Fuzzing with Webscarab

Let’s say that you have been asked by Abcxyz Inc to test their HR web portal. You decide to use fuzzing to check for easily guessable user IDs and passwords. You have collected a list of possible user names and you have also shortlisted a password dictionary.

Today we will see how to use Webscarab to carry out this fuzzing.

Start Webscarab (see Webscarab – A beginner’s guide). Set it as the browser’s proxy and visit the HR portal’s login page. Try to log in with any credentials. In the Summary tab, choose the conversation in which the user ID and password were sent to the web application. Right-click on that conversation and click on ‘Use as fuzz template’.

Now, go to the Fuzzer tab of Webscarab which looks like this:

The fuzz template

Now, click on the ‘Sources’ button to select the lists for user ID and password. Give each list a name to be associated with it and click on ‘Browse’ to select the file.

Add source file for passwords

Add source file for username

Back in the main Webscarab window, click in the Fuzz Source column against the username parameter. A drop-down of the available fuzz sources is displayed; pick the appropriate list. Do the same for the password parameter.

Set the fuzz sources

Since we are planning to fuzz two fields, we also need to set the ‘Priority’ of each. The field with the lower priority number is fuzzed first, so we could choose priority 0 for passwords and priority 1 for usernames. This is a very important step: it determines the order in which the combinations are tried. The total number of requests that will be sent to the application (every username combined with every password) is shown on the left, above the bottom frame.

Now, click on the ‘Start’ button. You will see the fuzzed requests being sent and the count of requests sent being updated. Click on the first fuzzed conversation in the bottom frame of the fuzzer.

The first fuzzed request

You can see the credentials that were passed to the web application, and the response is shown at the bottom. For this conversation the response says that the credentials are not correct.

Click on ‘Next’ to move to the next conversation. As you keep going through the conversations, you notice that one of them has a different response from the server: the application has logged you in.

Correct credentials - Logged in

We have seen how to use the fuzzer in Webscarab. You could use the same process to check for SQL injection vulnerabilities and XSS vulnerabilities.
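The same run is easy to recognise from the portal’s side of the wire, which is what the people defending Abcxyz Inc would want to know. The following is an added example, not code from the original post or from Webscarab: a small Python detector run over a constructed access-log extract. It assumes a simplified log format (`ip timestamp method path status bytes`), that the portal answers a failed login with HTTP 200 and the same small error page, and that a successful login produces a 302 redirect. Those are assumptions for the example, not facts about any real portal, and the path `/hr/login` and the IP addresses are made up.

```python
"""Spot a login-fuzzing run (many failures, then a success) in web server logs.

Added example for the Webscarab fuzzing post; not part of the original post.
Log format is a constructed, simplified access log:
    <ip> <ISO timestamp> <method> <path> <status> <bytes>
Assumptions (hypothetical portal behaviour): a failed login returns HTTP 200
with a small error page, a successful login returns a 302 redirect.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/hr/login"   # assumed login endpoint of the hypothetical portal

# Constructed sample: 203.0.113.7 posts to the login form eight times in four
# seconds, seven failures (200, identical body size) and then a success (302),
# which is exactly the pattern a username/password fuzz run leaves behind.
# 198.51.100.20 is a normal user logging in once; 192.0.2.9 mistypes twice.
SAMPLE_LOG = """\
203.0.113.7 2024-05-01T09:15:01 POST /hr/login 200 1320
203.0.113.7 2024-05-01T09:15:01 POST /hr/login 200 1320
203.0.113.7 2024-05-01T09:15:02 POST /hr/login 200 1320
203.0.113.7 2024-05-01T09:15:02 POST /hr/login 200 1320
203.0.113.7 2024-05-01T09:15:03 POST /hr/login 200 1320
203.0.113.7 2024-05-01T09:15:03 POST /hr/login 200 1320
203.0.113.7 2024-05-01T09:15:04 POST /hr/login 200 1320
203.0.113.7 2024-05-01T09:15:04 POST /hr/login 302 0
198.51.100.20 2024-05-01T09:15:05 POST /hr/login 302 0
192.0.2.9 2024-05-01T09:16:10 POST /hr/login 200 1320
192.0.2.9 2024-05-01T09:16:40 POST /hr/login 200 1320
192.0.2.9 2024-05-01T09:17:05 GET /hr/login 200 4012
"""


def parse_line(line):
    """Split one log line into a dict; timestamps become datetime objects."""
    ip, ts, method, path, status, size = line.split()
    return {"ip": ip, "ts": datetime.fromisoformat(ts), "method": method,
            "path": path, "status": int(status), "size": int(size)}


def is_login_attempt(e):
    return e["method"] == "POST" and e["path"] == LOGIN_PATH


def is_failed_login(e):
    # Assumption: the portal re-renders the form with a 200 on bad credentials.
    return is_login_attempt(e) and e["status"] == 200


def is_successful_login(e):
    # Assumption: the portal redirects (302) to the dashboard on success.
    return is_login_attempt(e) and e["status"] == 302


def detect_fuzzing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per source IP whose login traffic looks like a fuzz run.

    A 'burst' alert means at least `threshold` failed logins inside one sliding
    `window`; a 'success-after-burst' alert means a successful login arrived
    while such a burst was still inside the window, i.e. a credential was
    very likely guessed and the account should be reviewed, not just throttled.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    per_ip = defaultdict(list)
    for e in events:
        if is_login_attempt(e):
            per_ip[e["ip"]].append(e)

    alerts = {}
    for ip, attempts in per_ip.items():
        recent_failures = []   # failed attempts still inside the sliding window
        peak = 0               # largest number of failures seen in any window
        for e in attempts:
            recent_failures = [f for f in recent_failures
                               if e["ts"] - f["ts"] <= window]
            if is_failed_login(e):
                recent_failures.append(e)
                peak = max(peak, len(recent_failures))
            elif is_successful_login(e) and len(recent_failures) >= threshold:
                alerts[ip] = {"kind": "success-after-burst",
                              "failures": len(recent_failures),
                              "success_at": e["ts"].isoformat()}
                break
        if ip not in alerts and peak >= threshold:
            alerts[ip] = {"kind": "burst", "failures": peak}
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_fuzzing(SAMPLE_LOG).items():
        print(ip, alert)
```

The threshold and window are the knobs to tune against the portal’s real traffic; two mistyped passwords from 192.0.2.9 stay below the default threshold, while the fuzz run from 203.0.113.7 is flagged as a success following a burst. The identical response size on every failure is the server-side twin of the clue used in the walkthrough above (the one conversation whose response differs), so logging response sizes alongside status codes is worth the effort.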

Searching through the generated responses by hand is also fairly time-consuming. The Search plugin in Webscarab can be used to make this simpler; that would probably be another blog post sometime in the future.
