Fuzzing APIs

  • Fuzzing is simply sending different data in a number of requests and seeing what comes back
  • It can be very useful for discovering content
  • There are many different fuzzing tools:
    • Burp suite
    • wfuzz
    • ffuf
    • gobuster
    • dirbuster
    • list goes on…

https://tryhackme.com/room/bookstoreoc --> fuzzing an endpoint in this app from THM, which is a free room.

  • http://10.10.70.164:5000/api --> API documentation

Fuzz With Burp

  • http://10.10.70.164:5000/api/v2/resources/books?published=1993 : send this request to Burp Repeater and Burp Intruder

First, fuzz the v2 field manually; maybe a v1 version is available?

  • fuzz the books section with Burp Intruder; the wordlist is common.txt (/usr/share/wordlists/dirb/common.txt)

  • fuzz the published field

When we pay attention to the status code and response length, the show value gives a 500 error. This tells us the value is real but the parameter is not compatible.

Lastly, we can fuzz the parameter.

  • with fuzzing we find the LFI-vulnerable endpoint /api/v1/resources/books?show=%2ebash_history
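The steps above all come down to the same triage: compare each payload's status code and response length against the "nothing here" response and look at what differs. The following script is an added example (not code from the TryHackMe room, Burp or wfuzz) that performs that triage over a constructed results table; the payload names, statuses and lengths are made up to resemble an Intruder or wfuzz run, and the status hints are general HTTP interpretation, not room-specific facts.

```python
"""Triage API fuzzing results by HTTP status and response length.

Added example: the SAMPLE_RESULTS table is constructed by hand to look like
one row per Intruder/wfuzz payload: (payload, status, response length in bytes).
"""
from collections import Counter

# Constructed sample. Most payloads hit the same error page; a few differ.
SAMPLE_RESULTS = [
    ("admin", 404, 232),
    ("api", 200, 1643),
    ("backup", 404, 232),
    ("books", 200, 4120),
    ("cgi-bin", 404, 232),
    ("show", 500, 290),
    ("test", 404, 232),
    ("v1", 200, 1580),
    ("v2", 200, 1580),
    ("wp-admin", 404, 232),
]

# General meaning of each status when it shows up during fuzzing.
STATUS_HINTS = {
    200: "accepted: resource or value exists",
    400: "understood but malformed request",
    401: "exists, authentication required",
    403: "exists, access denied",
    404: "no such resource",
    500: "server error: the input reached code that could not handle it",
}


def filter_status(results, codes):
    """Keep only rows whose status is in codes (same idea as wfuzz --sc)."""
    wanted = set(codes)
    return [r for r in results if r[1] in wanted]


def hide_status(results, codes):
    """Drop rows whose status is in codes (same idea as wfuzz --hc)."""
    unwanted = set(codes)
    return [r for r in results if r[1] not in unwanted]


def baseline(results):
    """The most common (status, length) pair is the 'nothing here' response."""
    counts = Counter((status, length) for _, status, length in results)
    return counts.most_common(1)[0][0]


def interesting(results):
    """Rows that differ from the baseline in status or length."""
    base = baseline(results)
    return [r for r in results if (r[1], r[2]) != base]


def triage(results):
    """Attach a status hint to every interesting row: (payload, status, length, hint)."""
    return [
        (payload, status, length, STATUS_HINTS.get(status, "unlisted status"))
        for payload, status, length in interesting(results)
    ]


if __name__ == "__main__":
    print("baseline response:", baseline(SAMPLE_RESULTS))
    for row in triage(SAMPLE_RESULTS):
        print(row)
```

Filtering on status alone (the `--sc` approach) would hide the fact that v1 and v2 return identical lengths while api and books do not; the baseline comparison keeps both signals, which is why Intruder's length column is worth sorting on as well as the status column.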

Fuzz with wfuzz

wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt "http://10.10.118.77/api/v1/resources/books?show=FUZZ"

To filter by response code we can use --sc=200

wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --sc=200 "http://10.10.118.77/api/v1/resources/books?show=FUZZ"
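From the other side of the wire, a wfuzz run like the one above is very visible in the web server's access log: one client, many distinct request targets in a short window, and mostly 4xx/5xx responses. The script below is an added example (not part of the room or of wfuzz) that flags that pattern in combined-format access log lines; the log lines, addresses and thresholds are constructed for illustration.

```python
"""Flag clients whose access-log pattern looks like directory/parameter fuzzing.

Added example. The SAMPLE_LOG lines are constructed in Apache/nginx combined
format: 10.0.0.5 sends many distinct targets in a few seconds with mostly
error responses; 10.0.0.9 is ordinary browsing. Thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

SAMPLE_LOG = """\
10.0.0.9 - - [10/Mar/2024:12:00:01 +0000] "GET /api/v2/resources/books?published=1993 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:02 +0000] "GET /api/v1/resources/admin HTTP/1.1" 404 232 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:03 +0000] "GET /api/v1/resources/backup HTTP/1.1" 404 232 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:04 +0000] "GET /api/v1/resources/cgi-bin HTTP/1.1" 404 232 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:05 +0000] "GET /api/v1/resources/config HTTP/1.1" 404 232 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:06 +0000] "GET /api/v1/resources/db HTTP/1.1" 404 232 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:07 +0000] "GET /api/v1/resources/images HTTP/1.1" 404 232 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:08 +0000] "GET /api/v1/resources/logs HTTP/1.1" 404 232 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:09 +0000] "GET /api/v1/resources/test HTTP/1.1" 404 232 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:10 +0000] "GET /api/v1/resources/books?show=test HTTP/1.1" 500 290 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:11 +0000] "GET /api/v1/resources/books HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:30 +0000] "GET /api HTTP/1.1" 200 1643 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:01:05 +0000] "GET /api/v2/resources/books HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "client": m.group("client"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "target": m.group("target"),  # path plus query, so parameter fuzzing counts too
        "status": int(m.group("status")),
    }


def detect_fuzzing(lines, window=60, min_requests=8, min_targets=8, min_error_ratio=0.5):
    """Flag clients that, within any `window` seconds, send at least min_requests
    covering at least min_targets distinct targets with an error ratio >= min_error_ratio."""
    by_client = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_client[ev["client"]].append(ev)

    flagged = {}
    for client, events in by_client.items():
        events.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while (events[end]["time"] - events[start]["time"]).total_seconds() > window:
                start += 1
            win = events[start:end + 1]
            if len(win) < min_requests:
                continue
            targets = {e["target"] for e in win}
            errors = sum(1 for e in win if e["status"] >= 400)
            ratio = errors / len(win)
            if len(targets) >= min_targets and ratio >= min_error_ratio:
                flagged[client] = {"requests": len(win), "distinct_targets": len(targets),
                                   "error_ratio": round(ratio, 2)}
                break  # first qualifying window is enough to flag this client
    return flagged


if __name__ == "__main__":
    for client, info in detect_fuzzing(SAMPLE_LOG.splitlines()).items():
        print(client, info)
```

The detector keys on the full request target rather than the bare path, so a run against a single parameter (show=FUZZ) with hundreds of different values is counted the same way as a directory brute force. Tune the thresholds against a baseline of your own traffic before alerting on them.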
