generator:

1. Click on the ‘Add Generator’ button on the right part of the HTTP Fuzzer window.

2. Select the appropriate generator type from the drop-down list, which can be any of the following:

  • Number generator – This will generate every number from a start number to a stop number, using the specified increment.
  • Character generator – This will generate all the ASCII characters between a start character and a stop character, using the specified increment.
  • File generator – This will feed in all the strings from a specified text file. In the file, each string should be entered on a new line.
  • String generator – This will generate all string combinations of the characters specified in the ‘Character set’ option at the length specified in the ‘String Length’ option.
  • Random string generator – This will generate a specified number of random strings made of the characters specified in the ‘Character set’ option, at the length configured in the ‘String length’ option.
  • Character repeater – This will repeat a specified character or string a given number of times (commonly used for buffer overflow testing).

3. Once a generator is selected, set its parameters according to the test in the window underneath the generator list.

4. After configuring the generator(s), place the text cursor in the specific part of the HTTP Request where the generator will replace the static value. Highlight the static value (e.g. /artists.php?artist=1), and click on ‘Insert into Request’.  The static value will be replaced with the generator variable, e.g. /artists.php?artist=${artists_id}.

Creating Fuzzer Filters


To create a Fuzzer filter, click on the ‘Fuzzer Filters’ button in the toolbar to open the filters dialog. To use a predefined filter template, select the rule template from the dropdown list; otherwise custom filters can be created by defining the following parameters:

  • Rule description – A name describing the rule.
  • Rule Type – Select whether the rule Includes or Excludes the results it matches, or whether matching results should be logged in the ‘Activity Window’.
  • Apply To – Indicate where to search for the matching expression: the HTTP response headers, the body or the status code.
  • Regular expression – The regular expression or text that is searched for to match the rule.

Note: Ensure that the relevant checkboxes are ticked to enable the created filters.
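The generator and filter steps above, as an added example that is not Acunetix code: a small Python model of the fuzzer's generator types, the ${variable} substitution into the request, and Include/Exclude/Log filter rules, run against a constructed in-memory stand-in for the test site (the server behaviour, the cat_id variable name and all responses are assumptions made for the example).

```python
import re
import itertools

# Added example, not Acunetix code: a small model of the HTTP Fuzzer's
# generators and filters run against a constructed in-memory stand-in server.
def number_generator(start, stop, increment=1):
    """Number generator: every value from start to stop using the increment."""
    return [str(n) for n in range(start, stop + 1, increment)]

def string_generator(charset, length):
    """String generator: all combinations of the character set at one length."""
    return ["".join(p) for p in itertools.product(charset, repeat=length)]

def character_repeater(text, times):
    """Character repeater: a single value of `text` repeated `times` times."""
    return [text * times]

def insert_into_request(template, variable, values):
    """Replace the ${variable} placeholder with each generated value."""
    return [template.replace("${" + variable + "}", v) for v in values]

def fake_server(request):
    """Constructed stand-in for the test site: only cat ids 1-3 list products,
    and an over-long cat value makes the application fail with a 500."""
    cat = re.search(r"cat=(\S*)", request).group(1)
    if len(cat) > 16:
        return {"status": 500, "headers": "Content-Type: text/html", "body": "Internal error"}
    if cat.isdigit() and 1 <= int(cat) <= 3:
        return {"status": 200, "headers": "Content-Type: text/html", "body": "<h2>Products in category %s</h2>" % cat}
    return {"status": 200, "headers": "Content-Type: text/html", "body": "No products found"}

def apply_filters(results, rules):
    """rules: (rule_type, apply_to, regex) with apply_to in status/headers/body.
    Include keeps only matching responses, Exclude drops them, Log records them."""
    kept, log = [], []
    for request, response in results:
        keep = True
        for rule_type, apply_to, pattern in rules:
            hit = re.search(pattern, str(response[apply_to])) is not None
            if (rule_type == "Include" and not hit) or (rule_type == "Exclude" and hit):
                keep = False
            if rule_type == "Log" and hit:
                log.append(request)
        if keep:
            kept.append(request)
    return kept, log

def fuzz(template, variable, values, rules):
    """Expand the template, send each request to the stand-in, then filter."""
    results = [(r, fake_server(r)) for r in insert_into_request(template, variable, values)]
    return apply_filters(results, rules)

TEMPLATE = "GET /listproducts.php?cat=${cat_id} HTTP/1.1\r\nHost: testphp.vulnweb.com\r\n\r\n"
```

Running fuzz(TEMPLATE, "cat_id", number_generator(1, 5), [("Include", "body", "Products in category")]) keeps only the three requests whose category exists, while a Log rule on status "^500$" with character_repeater("A", 100) records the request that the stand-in application could not handle.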
