Here is my (very) short newbs guide to finding 0day exploits in web applications. I will explain in great detail my method of discovering vulnerabilities in new CMSs, forums, etc.
First off, this guide assumes you have a LAMP box on your local network for testing. If you are running Windows, I would suggest using a WAMP stack such as XAMPP or SpikeWAMP.
Now you need to find some new apps to scan. Go to sourceforge.net and search for some:
- Go to Advanced search.
- Under Project Categories, expand Internet, WWW/HTTP, then check Dynamic Content.
- Set Start Date and End Date to today or the previous day (sometimes I even find stuff for tomorrow!).
- Set Exclude Projects without files.
- Hit search.
- Typically, I sort by downloads. Now grab a bunch of new apps.
- Make sure you are getting LAMP/WAMP apps and not WAR/JAR files. I will cover Tomcat scanning another day.
- Install them to your LAMP (or WAMP) box and make sure you have the MySQL database users, configs, file/folder permissions, etc. all correctly configured.
- *Optional* You may want to browse around through your new sites to find some unique identifiers to use as dorks for Google.
Once you have several sites running, it's time to start scanning. If you are a Windows user, I can't really give you a recommendation for which tools to use. I have never been satisfied with the results of the mainstream commercial vulnerability scanners such as Acunetix, or pretty much anything on http://sectools.org/web-scanners.html… although nikto does serve its purpose.
Here are two scanning tools that I will cover. PSA3 has a GUI and both produce HTML results for easy double checking.
http://packetstormsecurity.org/filedesc/PSA3.zip.html
http://developer.spikesource.com/projects/phpsecaudit/
There are about a million tools out there; I use these two with good results. PSA is good for a quick scan, but it's generally more adept at finding XSS than anything else. Spike's tool seems to find nearly everything wrong with the code, but typically reports a lot of false positives because of the if/die "security" declarations at the top of admin/include scripts (the include line is flagged even though the guard makes it unreachable when called directly).
Other options include Firefox addons, which are a good option because Firefox is universal.
You can find 2 plugins for scanning XSS and SQL here:
http://www.securitycompass.com/exploitme.shtml
There is also Technika (they have not released the full framework yet)
http://www.gnucitizen.org/projects/technika/
Steps for PSA:
- Firstly ensure that register_globals is On in php.ini (PSA needs it, but it is an insecure setting, so only turn it on in the isolated test box).
- Copy psa to your htdocs root.
- Run perl psa.pl
- Test run.
- If everything is good, click create shell then scan.
Once it is finished (be patient), it will display the results in the window.
You can open results.html in your htdocs folder to get clickable links to the exploits.
Check each one to make sure that it's not a false positive.
*Recommended* Google for a live site running the same software (or an older version) and test it.
*Optional* Send the bug to the devs
Steps for phpsecaudit:
- Firstly this requires PHP 5, so if you're using XAMPP make sure you have PHP 5 turned on (default).
- Copy it somewhere.
- Open your terminal.
- Run php run.php --src /path/to/htdocs
- Open output/index.html in your browser
Here you will see the errors that it found; you will have to check them by hand (which I will hopefully go into detail about later).
This tool is very detailed and will probably show a metric fuckton of false positives, which a leading expert in this field recently described as extremely gay.
The main thing I look for with this tool is RFI, which is relatively easy to test.
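As an added example (not code from the original post, nor from PSA or phpsecaudit), here is a small Python script that does the core of what the RFI check in these tools does: it walks PHP source line by line and flags include/require statements whose path comes straight from a superglobal, from a variable assigned from one, or from a variable that is never assigned in the file (which register_globals lets a request populate). It also marks hits that sit behind an if(...) die/exit guard, the exact pattern that produces the false positives mentioned above, so you know which ones to verify by hand before believing them. The PHP files in SAMPLES are constructed for this example.

```python
"""Toy include/require taint scanner for PHP source (constructed example, not phpsecaudit)."""
import re
from dataclasses import dataclass

# Constructed sample PHP files standing in for an app installed under htdocs.
SAMPLES = {
    "index.php": """<?php
$page = $_GET['page'];
include($page . '.php');
""",
    "admin/menu.php": """<?php
if (!defined('IN_APP')) die('Hacking attempt');
include($_REQUEST['lang'] . '/strings.php');
""",
    "lib/config.php": """<?php
$root = dirname(__FILE__);
require_once($root . '/settings.php');
""",
    "theme.php": """<?php
include($theme_dir . '/header.php');
""",
}

INCLUDE_RE = re.compile(
    r"\b(include|require|include_once|require_once)\b\s*\(?\s*([^;]+?)\s*\)?\s*;"
)
SUPERGLOBALS = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_SERVER",
                "$GLOBALS", "$HTTP_GET_VARS", "$HTTP_POST_VARS")
VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")
ASSIGN_RE = re.compile(r"\$([A-Za-z_]\w*)\s*=(?!=)")   # plain assignment, not ==
GUARD_RE = re.compile(r"\bif\s*\(.*\)\s*(die|exit)\b")  # the if/die "security" guard


@dataclass
class Finding:
    path: str
    line: int
    statement: str
    reason: str
    guarded: bool  # an if(...) die/exit guard precedes it: likely needs manual review


def _is_tainted(expr, tainted):
    """True if the expression reads a superglobal or a variable already marked tainted."""
    if any(sg in expr for sg in SUPERGLOBALS):
        return True
    return any(name in tainted for name in VAR_RE.findall(expr))


def scan_source(path, src):
    """Scan one PHP file; returns a list of Finding for suspicious include paths."""
    assigned, tainted, guarded, findings = set(), set(), False, []
    for lineno, line in enumerate(src.splitlines(), start=1):
        if GUARD_RE.search(line):
            guarded = True
        m = ASSIGN_RE.search(line)
        if m:  # very simple taint propagation through assignments
            name = m.group(1)
            assigned.add(name)
            if _is_tainted(line[m.end():], tainted):
                tainted.add(name)
            else:
                tainted.discard(name)
        for inc in INCLUDE_RE.finditer(line):
            expr = inc.group(2)
            reason = None
            if any(sg in expr for sg in SUPERGLOBALS):
                reason = "superglobal used directly in include path"
            else:
                for name in VAR_RE.findall(expr):
                    if name in tainted:
                        reason = f"tainted variable ${name} flows into include path"
                        break
                    if name not in assigned:
                        reason = f"${name} never assigned in this file: request-settable with register_globals"
                        break
            if reason:
                findings.append(Finding(path, lineno, inc.group(0).strip(), reason, guarded))
    return findings


def scan_all(files):
    """Scan a {path: source} mapping (e.g. built by walking htdocs) and collect findings."""
    out = []
    for path, src in files.items():
        out.extend(scan_source(path, src))
    return out


if __name__ == "__main__":
    for f in scan_all(SAMPLES):
        flag = " [guarded: check by hand]" if f.guarded else ""
        print(f"{f.path}:{f.line}: {f.reason}{flag}\n    {f.statement}")
```

Against the samples it reports index.php (tainted variable), admin/menu.php (superglobal, but marked guarded) and theme.php (unassigned variable), and stays quiet on lib/config.php, where the path is built from dirname(__FILE__). The guarded flag is the point: a real tool cannot tell whether the guard actually protects the include, which is why you still open each hit and read the surrounding code.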
Steps for XSS Me and SQL Me firefox plugins:
- Browse to a page with a form.
- Tools > XSS Me or SQL Me > Open toolbar
- Run All tests
On a cautionary note, XSS Me uses VBScript in the All tests. Linux doesn't know wtf to do with that by default, which causes Firefox to fuck up… so don't run a full scan unless you are using Windows.
Another good thing about these plugins is that it's a real browser test, so there are going to be a lot fewer false positives (if any).
If you are up to it, here is a pretty big list of webfuzzers/scanners:
http://www.owasp.org/index.php/Phoenix/Tools
I’ll get around to testing them one day.
I hope this has been helpful to the newbs out there. Feel free to leave comments. 1337 D00dZ nonsense will be deleted

I have tried both the XSS Me and SQL Me add-ons
nice one!
good post and good blog so far, keep up the good work
-CG
+1 for the jokes.