Possibility of Fuzzing Every Part of a Requst even JSON and XML

projectdiscovery / nuclei

Fast and customizable vulnerability scanner based on simple YAML based DSL.

https://docs.projectdiscovery.io/tools/nuclei

MIT License

20.09k stars 2.46k forks source link

Possibility of Fuzzing Every Part of a Requst even JSON and XML #5129

Closed exploit-io closed 4 months ago

exploit-io commented 5 months ago

Hello, I am working on a Penetration Testing Automation and creating my own Fuzzing Templates (-dast Templates). It is Unclear how to fuzz Http Headers, and body of a JSON or XML Request. as an Example I want to Fuzz the Following Request:

[GET or WHATEVER] /abc?param=FUZZ HTTP/1.1
Header1: Fuzz
Header2: Fuzz
.
.
.

{"id":"FUZZ", "ANYTHING": "FUZZ"}

or an Example For XML:

[POST or WHATEVER] /abc?param=FUZZ HTTP/1.1
Header1: Fuzz
Header2: Fuzz
.
.
.

<object>FUZZ</object>

Can You give me an Example Template for this?

exploit-io commented 4 months ago

I solved this issue by myself ...

geeknik commented 4 months ago

Care to share the solution with the rest of us? We're all learning. 👍🏻

tarunKoyalwar commented 4 months ago

@geeknik @exploit-io , we have integration tests for every part in fuzzing and full setup to reproduce / try it out so that's a good place to start https://github.com/projectdiscovery/nuclei/blob/dev/integration_tests/fuzz/fuzz-body-json-sqli.yaml

start fuzz playground

$ make fuzzplayground
# ./fuzzplayground

In another shell explore and run

example fuzzing templates

integration_tests/fuzz/*

input/target file for fuzzing (proxify yaml )

integration_tests/fuzz/testData

For nested json / xml etc you need to use . notation ex: user.email

exploit-io commented 4 months ago

@geeknik This is the Solution

id: eio-test-sqli

info:
  name: Time Based SQLi
  author: exploitio

variables:
  # If Changed, Check the DSL Matcher
  time: 2

http:
  - pre-condition:
      - type: dsl
        condition: or
        dsl:
          - 'method == "GET"'
          - 'method == "POST"'
          - 'method == "DELETE"'
          - 'method == "PUT"'
          - 'method == "PATCH"'

    payloads:
      # Escape Initial Statements
      injection:
        - "'; select sleep({{time}})-- "
        - "[whatever]"

    fuzzing:
      - part: query
        type: postfix
        mode: single
        fuzz:
          - "{{injection}}"

      - part: body
        type: postfix
        mode: single
        fuzz:
          - "{{injection}}"

      - part: cookie
        type: postfix
        mode: single
        fuzz:
          - "{{injection}}" 

    stop-at-first-match: true
    matchers:
      - type: dsl
        name: Time
        dsl:
          - "duration>=2"

exploit-io commented 4 months ago

@tarunKoyalwar Thanks for your support

geeknik commented 4 months ago

@geeknik This is the Solution

Looks awesome, glad you got it working. 👍🏻

Giova200 commented 3 months ago

hi, i wanted to ask, i see tha tu can fuzz the body, but how can u give the body at first?