I’ve heard a lot about fuzzing website parameters with programs like OWASP ZAP, but what is the importance of it? A simple active scan finds vulnerabilities in a website such as XSS. So why do we need the fuzzer?

If someone could shed some light on this that would be amazing! I’m new to website hacking.

schroeder
CoderPE

2 Answers

Fuzzing is not a technique to find known vulnerabilities. That is the job of an active security scanner like you said. Instead, a fuzzer is designed to assist with finding new bugs that are not yet known. They do this by constructing random or pseudorandom input and feeding it to the target. Good fuzzers will be format-aware and will feed it input that appears slightly corrupt, but is otherwise valid. When this is done for long enough, new and unknown bugs will often start to surface. These bugs can be analyzed and sometimes even turned into a working exploit.

forest
  • Thanks! I have a small question though. I see that fuzzing (or at least the OWASP ZAP fuzzer) is often used with injection to try and determine which payloads successfully bypass an application's validation on user input. You said that it is the job of an active scanner to do this, so is this not the proper use of it? – CoderPE Nov 14 '18 at 04:39
  • That is one use of it, yes. – forest Nov 14 '18 at 04:40
  • Okay. So it can be used for bypassing filters and stuff as well as trying to find bugs that can be developed into security exploits. If you don’t mind could you please show me an example of where fuzzing might be used to find a bug, as all the examples of it I have seen are just input validation bypass. Thank you! – CoderPE Nov 14 '18 at 04:43
  • @CoderPE I am most familiar with fuzzing of binary applications. For that, there's a bunch of examples from [AFL](http://lcamtuf.coredump.cx/afl/#bugs). Fuzzing web applications should be similar (though slower and more simple). – forest Nov 14 '18 at 04:47
  • Alright, thanks! I really appreciate your answer. I’m sure I’ll be able to use the fuzzer more efficiently now that I know it can be used for other things than just injection! – CoderPE Nov 14 '18 at 04:50
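The answer above describes a fuzzer as something that takes valid input, corrupts it slightly while keeping the format intact, and watches for behaviour nobody anticipated. The following is an added example that is not code from the answer or from ZAP: a small format-aware mutation fuzzer in Python, aimed at a hypothetical query-string handler (`paginate`) constructed here with two missing checks so that there is something to find. The handler, its `Rejected` exception, the `TOTAL_ROWS` constant and the `INTERESTING` value list are all assumptions made for the demonstration. The point it shows beyond the prose: the fuzzer must tell a deliberate rejection (not a bug) apart from a crash or a broken invariant (a bug), and it mixes a deterministic pass over "interesting" values with a random mutation pass, the way AFL-style fuzzers do.

```python
"""Toy format-aware mutation fuzzer for a web request handler.

Added example, not ZAP's fuzzer and not code from the original post. The
target handler `paginate` and its bugs are constructed here so that the
fuzzer has something to find.
"""
import random
import string
from urllib.parse import parse_qsl, urlencode

TOTAL_ROWS = 1000  # constructed: pretend the search backend holds 1000 rows


class Rejected(Exception):
    """The handler refusing input on purpose; a fuzzer must not count this."""


def paginate(query):
    """Hypothetical handler: validates q/page/per_page from a query string and
    derives a slice offset and a page count. Two checks are missing on purpose
    (per_page == 0 and per_page < 0); the fuzzer below is expected to find them."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    q = params.get("q", "")
    if not q:
        raise Rejected("q is required")
    try:
        page = int(params.get("page", "1"))
        per_page = int(params.get("per_page", "10"))
    except ValueError:
        raise Rejected("page and per_page must be integers")
    if page < 1:
        raise Rejected("page must be >= 1")
    offset = (page - 1) * per_page                       # negative if per_page < 0
    last_page = (TOTAL_ROWS + per_page - 1) // per_page  # ZeroDivisionError if 0
    return q, offset, last_page


# Values fuzzers try first: boundaries, empties, oversized, odd encodings.
INTERESTING = ["", "0", "-1", "1", "2147483648", "-2147483649", "9" * 40,
               "0x10", "1e3", "1 OR 1=1", "<script>", "%00", "\u00e9"]


def mutate_value(rng, value):
    """One small corruption of a single field value; the field layout is kept."""
    kind = rng.randrange(4)
    if kind == 0:
        return rng.choice(INTERESTING)
    if kind == 1:                                   # replace one character
        if not value:
            return rng.choice(string.printable)
        i = rng.randrange(len(value))
        return value[:i] + rng.choice(string.printable) + value[i + 1:]
    if kind == 2:                                   # repeat (length stress)
        return value * rng.randrange(2, 64)
    return value[: rng.randrange(len(value) + 1)]   # truncate


def with_value(fields, index, value):
    """Re-encode the parsed fields with one value swapped out."""
    mutated = list(fields)
    mutated[index] = (mutated[index][0], value)
    return urlencode(mutated)


def oracle(query):
    """Run one input. Return a bug signature, or None if the handler behaved.
    'Behaved' includes a deliberate Rejected; anything else is a finding."""
    try:
        _, offset, last_page = paginate(query)
    except Rejected:
        return None
    except Exception as exc:                        # crash: unexpected exception
        return type(exc).__name__
    if offset < 0:                                  # invariant: offsets are >= 0
        return "negative offset"
    if last_page < 1:                               # invariant: at least one page
        return "last_page < 1"
    return None


def fuzz(seed_query, iterations=500, seed=1):
    """Format-aware fuzzing: parse the seed into key/value fields, mutate one
    or two values at a time, re-encode, and run each candidate through the
    oracle. Returns {signature: first query that triggered it}."""
    rng = random.Random(seed)
    fields = parse_qsl(seed_query, keep_blank_values=True)
    candidates = []
    # Deterministic stage (as AFL does): every interesting value in every field.
    for i in range(len(fields)):
        for value in INTERESTING:
            candidates.append(with_value(fields, i, value))
    # Random "havoc" stage: stack a couple of mutations on top of the seed.
    for _ in range(iterations):
        mutated = list(fields)
        for _ in range(rng.randrange(1, 3)):
            i = rng.randrange(len(fields))
            mutated[i] = (mutated[i][0], mutate_value(rng, mutated[i][1]))
        candidates.append(urlencode(mutated))
    findings = {}
    for query in candidates:
        sig = oracle(query)
        if sig and sig not in findings:
            findings[sig] = query
    return findings


if __name__ == "__main__":
    for sig, query in fuzz("q=test&page=1&per_page=10").items():
        print("%-18s %s" % (sig, query))
```

Running it reports `ZeroDivisionError` for `q=test&page=1&per_page=0` and `last_page < 1` for `q=test&page=1&per_page=-1`, both from the deterministic stage; neither is an injection payload, and an active scanner matching known vulnerability signatures would not look for them. In a real engagement the oracle is the slow part: a web fuzzer has to infer "crash" from a 500 response, a timeout, a stack trace in the body or an unexpected response size, since it cannot catch the exception directly.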
I see the answer has already been chosen here and perhaps this is something you are already aware of but for what it's worth I'll give my two cents for a simple use case of fuzzing.

Fuzzing has a variety of applications, some already explained in the above-posted answers and comments, though I have used it for other cases as well. An easy example of fuzzing, though some might view this as scanning, would be taking a wordlist of potential directories or file names and searching them on a domain you are allowed to investigate. Tools like dirb and gobuster, among others, might be worth taking a look at if you are curious how this type of fuzzing can be done.

gobuster example command below to enumerate test.com:

gobuster dir -u https://test.com -w ~/wordlists/shortlist.txt   # gobuster 3.x requires the "dir" mode to be given explicitly

In short, the bugs discovered in this case with these tools are often directories and files that are publicly viewable (though should perhaps not be). This enumeration can lead to discovery of interesting things to aid an attacker in further exploitation.

jonroethke