0d1n web fuzzing

Test web inputs to find anomalies


Last updated 2 years ago

The story tale

Hello folks, today we are going into a story tale. Yes, about my old tool, whose proposal is to test web application resources through web fuzzing. This was written eight years ago when I worked at CONVISO Application Security. Web fuzzing is a technique used by security researchers to identify vulnerabilities in a website or web application. It involves sending numerous random, unexpected, and potentially malicious inputs to a web application to make it crash or behave unexpectedly. This can help security researchers identify areas of the application that are susceptible to attack and can be used to develop more effective security measures.

To perform web fuzzing, a security researcher typically uses a specialized tool that can automatically generate and send large numbers of random inputs to the web application. The tool will then monitor the application's behaviour, looking for any signs of abnormal behaviour or vulnerabilities. If a vulnerability is found, the researcher can try to exploit it to gain access to sensitive information or disrupt the normal operation of the application.

Overall, web fuzzing is a valuable tool for security researchers, as it can help identify vulnerabilities in web applications before malicious actors exploit them.

Tool features

  • Brute force logins and passwords in auth forms
  • Directory disclosure (use a PATH list for the brute force and check the HTTP status code)
  • Test to find SQL injection and XSS vulnerabilities
  • Test to find SSRF
  • Test to find command injection
  • Option to load an anti-CSRF token on each request
  • Option to use a random proxy per request
  • Option to use a random user agent per request
  • Option for a keep-alive test (slowloris test)
  • Options to use techniques to bypass WAF
  • Option to load a cookie jar
  • Option to load a full request from an external file
  • Option to start an HTTPd to view the report
  • Option to explore race conditions

Proof of concept

Performance

To ignore the limit of requests per time, users can use the argument "--race", which is a way to try to explore race conditions. All right, but remember that this can put the application at risk of denial of service.
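The trade-off above (a per-time request limit that "--race" switches off) can be modelled with a small token bucket; this is an added example with an injected clock, not the code from 0d1n's spider.c, whose actual limiter may work differently.

```c
#include <stdint.h>

/* Assumed model of a per-time request limit: a token bucket refilled at
   "per_sec" requests per second, with "burst" tokens of headroom.
   race == 1 models the --race argument: every request goes through. */
typedef struct {
    uint64_t milli_tokens, capacity_milli, per_sec, last_ms;
    int race;
} throttle_t;

void throttle_init(throttle_t *t, uint64_t max_per_sec, uint64_t burst, int race) {
    t->per_sec = max_per_sec;
    t->capacity_milli = burst * 1000;      /* 1 token == 1000 milli-tokens */
    t->milli_tokens = t->capacity_milli;   /* start full */
    t->last_ms = 0;
    t->race = race;
}

/* The clock (now_ms) is passed in so the logic is deterministic and testable
   offline. Returns 1 if a request may be sent now, 0 if the worker must wait. */
int throttle_allow(throttle_t *t, uint64_t now_ms) {
    if (t->race) return 1;                 /* --race: no limit, DoS risk */
    if (now_ms > t->last_ms) {
        t->milli_tokens += (now_ms - t->last_ms) * t->per_sec;
        if (t->milli_tokens > t->capacity_milli) t->milli_tokens = t->capacity_milli;
        t->last_ms = now_ms;
    }
    if (t->milli_tokens >= 1000) { t->milli_tokens -= 1000; return 1; }
    return 0;
}

/* Simulate a thread pool whose workers all try to fire at the same instant;
   returns how many of "attempts" requests the throttle actually let through. */
int burst_sent(throttle_t *t, uint64_t now_ms, int attempts) {
    int sent = 0;
    for (int i = 0; i < attempts; i++) sent += throttle_allow(t, now_ms);
    return sent;
}
```

With 500 threads and a 100 req/s limit only the burst headroom leaves at t=0 and the rest wait; with race set, all 500 hit the server at once.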

Tampering payloads to bypass WAF

Attack examples

Brute force to find the directory

$ 0d1n --host http://127.0.0.1/^ --payloads /opt/0d1n/payloads/dir_brute.txt --threads 500 --timeout 3 --log bartsimpsom4 --save_response

Note: We can change the number of threads. If we have a good machine, we can try 800 or 1200; each device has a different context.

SQL injection attack

$ 0d1n --host 'http://site.com/view/1^/product/^/' --payloads /opt/0d1n/payloads/sqli_list.txt --find_string_list /opt/0d1n/payloads/sqli_str2find_list.txt --log log1337 --tamper randcase --threads 800 --timeout 3 --save_response

Note: Tamper is a resource to try to bypass the web application firewall.

To brute force an auth system

$ 0d1n --host 'http://site.com/auth.py' --post 'user=admin&password=^' --payloads /opt/0d1n/payloads/wordlist.txt --log log007 --threads 500 --timeout 3

Note: If we have a CSRF token, we can use an argument to get this token for each request of the brute force.

Search SQLi in hard mode in a login system with a CSRF token:

$ 0d1n --host "http://127.0.0.1/vulnerabilities/sqli/index.php?id=^" --payloads /opt/0d1n/payloads/sqli.txt --find_string_list /opt/0d1n/payloads/find_responses.txt --token_name user_token --log logtest_fibonaci49 --cookie_jar /home/user_name/cookies.txt --save_response --tamper randcase --threads 100

Note: Load the cookie jar from the browser and save it in cookies.txt to load it here.
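The examples above all build requests from a "^" placeholder and, for the SQLi cases, pass "--tamper randcase". As an added example (not 0d1n's own code), here is a C model of both pieces beside the check a WAF needs so the tamper does not fool it: a case-sensitive signature misses the tampered payload, a case-folded one still catches it. The LCG constants, the fallback flip and the function names are my assumptions.

```c
#include <ctype.h>
#include <string.h>

/* Expand a 0d1n-style template: every "^" is replaced by the payload.
   Returns the output length, or -1 if "out" (outsz bytes) is too small. */
int expand_template(const char *tpl, const char *payload, char *out, size_t outsz) {
    size_t plen = strlen(payload), n = 0;
    for (; *tpl; tpl++) {
        size_t need = (*tpl == '^') ? plen : 1;
        if (n + need >= outsz) return -1;        /* keep room for the NUL */
        if (*tpl == '^') memcpy(out + n, payload, plen);
        else out[n] = *tpl;
        n += need;
    }
    out[n] = '\0';
    return (int)n;
}

#define FLIP_CASE(c) ((unsigned char)(islower(c) ? toupper(c) : tolower(c)))
/* "randcase" tamper: flip the case of letters picked by a seeded LCG, so the
   output is reproducible; if the PRNG picks no letter, the first letter is
   flipped so the variant always differs from the original payload. */
void tamper_randcase(const char *in, char *out, unsigned seed) {
    int i, flipped = 0, first_letter = -1;
    for (i = 0; in[i]; i++) {
        unsigned char ch = (unsigned char)in[i];
        seed = seed * 1103515245u + 12345u;      /* textbook LCG step (assumed) */
        if (isalpha(ch)) {
            if (first_letter < 0) first_letter = i;
            if ((seed >> 16) & 1u) { ch = FLIP_CASE(ch); flipped = 1; }
        }
        out[i] = (char)ch;
    }
    out[i] = '\0';
    if (!flipped && first_letter >= 0)
        out[first_letter] = (char)FLIP_CASE((unsigned char)out[first_letter]);
}

/* Naive rule: case-sensitive substring, the kind of check randcase evades. */
int match_naive(const char *req, const char *sig) { return strstr(req, sig) != NULL; }

/* Hardened rule: fold case on both sides before comparing (portable strcasestr). */
int match_normalized(const char *req, const char *sig) {
    size_t slen = strlen(sig);
    for (; *req; req++) {
        size_t i = 0;
        while (i < slen && req[i] && tolower((unsigned char)req[i]) == tolower((unsigned char)sig[i])) i++;
        if (i == slen) return 1;
    }
    return 0;
}
```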

Project Overview on cloc

cooler@gentoo:~/codes$ cloc 0d1n/
     937 text files.
     532 unique files.                                          
     451 files ignored.

-------------------------------------------------------------------------------
Language                     files          blank        comment           code
-------------------------------------------------------------------------------
JavaScript                     361           9951          15621          52178
C                               51           4986           4967          26642
C/C++ Header                    30           1184           2858           4295
CSS                             10            434            369           2142
HTML                             7             59              0           1616
TeX                              2             52              4            206
Markdown                         3             81              0            137
make                             4             36              9            130
Bourne Shell                     2              0              0              4
-------------------------------------------------------------------------------
SUM:                           487          16835          23846          91213
-------------------------------------------------------------------------------

Steps to Install and run

Read the docs and the "README.MD", plus the help menu shown when we execute the "0d1n" binary.

Any doubts? Please create an issue in the repository. Yes, the same path serves to suggest a new feature; I will be glad to create it.

Thank you for reading.

Cheers!

Reference

Following the past eight years, many plugins for OWASP's ZAP proxy and Burp Suite surged. But when we work in consulting, pentest and app sec, we always see new challenges. So we can always search to improve our tools, add more sharpness to our swords, and improve our weapons for strong attacks to kill the monsters in our course, such as bypassing web application firewalls and more.

Golden Axe game - https://en.wikipedia.org/wiki/Golden_Axe

0d1n is written in the C language and uses external libraries like libcurl and a thread pool library. Another fantastic point is that it uses BSD's libc string functions strlcat() and strlcpy() (see strsec.c) to improve security. This comes together with additional hardening in the Makefile. More details in the following: a hardened binary with full RELRO, ASLR and canary. Test the binary hardening with the tool checksec.

The following video is an example of how to use 0d1n to make a custom attack: get the CSRF token and load the cookie-jar file to send each attack following a custom request, without any error in the application. The application in the video is DVWA, an excellent application to study and test attacks.

So, to get the cookie jar from the authenticated application: first, we need to browse the authenticated system. The second step uses a proper plugin for our browser; yes, we need to export the cookies to a text file, aka the "cookie-jar". With the cookie jar, we can pass that file to the argument "--cookie_jar". This way we can load our cookies into the current session and attack the authenticated system.

0d1n is blazing fast, but we need to understand its full context. First, 0d1n writes each request and response to the log file; this is essential for investigation at the end of the analysis, based on the manual-view approach of Burp Suite. In the second step, 0d1n creates an HTTPd service, using lib mongoose, to read the resulting logs and load each external JSON with data tables. Is it faster than the async functions of tools in Go or Rust? Maybe yes, but 0d1n uses a resource to hold back its full potential, because sending a lot of requests at the same time can cause a denial of service; in the future we guess a good idea is an argument for a custom wait time per request. This fact reminds me of a tool called skipfish: the power of async sometimes makes the tested servers fall. It's crazy but amazing, so remember that 0d1n uses a thread pool. Look here for an interesting comparison and benchmark between the options around async, multithread and so on.

There is a resource to limit requests per time in the spider.c file. To jump this limit, use the argument "--race" to explore race conditions.

During years of study around web attacks, a fantastic tool that is a school of wisdom is SQLmap by the programmer Miroslav Stampar. Reading the Python code line by line, anyone can learn very cool tricks, especially tamper tricks to obfuscate the payload sent in each request. Following that influence, 0d1n has tamper functions. Yes, we can see that explanation in my old presentation.

  • GitHub - CoolerVoid/0d1n: Tool for automating customized attacks against web applications. Fully made in C language with pthreads, it has fast performance.
  • Practical Security Automation and Testing: Tools and techniques for automated security scanning and testing in DevSecOps (Amazon.com)
  • The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws (Amazon.com)