0d1n web fuzzing
Test web inputs to find anomalies
Hello folks, today we are going into a story: my old tool, whose purpose is to test web application resources through web fuzzing. This tool, 0d1n, was written eight years ago when I worked in CONVISO application security. Web fuzzing is a technique used by security researchers to identify a website's or web application's vulnerabilities. It involves sending numerous random, unexpected, and potentially malicious inputs to a web application to make it crash or behave unexpectedly. This can help security researchers identify the areas of the application that are susceptible to attack, and the findings can be used to develop more effective security measures.
To perform web fuzzing, a security researcher typically uses a specialized tool that can automatically generate and send large numbers of random inputs to the web application. The tool then monitors the application's behaviour, looking for any signs of abnormal behaviour or vulnerabilities. If a vulnerability is found, the researcher can try to exploit it to gain access to sensitive information or to disrupt the normal operation of the application.
Overall, web fuzzing is a valuable tool for security researchers, as it can help identify vulnerabilities in web applications before malicious actors exploit them.
Over the past eight years, many plugins for OWASP's ZAP proxy and Burp Suite have appeared. But when we work in consulting, pentesting and as app sec professionals, we always see new challenges. So we can always search for ways to improve our tools, put more sharpness into our swords, and improve our weapons for strong attacks to kill the monsters in our path, such as bypassing web application firewalls and more.
0d1n is written in the C language and uses external libraries such as libcurl and a thread pool library. Another fantastic point is the use of BSD's libc string functions strlcat() and strlcpy() in strsec.c to improve security, together with additional orthodox hardening in the Makefile. More details in the following:
Brute force logins and passwords in auth forms
Directory disclosure (use a path list for the brute force and check the HTTP status code)
Test to find SQL injection and XSS vulnerabilities
Test to find SSRF
Test to find command injection
Option to load an anti-CSRF token on each request
Option to use a random proxy per request
Option to use a random user agent per request
Option for a keep-alive test (slowloris test)
Option to use techniques to bypass a WAF
Option to load a cookie jar
Option to load a full request from an external file
Option to start an HTTPd to view the report
Option to explore race conditions
The following video is an example of how to use 0d1n to make a custom attack that fetches the CSRF token and loads the cookie-jar file, so that each attack follows a custom request without any error from the application. The application in the video is DVWA, an excellent application for studying and testing attacks.
So, to get the cookie jar from the authenticated application: first, we browse the system while authenticated. The second step uses a proper plugin for our browser; yes, we need to export the cookies to a text file, aka a "cookie-jar". With the cookie jar, we can pass that file to the argument "--cookie_jar". This way, we can load our cookies into the current session and attack the authenticated system.
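A check worth running before handing an exported cookie jar to any libcurl-based tool: the browser export is a tab-separated Netscape-format file, a malformed line is silently skipped, and a cookie whose domain, path, Secure flag or expiry does not fit the target URL is never sent, so the "authenticated" run quietly becomes unauthenticated. The following is an added example, not code from 0d1n; it parses a constructed cookie jar (the values are made up, not captured from any real system) and lists which cookies would accompany a request to a given URL. The path matching is a simple prefix test, a simplification of the full RFC 6265 rules.

```python
"""Check a Netscape/libcurl cookie-jar file before handing it to a fuzzer.

Added example, not part of 0d1n: parses the tab-separated cookie-jar format
that browser export plugins and libcurl use, reports malformed lines, and
lists which cookies would actually be sent to a target URL.
"""
import time
from urllib.parse import urlsplit

# Constructed sample export (not captured from any real system).
SAMPLE_JAR = """# Netscape HTTP Cookie File
# This file was generated by a browser export plugin.
localhost\tFALSE\t/dvwa/\tFALSE\t0\tPHPSESSID\tconstructedsessionid123
localhost\tFALSE\t/dvwa/\tFALSE\t0\tsecurity\tlow
.example.test\tTRUE\t/\tTRUE\t1000000000\tstale\texpired-long-ago
broken line with too few fields
"""

FIELDS = ("domain", "include_subdomains", "path", "secure", "expires", "name", "value")


def parse_cookie_jar(text):
    """Return (cookies, problems). Each cookie is a dict keyed by FIELDS."""
    cookies, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue  # comments and blank lines are ignored, as libcurl does
        parts = line.split("\t")
        if len(parts) != 7:
            problems.append(f"line {lineno}: expected 7 tab-separated fields, got {len(parts)}")
            continue
        cookie = dict(zip(FIELDS, parts))
        if cookie["include_subdomains"] not in ("TRUE", "FALSE") or cookie["secure"] not in ("TRUE", "FALSE"):
            problems.append(f"line {lineno}: flag fields must be TRUE or FALSE")
            continue
        try:
            cookie["expires"] = int(cookie["expires"])  # 0 means a session cookie
        except ValueError:
            problems.append(f"line {lineno}: expiry is not an integer")
            continue
        cookies.append(cookie)
    return cookies, problems


def domain_matches(cookie, host):
    """Exact host match, or a suffix match when the subdomain flag is TRUE."""
    domain = cookie["domain"].lstrip(".").lower()
    host = host.lower()
    if host == domain:
        return True
    return cookie["include_subdomains"] == "TRUE" and host.endswith("." + domain)


def cookies_for_url(cookies, url, now=None):
    """Names of the cookies that would accompany a request to url."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    selected = []
    for c in cookies:
        if not domain_matches(c, host):
            continue
        if not path.startswith(c["path"]):       # simplified path match
            continue
        if c["secure"] == "TRUE" and parts.scheme != "https":
            continue
        if c["expires"] != 0 and c["expires"] < now:
            continue
        selected.append(c["name"])
    return selected


if __name__ == "__main__":
    jar, issues = parse_cookie_jar(SAMPLE_JAR)
    for issue in issues:
        print("problem:", issue)
    print("sent to DVWA login:", cookies_for_url(jar, "http://localhost/dvwa/login.php"))
```

Run it against the real export before a long fuzzing job: if the session cookie is missing from the list for the URL under test, the path or domain column in the export is wrong, and every request in the log will be a login-page response rather than a test of the authenticated function.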
So 0d1n is blazing fast, but we need to understand its full context. First, 0d1n writes each request and response to the log file; yes, for the investigation at the end of the analysis this phase is essential, and it is based on the manual-review approach of Burp Suite. In the second step, using lib mongoose, 0d1n creates an HTTPd service to read the log results and load each external JSON into data tables. Is it faster than async functions, following tools in Go or Rust? Maybe yes, but 0d1n uses resources to their full potential, which can cause a denial of service in that context if it sends a lot of requests at the same time; in the future we think an argument for a custom wait time per request is a good idea. This fact reminds me of a tool called skipfish. The power of async sometimes makes the tested servers fall. It's crazy but amazing, so remember that 0d1n uses a thread pool. Look here for an interesting comparison and benchmark between options around async, multithreading and so on.
So, to ignore the limit in the context of requests, users can use the argument "--race", which is a way to try to explore race-condition contexts. All right, but remember that this can put applications at risk of denial of service.
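Two things from the paragraphs above are worth seeing in code: how a per-request wait time (mentioned as a future option) can be enforced across a pool of worker threads so a run does not flood the target, and why the "--race" mode finds bugs at all. The block below is an added example, not 0d1n code or DVWA code. The first part is a pacer shared by a thread pool, with the network call replaced by a constructed stub. The second part is a constructed "redeem a single-use coupon" handler in the racy check-then-act form beside the hardened form whose check and update are one atomic step; hammering both with parallel calls shows the double redemption the racy version allows and the mitigation the application needs (in a real backend the same fix is a conditional update in one statement, or a row lock, not a Python lock).

```python
"""Pacing a thread pool, and a check-then-act race beside its fix.

Added example, not part of 0d1n: the send() function is a constructed stub
and the coupon store is a constructed toy, not any real application.
"""
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class Pacer:
    """Hands out start slots spaced at least `interval` seconds apart, pool-wide."""

    def __init__(self, interval, now=time.monotonic, sleep=time.sleep):
        self.interval = interval
        self._now, self._sleep = now, sleep      # injectable clock for testing
        self._lock = threading.Lock()
        self._next_slot = None

    def wait_turn(self):
        with self._lock:                         # only the slot bookkeeping is serialized
            t = self._now()
            if self._next_slot is None or self._next_slot < t:
                self._next_slot = t
            slot = self._next_slot
            self._next_slot = slot + self.interval
        delay = slot - self._now()
        if delay > 0:
            self._sleep(delay)                   # sleep outside the lock
        return slot


def run_paced(payloads, send, threads, interval):
    """Send every payload through a thread pool, pacing request starts with one Pacer."""
    pacer = Pacer(interval)

    def task(payload):
        pacer.wait_turn()
        return send(payload)

    with ThreadPoolExecutor(max_workers=threads) as pool:
        return list(pool.map(task, payloads))


def paced_demo(n=10, threads=8, interval=0.01):
    """Run n constructed sends; return (elapsed seconds, list of start times)."""
    started, lock = [], threading.Lock()

    def fake_send(payload):                      # stands in for the HTTP request
        with lock:
            started.append(time.monotonic())
        return len(payload)

    t0 = time.monotonic()
    run_paced([f"payload-{i}" for i in range(n)], fake_send, threads, interval)
    return time.monotonic() - t0, sorted(started)


class RacyCoupons:
    """Vulnerable: the 'is it unused?' check and the 'mark used' write are separate steps."""

    def __init__(self, codes):
        self.used = {code: False for code in codes}

    def redeem(self, code):
        if not self.used.get(code, True):        # check
            time.sleep(0.005)                    # stands in for a DB round trip
            self.used[code] = True               # act
            return True
        return False


class SafeCoupons:
    """Hardened: check and update happen inside one critical section."""

    def __init__(self, codes):
        self.used = {code: False for code in codes}
        self._lock = threading.Lock()

    def redeem(self, code):
        with self._lock:
            if self.used.get(code, True):
                return False
            self.used[code] = True
            return True


def hammer(store, code, attempts=50, threads=20):
    """Fire `attempts` redemptions of one code in parallel; return how many succeeded."""
    with ThreadPoolExecutor(max_workers=threads) as pool:
        return sum(pool.map(lambda _: store.redeem(code), range(attempts)))


if __name__ == "__main__":
    print("paced run took %.3fs" % paced_demo()[0])
    print("racy store redeemed a single-use code", hammer(RacyCoupons(["X"]), "X"), "times")
    print("safe store redeemed it", hammer(SafeCoupons(["X"]), "X"), "time(s)")
```

The pacer spaces request starts rather than limiting concurrency, so it is a floor on the time a run takes, not a cap on how many requests are in flight; combine it with a thread count the target can handle. On the coupon side, a "--race"-style test is simply hammer() against the live endpoint, and the defender's fix is to make the check and the write indivisible on the server.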
During years of study around web attacks, a fantastic tool that is a school of wisdom is SQLmap, by the programmer Miroslav Stampar. Reading its Python code line by line, anyone can learn very cool tricks, especially the tamper tricks that obfuscate the payload sent with each request. Following that influence, 0d1n has tamper functions. Yes, we can see that explanation in my old presentation.
Brute force to find directories
Note: We can change the number of threads. If we have a good machine, we can try 800 or 1200; each machine has a different context.
For SQL injection attack
Note: Tamper is a resource to try to bypass the web application firewall
To brute force an auth system
Note: if we have a CSRF token, we can use argv to fetch this token for each request and brute force.
Search for SQLi in hard mode in a login system with a CSRF token:
Note: Load the cookie jar from the browser and save it in cookies.txt to load it.
Read the docs, the "README.MD", and the help menu shown when we execute the "0d1n" binary.
Do you have any doubt? Please create an issue in this repository. Yes, it is the same path to suggest a new feature; I will be glad to create it.
Thank you for reading.
Cheers!