by Ciro Brandi.
Rule-Based fuzzer is a fuzzer that allows you to identify anomalies on a web application. This technique is implemented by a blackbox fuzzer allowing to identify anomalies of the type: SQLi, XSS, Path traversal and LFI.
Install the packages using the command:
pip install -r requirements.txt
Also you need to install Pyswig: https://www.swi-prolog.org/
You can use the following guide to install it:
https://wwu-pi.github.io/tutorials/lectures/lsp/010_install_swi_prolog.html
The repeater intercepts the desired request, placing the placeholders in the chosen parameters, producing in output a JSON file containing: HTTP request, HTTP response, Placeholder Request.
The repeater is a mitmdump script that intercepts the http requests and places placeholders.
mitmdump -s repeater.py -k -q
Default values:
- url: http://127.0.0.1:18080/wavsep
- output: repeater.json
mitmdump -s repeater.py -k -q --set url=https://127.0.0.1:8443/ --set output=owasp-cmd.json
The intruder sends a payload list to the target application, retrieving its HTTP response. The module takes the repeater's output file as input and performs a sniper attack on each placeholder placed by the repeater. The generated output file is a list of fuzzing sessions. Intruder:
intruder.py --repeater=<repeater_file_name> --output=<name_output_file.json> (--verbose=True)
the Analyzer analyzes the intruder's output file to make observations on the HTTP responses resulting from a sniper attack. Analyzer:
analyzer.py --intruder=<intruder_file_name> --repeater=<repeater_file_name> --analyzer=<analyzer_output_file>
The oracle identifies if in the observations made by the analyzer there is an anomaly in the response. Oracle:
oracle.py --analyzer=<anaylzer_file_path>, --oracle=<oracle_output_file_path> --csv=<oracle_output_file_path>
To use all modules consecutively run:
generic_testing_run.py --url_intercept=<url_intercept> --repeater_file_path=<repeater_file_path> intruder_file_path=<intruder_file_path>, <analyzer_file_path_csv>, <analyzer_file_path_json>,
oracle_file_path=<oracle_file_path>, oracle_file_path_csv=<oracle_file_path_csv>
Example
generic_testing_run.py http://testphp.vulnweb.com results/repeater.json results/intruder.json results/observer.csv results/observer.json
To use generic testing on the testbed run:
testbed.py
Run docker-compose up
the first time and install wordpress.
Then you can run the attacks to reproduce the experiments.
cd vulnenv
docker-compose up
Wavsep and wordpress will be run on the following urls:
To configure the environments:
-
Go to
http://127.0.0.1:8080/wavsep/wavsep-install/install.jsp
and put the following data:- username:
root
- password
pass
- host:
wavsep-db
For Wordpress, put
- username:
python testbed.py
python main_repeater.py --url j
```