The HTTP Fuzzer is one of the tools in the Acunetix Manual Tools suite designed to let you manually test for security issues. The Acunetix Manual Tools Suite is a set of tools for black-box testing and application security information gathering. These security vulnerability testing tools are free for commercial use but they are not open-source. Note that the tools are GUI only (no command-line options) and available only for Windows (no Linux version).

The HTTP Fuzzer is a fuzzing framework that allows you to automatically send a large number of HTTP requests to a web application including invalid, unexpected, and random data. The goal is to test input validation and web server rate limiting.

You can start fuzz testing using the HTTP Fuzzer by launching the Acunetix Tools application and selecting HTTP Fuzzer from the Tools Explorer.

HTTP Fuzzer

The HTTP Fuzzer is split into two tabs — Requests and Results. The Requests tab provides a space to construct the HTTP request to be repeated while the Results tab allows you to view HTTP responses for each request that was sent.

Using Generators

To start sending requests, you need to start off with an HTTP request that you already have (you may wish to use the HTTP Sniffer to capture requests, which may then be used by the HTTP Fuzzer). You then need to identify one or more portions of the HTTP request which will be changed every time the HTTP Fuzzer sends a request.

You can specify these portions of the request by using generators. A generator is a rule that generates some random, sequential, or pattern data, which gets inserted into the HTTP request. You may have multiple generators in a single HTTP request.

Generators are listed on the right-hand side. You can create a generator by clicking Add Generator. You may then insert the generator that you created into the request either by dragging and dropping it into the request or by clicking the Insert into Request button.

HTTP fuzzer

The following are the generators that can be used in the fuzzing engine:

  • Number generator – Generate all the numbers from a Start number to a Stop number using a specified Increment and Encoding.
  • Character generator – Generate all the ASCII characters contained between Start character and Stop character using a specified Increment and Encoding.
  • File generator – Feed all strings line-by-line from a specified file using a specified File-type and Encoding.
  • String generator – Generate all strings combinations of a given length with characters from a specified Character-set and Encoding.
  • Random string generator – Generate a specified number of random strings of a given length with characters from a specified Character-set and Encoding.
  • Character repeater generator – Repeat a specified character or string enough times; useful for testing for security problems such as buffer overflows.

To fuzz the request, click on the Start button.

HTTP fuzzer

Upon clicking on the Start button you will be taken to the Results tab, where the fuzzing tools will start fuzzing requests based on the generators configured in the request.

HTTP fuzzer tool

For each request sent by the fuzzer, a response will be displayed in the Results tab. Clicking a request in the top pane of the Results tab will show corresponding information in the bottom pane, including the HTTP request and response and a view of the page as it appears in the browser.

Using Fuzzer Filters

The Acunetix web fuzzer can also be configured to filter HTTP responses that satisfy a specific pattern. This is useful if you wish to narrow down your search to specific responses that match a regular expression.

fuzzer filters

In the HTTP Sniffer toolbar, click on the Fuzzer Filters button to launch the Fuzzer Filters window. This will list a number of pre-configured Fuzzer Filters. You can use these pre-configured rules as templates to create your own rules.

Select a filter rule template, for example, Invalid username/password combination. This will load up a pre-configured filter which you can edit. Alternatively, you can create a new filter by first entering a description for the rule and configuring the rule to do one of the following actions.

  • Include – Configure which HTTP responses should be included.
  • Exclude – Configure which HTTP responses should be excluded.
  • Log – Configure which HTTP responses should be logged in the Activity Window.

You must also set the part of the response to which the rule applies:

  • Response
  • Response headers
  • Response body
  • Response status code

The filter needs a PCRE regular expression on which to match. You can also use data obtained from the regular expression capture groups inside of the log string using the regular expression numbered capturing groups.

Once the new filter is ready, click on the Add button to save the new filter. This will add the filter and automatically enable it. Click the OK button to return to the HTTP Fuzzer dialog.

When an HTTP response matches a filter, the HTTP Fuzzer will include, exclude, or log (depending on the Rule Type) that response.

Exporting to the HTTP Editor

If you want to edit an HTTP request manually, right-click on a request in the Results tab and select Edit with HTTP Editor.

Acunetix is an automated web application security scanner and vulnerability management platform. In addition, Acunetix also provides a suite of manual pentesting tools that allow users to quickly and easily confirm vulnerabilities and take take automated testing further.

Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.