Application fuzzing

  1. Application Layer Fuzzing
  2. Attacker’s approach
     • Fuzzing over HTTP
     • Injecting faults with various sets of payloads
     • Trying to raise an exception
     • The exception message is thrown back as part of the HTTP response
     • Scanning the response for signatures
     • If a signature is found, it becomes an interesting entry for exploitation
  3. Possible Leaks
     • Errors can reveal information about the technology stack and its weaknesses. In some cases an error helps in fingerprinting the web and application servers running the target application.
     • Internal IP addresses and the architecture layout of the network.
     • Intranet applications and their setups.
     • Type of backend database and its connection information.
     • Internal folders and the file system layout of the application.
     • Usernames, authentication mechanisms and related disclosures.
     • Hidden paths and folders that help in retrieving other files and internal database information.
     • Error codes and other relevant information that help an attacker analyze the possible cause.
  4. Root cause
     • Deployment cause – The application runs on a technology stack that involves a web server, application servers, plugins and handlers, a database server, etc. If these components are not configured properly, or have an inherent vulnerability, this can lead to information disclosure.
     • Source code cause – If the application source code does not follow best practices for error or exception handling, it ends up leaking information to the end client as part of the business logic. This information can help in detecting a vulnerability, or ends up sharing internal logic information.
  5. Error handlers
     [Diagram labels: Web Server, Application Server, Source Code, Database/Auth/Backend, HTTP Request, HTTP Response, Error Messages]
  6. File not found errors
     • HTTP 404 - not found
     [Screenshot callouts: server id, server id]
  7. Internal server errors
     • HTTP 500 error messages: nature of error revealed in error code
  8. PHP error example
     • Attempting to read a file which does not exist: Internal path disclosed.
  9. Application error message example
     • Attempting to place an order that already exists: Internal path disclosed.
  10. MySQL error example
     • Generated from a failed PHP MySQL query: Possible SQL injection point uncovered.
  11. MS-SQL error example
     • Generated from a failed ASP MS-SQL query: Possible SQL injection point uncovered.
  12. Tools & Conclusion
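
The signature scan from slide 2 can be run by defenders over their own application's error responses, so that leaks of the kinds listed in slides 3 and 6 to 11 are caught before release. The Python below is an added example, not part of the original slides; the regexes, the function names and the sample responses are assumptions constructed for illustration.

```python
import re

# Leak categories follow the slides; the regexes are assumptions made for this
# example, not a complete signature set.
SIGNATURES = {
    "server_banner": re.compile(r"\b(?:Apache|nginx|Microsoft-IIS)/\d[\w.]*", re.I),
    "internal_ip": re.compile(
        r"\b(?:10(?:\.\d{1,3}){3}|192\.168(?:\.\d{1,3}){2}"
        r"|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})\b"),
    "file_path": re.compile(
        r"[A-Za-z]:\\(?:[\w.-]+\\)+[\w.-]+|/(?:var|home|usr|opt|srv)/[\w./-]+"),
    "php_error": re.compile(
        r"\b(?:Warning|Fatal error|Notice)\b.{0,200}? on line \d+", re.I | re.S),
    "mysql_error": re.compile(
        r"You have an error in your SQL syntax|mysql_\w+\(\)", re.I),
    "mssql_error": re.compile(
        r"Microsoft OLE DB Provider for SQL Server|Unclosed quotation mark", re.I),
}

def scan_response(headers, body):
    """Return sorted (category, matched text) findings for one HTTP response."""
    # Banners leak through headers as well as error pages, so scan both.
    text = "\n".join(f"{k}: {v}" for k, v in headers.items()) + "\n" + body
    return sorted({(name, m.group(0))
                   for name, rx in SIGNATURES.items() for m in rx.finditer(text)})

def leaking(responses):
    """Map response label -> findings, keeping only responses that leak."""
    scanned = {label: scan_response(h, b) for label, (h, b) in responses.items()}
    return {label: hits for label, hits in scanned.items() if hits}

# Constructed sample responses as (headers, body); none come from the slides.
SAMPLES = {
    "404-default": ({"Server": "Apache/2.2.3"},
                    "<h1>Not Found</h1><address>Apache/2.2.3 Server at 10.0.4.17 Port 80</address>"),
    "500-php": ({}, "Warning: fopen(report.txt): failed to open stream: No such file "
                    "or directory in /var/www/shop/order.php on line 42"),
    "500-mysql": ({}, "You have an error in your SQL syntax; check the manual that "
                      "corresponds to your MySQL server version"),
    "500-mssql": ({}, "Microsoft OLE DB Provider for SQL Server error '80040e14' "
                      "Unclosed quotation mark before the character string"),
    "500-handled": ({}, "Something went wrong. Reference: 7f3a9c"),
}

if __name__ == "__main__":
    for label, hits in leaking(SAMPLES).items():
        print(label, hits)
```

The "500-handled" sample is the target state: a generic message plus a reference the operator can look up in server-side logs, which produces no findings.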