====== BBC Ch 25: Automated Vulnerability Discovery / Fuzzing ======
//Source: Bug Bounty Bootcamp by Vickie Li//
Top bug bounty hunters automate the majority of their workflow: continuous recon, automated scanning, and immediate verification when a potential vulnerability is flagged. Fuzzing (fuzz testing) drives a large share of new CVE discoveries and is equally applicable to web applications.
===== What Is Fuzzing? =====
Fuzzing is the process of sending a wide range of invalid and unexpected data to an application and monitoring it for exceptions. The goal is to induce unexpected behavior (crashes, errors, unexpected output) and determine whether it is exploitable.
Web application fuzzing targets common injection points to expose vulnerabilities like XSS, SQL injection, IDORs, open redirects, and authentication bypass -- without requiring source code access.
===== How a Web Fuzzer Works =====
A web fuzzer replaces marked injection points in requests with strings from a wordlist, fires the requests, and tracks server responses. Wfuzz uses the keyword ''FUZZ'' as the injection point marker:
wfuzz -w wordlist.txt http://example.com/FUZZ
This generates one request per wordlist entry, substituting ''FUZZ'' with each string.
===== The 4-Step Fuzzing Process =====
==== Step 1: Determine Data Injection Points ====
Identify all locations where user input enters the application: URL path segments, query parameters, POST body parameters, HTTP headers, cookies.
Classify injection points by likely vulnerability:
# IDOR candidates -- numeric IDs
GET /email_inbox?user_id=FUZZ
POST /delete_user (body: user_id=FUZZ)
# XSS candidates -- search/display fields
GET /search?q=FUZZ
POST /send_email (body: title=FUZZ&body=FUZZ)
==== Step 2: Choose the Payload List ====
Match the wordlist to the vulnerability type:
* **Path enumeration:** directory wordlists (SecLists ''Discovery/Web-Content/'')
* **IDOR/ID fuzzing:** numeric ranges (1-10000)
* **XSS:** XSS payload lists (SecLists ''Fuzzing/XSS/'')
* **SQLi:** SQL injection wordlists (SecLists ''Fuzzing/SQLi/'')
* **Auth brute-force:** credential lists (SecLists ''Passwords/'')
Recommended resources:
* SecLists: https://github.com/danielmiessler/SecLists/
* Big List of Naughty Strings: https://github.com/minimaxir/big-list-of-naughty-strings/
* FuzzDB: https://github.com/fuzzdb-project/fuzzdb/
Also try randomly generated payloads -- extremely long strings, mixed encodings, special characters (newline, null byte, line feed) -- to provoke unexpected behavior and discover new vulnerability classes.
==== Step 3: Fuzz ====
**Burp Intruder** (GUI, integrated with Burp proxy):
- Right-click any intercepted request -> "Send to Intruder"
- Highlight injection points; click "Add"
- Configure payload list in the Payloads tab
- Note: free Burp throttles requests per minute; use Wfuzz for faster results
**Wfuzz** (CLI, unrestricted):
pip install wfuzz
Common Wfuzz commands:
Path enumeration (hide 404s, follow redirects):
wfuzz -w wordlist.txt -f output.txt --hc 404 --follow http://example.com/FUZZ
IDOR scanning:
wfuzz -w ids.txt http://example.com/view_inbox?user_id=FUZZ
HTTP Basic auth brute-force (single wordlist):
wfuzz -w wordlist.txt -H "Authorization: Basic FUZZ" http://example.com/admin
HTTP Basic auth brute-force (username + password lists):
wfuzz -w usernames.txt -w passwords.txt --basic FUZZ:FUZ2Z http://example.com/admin
Open redirect testing (verbose + follow to detect redirects):
wfuzz -w wordlist.txt -v --follow http://example.com?redirect=FUZZ
XSS reflection detection (filter for reflected payloads):
wfuzz -w xss.txt --filter "content~FUZZ" http://example.com/search?q=FUZZ
SQLi via POST body:
wfuzz -w sqli.txt -d "user_id=FUZZ" http://example.com/get_user
==== Step 4: Monitor Results ====
Interpret responses based on the vulnerability type being tested:
^ Vulnerability ^ What to look for ^
| Path enum | 200 status = valid path; 404 = not found |
| IDOR | 200 with content vs 403/404; response length differences |
| SQLi | Response time spike (time-based), length increase (data extracted), status code change |
| XSS | Payload reflected in response (use ''content~FUZZ'' filter) |
| Open redirect | Redirect to your domain (use ''--follow -v'') |
Think of fuzzing as a metal detector -- it finds suspicious spots; you inspect them manually to confirm and assess impact.
===== Fuzzing vs. Static Analysis =====
^ | Static Analysis | Fuzzing |
^ Source code required | Yes | No |
^ Tests live behavior | No | Yes |
^ Finds logic errors | Yes | Rarely |
^ Finds injection bugs | Yes | Yes |
^ Black-box friendly | No | Yes |
Use both: static analysis when source is available, fuzzing for black-box targets. Neither replaces manual testing for business logic errors and multi-step vulnerabilities.
===== Pitfalls =====
* **Rate limiting:** the server may throttle or ban your IP; use ''--delay'' in Wfuzz when necessary; always obtain permission before heavy fuzzing
* **Limited impact assessment:** without source code, classifying a bug's severity requires additional manual testing
* **Misses logic errors:** fuzzing won't catch business logic bugs or vulnerabilities requiring multiple coordinated steps
* **False positives:** always manually verify each anomaly before reporting
===== Building Your Toolkit =====
* Read the documentation and source code of every tool you add (Wfuzz, Sublist3r, etc.)
* Understanding how tools work teaches you how to write your own
* Modify open source tools to add features; contribute back if useful
* Automate recon and basic scanning; spend manual time on logic and chaining
===== 4-Step Checklist =====
- Identify all data injection points in the target; classify each by likely vulnerability.
- Select appropriate payload wordlists (SecLists, FuzzDB) for each injection type.
- Run Wfuzz against each injection point with the matching payload list; throttle if necessary to avoid disruption.
- Analyze results for status code, response length, and response time anomalies; manually verify each candidate before reporting.