The HTTP Fuzzer is one of the tools among the Acunetix Manual Tools suite (available to download for free). The HTTP Fuzzer is a tool which allows you to automatically send a large number of HTTP requests including invalid, unexpected and random data to a website, to test input validation and rate-limiting.
You can start using the HTTP Fuzzer by launching the Acunetix Tools application, and selecting the HTTP Fuzzer from the Tools Explorer.
The HTTP Fuzzer is split into two tabs — Requests and Results. The Requests tab provides a space to construct the HTTP Request to be repeated while the Results tab allows you to view the HTTP Responses for each request that was sent.
To start sending requests, you need to start off with an HTTP request that you already have (you may wish to use the HTTP Sniffer to capture requests which may then be used by the HTTP Fuzzer). You then need to identify one or more portions of the HTTP request which will be changed every time the HTTP Fuzzer sends a request.
You can specify these portions of the request by using Generators. A Generator is a rule that generates some random, sequential or pattern data which gets inserted into the HTTP request. You may have multiple generators in a single HTTP request.
Generators are listed on the right-hand side pane. You can create a Generator by clicking Add Generator. You may then insert the Generator you created into the request either by dragging and dropping it into the request, or by clicking the Insert into Request button.
The following are the generators that can be used in the HTTP Fuzzer.
- Number generator – Generate all the numbers from a Start number to a Stop number using a specified Increment and Encoding
- Character generator – Generate all the ASCII characters contained between Start character and Stop character using a specified Increment and Encoding
- File generator – Feed all strings line-by-line from a specified file using a specified File-type and Encoding.
- String generator – Generate all strings combinations of a given length with characters from a specified Character-set and Encoding
- Random string generator – Generate a specified number of random strings of a given length with characters from a specified Character-set and Encoding
- Character repeater generator – Repeat a specified character or string for a given number of times; useful for testing for buffer overflows
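As an added illustration of how generators turn one captured request into many (example code written for this page, not part of the Acunetix tool), the block below implements each of the six generator types as a Python iterator and substitutes their values into a request template. The `{{gN}}` placeholder syntax, the encoding names `none`, `url` and `base64`, and the sample login request are assumptions made for the example; a list stands in for the wordlist file.

```python
"""Fuzzer-style generators: each yields the payloads one generator produces,
and build_requests() substitutes every combination into a request template."""
import base64
import itertools
import random
from typing import Iterable, Iterator, List
from urllib.parse import quote


def encode(value: str, encoding: str) -> str:
    """Apply the generator's output encoding ('none', 'url', 'base64' are assumed names)."""
    if encoding == "none":
        return value
    if encoding == "url":
        return quote(value, safe="")
    if encoding == "base64":
        return base64.b64encode(value.encode()).decode()
    raise ValueError(f"unknown encoding {encoding!r}")


def number_generator(start: int, stop: int, increment: int = 1, encoding: str = "none") -> Iterator[str]:
    """Number generator: every value from start to stop (inclusive) in steps of increment."""
    for n in range(start, stop + 1, increment):
        yield encode(str(n), encoding)


def character_generator(start: str, stop: str, increment: int = 1, encoding: str = "none") -> Iterator[str]:
    """Character generator: ASCII characters between start and stop (inclusive)."""
    for code in range(ord(start), ord(stop) + 1, increment):
        yield encode(chr(code), encoding)


def file_generator(lines: Iterable[str], encoding: str = "none") -> Iterator[str]:
    """File generator: one payload per non-empty line (an iterable stands in for the file)."""
    for line in lines:
        line = line.rstrip("\r\n")
        if line:
            yield encode(line, encoding)


def string_generator(charset: str, length: int, encoding: str = "none") -> Iterator[str]:
    """String generator: every combination of `length` characters drawn from charset."""
    for combo in itertools.product(charset, repeat=length):
        yield encode("".join(combo), encoding)


def random_string_generator(charset: str, length: int, count: int,
                            seed: int = 0, encoding: str = "none") -> Iterator[str]:
    """Random string generator: `count` random strings, seeded so a run can be reproduced."""
    rng = random.Random(seed)
    for _ in range(count):
        yield encode("".join(rng.choice(charset) for _ in range(length)), encoding)


def character_repeater(token: str, times: int, encoding: str = "none") -> Iterator[str]:
    """Character repeater: one payload of `token` repeated `times` times (length-handling checks)."""
    yield encode(token * times, encoding)


def build_requests(template: str, generators: List[Iterator[str]]) -> List[str]:
    """Cartesian product of all generators; value i replaces the {{gi}} slot in the template."""
    requests = []
    for values in itertools.product(*[list(g) for g in generators]):
        req = template
        for i, value in enumerate(values):
            req = req.replace("{{g%d}}" % i, value)
        requests.append(req)
    return requests


# Constructed sample request with two generator slots; host and path are not real.
TEMPLATE = (
    "GET /login?user={{g0}}&pin={{g1}} HTTP/1.1\r\n"
    "Host: target.example\r\n\r\n"
)


def demo() -> List[str]:
    """Three usernames (from a 'file') times three PINs gives nine requests."""
    users = file_generator(["admin", "guest", "", "tester\n"])
    pins = number_generator(0, 2)
    return build_requests(TEMPLATE, [users, pins])


if __name__ == "__main__":
    for request in demo():
        print(request.splitlines()[0])
```

Each generator is lazy, but `build_requests` materialises them to take the product, so the request count is the product of the generator sizes; that is the quantity to keep an eye on before pressing Start, since a string generator over a large charset grows exponentially with length.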
To fuzz the request, click on the Start button.
Upon clicking the Start button you will be taken to the Results tab, where the HTTP Fuzzer will start fuzzing requests based on the Generators configured in the request.
A response for each request sent by the fuzzer will be displayed in the Results tab. Clicking a request in the top pane of the Results tab will show the corresponding information in the bottom pane, including the HTTP request that was sent to the server, the response it returned, and a view of the page as it appears in a browser.
Using Fuzzer Filters
The Acunetix HTTP Fuzzer can also be configured to filter HTTP responses that satisfy a specific pattern. This is useful if you wish to narrow down your search to specific responses that match a regular expression.
In the HTTP Sniffer toolbar, click on the Fuzzer Filters button to launch the Fuzzer Filters window. This will list a number of pre-configured Fuzzer Filters. You can use these pre-configured rules as templates to create your own rules.
Select a filter rule template, for example, Invalid username/password combination. This will load up a pre-configured filter which you can edit. Alternatively you can create a new filter by first entering a description for the rule and configuring the rule to do one of the following actions.
- Include – Configure which HTTP responses should be included
- Exclude – Configure which HTTP responses should be excluded
- Log – Configure which HTTP responses should be logged in the Activity Window.
You must also set to which part of the response the rule applies from the following.
- Response headers
- Response body
- Response status code
The filter needs a PCRE regular expression on which to match. Text captured by the regular expression’s numbered capturing groups can also be referenced inside the log string.
Once the new filter is ready, click on the Add… button to save the new filter. This will add the filter and automatically enable it.
Click the OK button to return to the HTTP Fuzzer dialog.
When an HTTP response matches a filter the HTTP Fuzzer will include, exclude or log (depending on what you set the Rule Type to) that response.
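To make the filter semantics concrete, here is an added example (written for this page, not Acunetix code) that applies include, exclude and log rules to a handful of constructed responses. It uses Python's `re` module rather than PCRE, which matches for the simple patterns shown; the `$1` syntax for capture groups in the log string, the rule precedence (a response must match some Include rule if any exist, and any Exclude match drops it), and the sample responses are all assumptions of the example.

```python
"""Response filtering in the style of fuzzer filters: each rule has an action,
the part of the response it inspects, a regular expression and a log format."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str

    def part(self, which: str) -> str:
        """Return the text a rule matches against: 'headers', 'body' or 'status'."""
        if which == "status":
            return str(self.status)
        if which == "headers":
            return "\r\n".join(f"{k}: {v}" for k, v in self.headers.items())
        if which == "body":
            return self.body
        raise ValueError(f"unknown response part {which!r}")


@dataclass
class FilterRule:
    description: str
    action: str          # "include", "exclude" or "log"
    applies_to: str      # "headers", "body" or "status"
    pattern: str         # regular expression (re module here, PCRE in the tool)
    log_format: str = "" # for log rules; $1, $2, ... refer to capture groups (assumed syntax)

    def match(self, resp: Response) -> Optional[re.Match]:
        return re.search(self.pattern, resp.part(self.applies_to))


def render_log(fmt: str, m: re.Match) -> str:
    """Substitute $N in the log format with capture group N of the match."""
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", fmt)


def apply_filters(responses: List[Response], rules: List[FilterRule]) -> Tuple[List[Response], List[str]]:
    """Return the responses that survive the filters and the rendered log lines."""
    include_rules = [r for r in rules if r.action == "include"]
    exclude_rules = [r for r in rules if r.action == "exclude"]
    log_rules = [r for r in rules if r.action == "log"]
    kept: List[Response] = []
    log: List[str] = []
    for resp in responses:
        keep = True
        if include_rules:  # with include rules present, only matching responses stay
            keep = any(r.match(resp) for r in include_rules)
        if any(r.match(resp) for r in exclude_rules):  # an exclude match always wins
            keep = False
        for r in log_rules:
            m = r.match(resp)
            if m:
                log.append(render_log(r.log_format, m))
        if keep:
            kept.append(resp)
    return kept, log


# Constructed sample responses, as a fuzzer might collect from a login form.
RESPONSES = [
    Response(200, {"Content-Type": "text/html"}, "<p>Invalid username/password combination</p>"),
    Response(302, {"Location": "/dashboard", "Content-Type": "text/html"}, ""),
    Response(500, {"Content-Type": "text/html"}, "<p>Internal error</p>"),
]

RULES = [
    FilterRule("Invalid username/password combination", "exclude", "body",
               r"Invalid username/password combination"),
    FilterRule("Redirect target", "log", "headers", r"Location: (\S+)", "redirect to $1"),
    FilterRule("Server error", "log", "status", r"^(5\d\d)$", "server error $1"),
]


def demo() -> Tuple[List[int], List[str]]:
    """Status codes of the surviving responses plus the log lines the rules produced."""
    kept, log = apply_filters(RESPONSES, RULES)
    return [r.status for r in kept], log


if __name__ == "__main__":
    statuses, log_lines = demo()
    print("kept:", statuses)
    for line in log_lines:
        print("log:", line)
```

The failed-login response is excluded by the body rule, the redirect survives and leaves a log line built from the captured `Location` value, and the 500 survives with its status code captured into the log; the point of the exclude rule is exactly this, to drop the noise of hundreds of identical failure pages so the unusual responses stand out.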
Exporting to the HTTP Editor
If you want to edit an HTTP request manually, right-click on a request in the Results tab and select Edit with HTTP Editor.
Acunetix is an automated web application security scanner and vulnerability management platform. In addition, Acunetix also provides a suite of manual pentesting tools that allow users to quickly and easily confirm vulnerabilities and take automated testing further.