Need to do a GET before POST: fuzzing with BURP and WebScarab

A web application I was testing recently generated a unique hidden token on every render of the login page (visible in the pink section of the WebScarab screenshot below).

I had set up a BURP intruder run to iterate through a list of attack strings when I noticed that a few of the responses contained the message “unable to verify session”.

That is when I checked for a hidden value and, having found one, guessed it was a dynamic key identifying each individual form submission.

The fuzzers in WebScarab and BURP typically work by repeatedly POSTing to a web form, such as the login form above, then capturing and/or analyzing each response. Commercial scanners do the same. In this case, repeatedly POSTing does not work.

Screenshot showing BURP’s intruder configured for a sniper attack (i.e. one attack string sent at this position (red text below) per POST request).

Screenshot showing a few custom attack strings loaded into BURP

Screenshot showing the execution and results of an intruder attack (i.e. looping through the attack string list and submitting each via a POST request)

Screenshot showing WebScarab’s fuzzer setup.

The problem in this scenario is that the hidden token is only good for one POST request. Maybe I missed it, but I didn’t see an easy way to tell WebScarab’s fuzzer or BURP’s intruder to first perform a GET request (so that a valid one-time token value can be captured) and then submit the POST request. A few lines of Ruby along with the Mechanize library made for a simple work-around.

#!/usr/bin/ruby
require 'rubygems'
require 'mechanize'

# Mechanize 1.0 and later use the plain Mechanize class
# (older gems called it WWW::Mechanize)
agent = Mechanize.new
# Send every request through the intercepting proxy (BURP listening on 8008)
agent.set_proxy('localhost', 8008)

File.open("fuzzlist.txt") do |file|
  file.each_line do |fuzz_string|
    fuzz_string = fuzz_string.chomp  # drop the trailing newline from each line
    # GET the login page first so the form carries a fresh one-time token
    agent.get('http://target/signin') do |page|
      form = page.forms.first
      form.field_with(:name => 'data[user][email]').value = fuzz_string
      form.field_with(:name => 'data[user][password]').value = fuzz_string
      begin
        form.click_button  # POST the form, token included
      rescue Mechanize::ResponseCodeError => e
        # an error status is a result worth recording, not a reason to abort the run
        puts "#{fuzz_string.inspect}: HTTP #{e.response_code}"
      end
    end
  end
end

I configured Mechanize to use my preferred proxy (BURP). The script loops through fuzzlist.txt, performs a GET request (which yields a valid token), then submits the form. Problem solved.
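For reference, this is the kind of server-side check that produces the behaviour described above: a token minted on each render of the form, bound to the session, and accepted exactly once, so any replayed POST fails. It is an added example in Ruby, not the tested application's code, and the class and method names are assumed.

```ruby
require 'securerandom'

# Per-render, single-use form tokens: the mechanism that makes a fuzzer's
# repeated POSTs fail with "unable to verify session".
class FormTokenStore
  def initialize(ttl: 600, clock: -> { Time.now })
    @tokens = {}   # token => [session_id, issued_at]
    @ttl = ttl     # seconds a token stays valid if unused
    @clock = clock # injectable so expiry can be tested deterministically
  end

  # Called when the login page is rendered: mint a fresh token bound to the
  # caller's session and embed it in the form as a hidden field.
  def issue(session_id)
    token = SecureRandom.hex(16)
    @tokens[token] = [session_id, @clock.call]
    token
  end

  # Called on POST. The token is deleted on first use, so a reused token,
  # a token from another session, or an expired one is rejected.
  def verify(session_id, token)
    entry = @tokens.delete(token)
    return false if entry.nil?
    bound_session, issued_at = entry
    return false unless bound_session == session_id
    return false if @clock.call - issued_at > @ttl
    true
  end
end

# Constructed demonstration: one GET per POST is accepted, a replay is not.
def demo
  store = FormTokenStore.new
  token = store.issue('sess-A')
  first  = store.verify('sess-A', token)                  # fresh token: accepted
  replay = store.verify('sess-A', token)                  # same token again: rejected
  other  = store.verify('sess-B', store.issue('sess-A'))  # wrong session: rejected
  [first, replay, other]
end

puts "fresh=%s replay=%s wrong_session=%s" % demo if __FILE__ == $0
```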

Posted by tate 19/11/2009 at 16h16