0d1n web fuzzing

Test web inputs to find anomalies

The story tale

Hello folks, today we are going on a story tale about my old tool, written to test web application resources through web fuzzing. This tool, 0d1n, was written eight years ago when I worked at CONVISO in application security. Web fuzzing is a technique used by security researchers to identify vulnerabilities in a website or web application. It involves sending numerous random, unexpected and potentially malicious inputs to a web application to make it crash or behave unexpectedly. This helps security researchers identify the areas of the application that are susceptible to attack, and the findings can be used to develop more effective security measures.

To perform web fuzzing, a security researcher typically uses a specialized tool that can automatically generate and send large numbers of random inputs to the web application. The tool then monitors the application's behaviour, looking for any sign of abnormal behaviour or a vulnerability. If a vulnerability is found, the researcher can try to exploit it to gain access to sensitive information or disrupt the normal operation of the application.

Overall, web fuzzing is a valuable tool for security researchers, as it can help identify vulnerabilities in web applications before malicious actors exploit them.

Over the past eight years, many plugins for OWASP's ZAP proxy and Burp Suite have appeared. But those of us who work in consulting, pentesting and application security always see new challenges. So there is always room to improve our tools: to sharpen our swords and strengthen our weapons for the attacks that kill the monsters in our path, such as bypassing web application firewalls and more.

0d1n is written in C and uses external libraries such as libcurl and a thread pool library. Another fantastic point is that it uses the BSD libc string functions strlcat() and strlcpy(), provided in strsec.c, to improve security, together with conventional hardening options in the Makefile. More details follow:

Tool features

  • Brute force logins and passwords in auth forms

  • Directory disclosure (uses a path list for brute force and checks the HTTP status code)

  • Test to find SQL injection and XSS vulnerabilities

  • Test to find SSRF

  • Test to find command injection

  • Option to load an anti-CSRF token for each request

  • Option to use a random proxy per request

  • Option to use a random user agent per request

  • Option for a keep-alive test (slowloris test)

  • Options to use techniques to bypass WAFs

  • Option to load a cookie jar

  • Option to load a full request from an external file

  • Option to start an HTTPd to view the report

  • Option to explore race conditions

Proof of concept

The following video is an example of how to use 0d1n to make a custom attack that fetches the CSRF token and loads the cookie-jar file, so that each attack request follows a custom request without causing any error in the application. The application in the video is DVWA, an excellent application for studying and testing attacks.

So, to get the cookie jar from the authenticated application: first, we need to browse the system while authenticated. The second step uses a suitable plugin for our browser; yes, we need to export the cookies to a text file, aka a "cookie jar". With the cookie jar we can pass that file to the argument "--cookie_jar". This way we load our cookies into the current session and can attack the authenticated system.
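As an added example (not 0d1n's own code), here is how the exported Netscape-format cookie jar can be turned into a Cookie header value; the function name and the two sample cookies are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Parse lines in the Netscape cookie-jar format exported by browser plugins
 * (domain, flag, path, secure, expires, name, value, tab separated) into a
 * single "name=value; ..." string suitable for a Cookie request header.
 * Lines starting with '#' are comments, except curl's "#HttpOnly_" prefix,
 * which marks a real cookie. Returns the number of cookies collected, or -1
 * if the output buffer would overflow (bounded, refuses to truncate). */
int cookiejar_to_header(const char *jar, char *out, size_t outlen)
{
    char line[1024];
    size_t used = 0;
    int count = 0;
    out[0] = '\0';

    while (*jar) {
        /* copy one line into a bounded scratch buffer */
        size_t n = strcspn(jar, "\n");
        if (n >= sizeof line) return -1;
        memcpy(line, jar, n);
        line[n] = '\0';
        jar += n + (jar[n] == '\n');

        if (line[0] == '\0') continue;
        if (line[0] == '#' && strncmp(line, "#HttpOnly_", 10) != 0) continue;

        /* split the seven tab-separated fields; only name and value are needed */
        char *f[7];
        char *p = line;
        int i;
        for (i = 0; i < 7 && p; i++) {
            f[i] = p;
            p = strchr(p, '\t');
            if (p) *p++ = '\0';
        }
        if (i < 7) continue;  /* malformed line: skip rather than guess */

        int w = snprintf(out + used, outlen - used, "%s%s=%s",
                         count ? "; " : "", f[5], f[6]);
        if (w < 0 || (size_t)w >= outlen - used) { out[0] = '\0'; return -1; }
        used += (size_t)w;
        count++;
    }
    return count;
}

/* Constructed sample jar (not from the page): two cookies for a local DVWA. */
static const char SAMPLE_JAR[] =
    "# Netscape HTTP Cookie File\n"
    "127.0.0.1\tFALSE\t/\tFALSE\t0\tPHPSESSID\tabc123\n"
    "#HttpOnly_127.0.0.1\tFALSE\t/\tFALSE\t0\tsecurity\tlow\n";
```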

Performance

0d1n is blazing fast, but we need to understand its full context. First, 0d1n writes each request and response to the log file. Yes, this phase is essential for investigation at the end of the analysis, following the manual-review approach of Burp Suite. Second, using lib mongoose, 0d1n creates an HTTPd service to read the result logs and load each external JSON into data tables. Is it faster than tools built on async functions in Go or Rust? Maybe yes, but 0d1n uses all the resources it can to reach its full potential, which can cause a denial of service if it sends a lot of requests at the same time; in the future we think an argument for a custom wait time per request is a good idea. This reminds me of a tool called skipfish: the power of async sometimes makes the tested servers fall. It's crazy but amazing, so remember that 0d1n uses a thread pool. Look here for an interesting comparison and benchmark of async, multithread and similar options.

To ignore the request limit, users can use the argument "--race", which is a way to try to explore race conditions. All right, but remember that this can put applications at risk of denial of service.

Tampering payloads to bypass WAF

During years of study around web attacks, a fantastic tool that is a school of wisdom is SQLmap by the programmer Miroslav Stampar. By reading its Python code line by line, anyone can learn very cool tricks, especially tamper tricks to obfuscate the payload sent in each request. Following that influence, 0d1n has tamper functions. Yes, you can see that explanation in my old presentation.

Attack examples

Brute force to find the directory

$ 0d1n --host http://127.0.0.1/^ --payloads /opt/0d1n/payloads/dir_brute.txt --threads 500 --timeout 3 --log bartsimpsom4 --save_response

Note: we can change the thread count. On a good machine we can try 800 or 1200; each machine has a different context.

For SQL injection attack

$ 0d1n --host 'http://site.com/view/1^/product/^/' --payloads /opt/0d1n/payloads/sqli_list.txt --find_string_list /opt/0d1n/payloads/sqli_str2find_list.txt --log log1337 --tamper randcase --threads 800 --timeout 3 --save_response

Note: tamper is a resource to try to bypass the web application firewall.

To brute force auth system

$ 0d1n --host 'http://site.com/auth.py' --post 'user=admin&password=^' --payloads /opt/0d1n/payloads/wordlist.txt --log log007 --threads 500 --timeout 3

Note: if there is a CSRF token, we can use the "--token_name" argument to fetch that token for each request of the brute force.

Search for SQLi in hard mode on a login system with a CSRF token:

$ 0d1n --host "http://127.0.0.1/vulnerabilities/sqli/index.php?id=^" --payloads /opt/0d1n/payloads/sqli.txt --find_string_list /opt/0d1n/payloads/find_responses.txt --token_name user_token --log logtest_fibonaci49 --cookie_jar /home/user_name/cookies.txt --save_response --tamper randcase --threads 100

Note: export the cookie jar from the browser and save it as cookies.txt so it can be loaded.
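The two mechanics behind all of the command lines above, as an added example that is not 0d1n's own code: every "^" in --host or --post is replaced by the current payload, and --find_string_list flags a response that contains one of the listed strings. The function names, the indicator strings and the sample response are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Replace every '^' in tmpl with payload, writing at most outlen bytes.
 * Returns the number of markers expanded, or -1 if the result would not
 * fit. A truncated request must never be sent, so this refuses rather than
 * cutting the string, in the spirit of the strlcpy/strlcat contract. */
int expand_markers(const char *tmpl, const char *payload,
                   char *out, size_t outlen)
{
    size_t plen = strlen(payload), used = 0;
    int markers = 0;
    for (; *tmpl; tmpl++) {
        const char *piece = (*tmpl == '^') ? payload : tmpl;
        size_t n = (*tmpl == '^') ? plen : 1;
        if (used + n >= outlen) { out[0] = '\0'; return -1; }  /* keep room for NUL */
        memcpy(out + used, piece, n);
        used += n;
        if (*tmpl == '^') markers++;
    }
    out[used] = '\0';
    return markers;
}

/* Return the index of the first indicator found in the response, or -1
 * when none matches (the request is then logged as uninteresting). */
int find_indicator(const char *response, const char *const *indicators, int n)
{
    for (int i = 0; i < n; i++)
        if (strstr(response, indicators[i]))
            return i;
    return -1;
}

/* Constructed sample data, not from the page: a find-string list with two
 * database error fragments and one response that leaks such an error. */
static const char *const INDICATORS[] = { "SQL syntax", "mysql_fetch" };
static const char SAMPLE_RESPONSE[] =
    "HTTP/1.1 200 OK\r\n\r\n<b>Warning</b>: You have an error in your SQL syntax";
```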

Project Overview on cloc

cooler@gentoo:~/codes$ cloc 0d1n/
     937 text files.
     532 unique files.                                          
     451 files ignored.

-------------------------------------------------------------------------------
Language                     files          blank        comment           code
-------------------------------------------------------------------------------
JavaScript                     361           9951          15621          52178
C                               51           4986           4967          26642
C/C++ Header                    30           1184           2858           4295
CSS                             10            434            369           2142
HTML                             7             59              0           1616
TeX                              2             52              4            206
Markdown                         3             81              0            137
make                             4             36              9            130
Bourne Shell                     2              0              0              4
-------------------------------------------------------------------------------
SUM:                           487          16835          23846          91213
-------------------------------------------------------------------------------

Steps to Install and run

Read the docs and the "README.MD", plus the help menu shown when the "0d1n" binary is executed.

Any doubts? Please create an issue in this repository; that is also the way to suggest a new feature. I will be glad to implement it.

Thank you for reading.

Cheers!
