Security Testing Beyond The Edge

How to find vulnerabilities in Bug Bounty Programs at scale

In this tutorial you will learn how to utilise the mighty Fuzzer, part of SecApps Suite, to identify vulnerabilities in many applications and web services simultaneously. In later tutorials you will also learn how to combine the tool with SecApps Scout for more targeted attacks. All of these techniques are essential to succeed in Bug Bounty Hunting or during penetration testing engagement. Let’s get started.

The Only Thing You Need To Know

What makes the Fuzzer special is that it is the only tool that enables to configure complex fuzz-testing scenarios by combining generators and then run these generators with minimal memory and performance footprint over and over again. Not only that, but the fuzz-tests can be saved in your cloud and local storage and even shared publicly with another SecApps service we call Fiddles.

What are generators? Generators are graphical components you can combine in different ways to create loops and permutations. You may already be familiar with the generators from popular programming languages such as Python and JavaScript. The Fuzzer generators are very similar in nature although they do not require writing any code.

Let’s create a simple generator to illustrate how they work. First, open the Fuzzer. Anywhere inside the request structure (we chose a parameter called c for this example) position the cursor and start typing counter. Select the counter generator from the autocomplete dropdown.

Click the generator again. You will notice that it kind of reminds us of a standard for loop in programming. All we need to do is to decide the start index, the stop index and the step for each iteration. In this example we simply want to iterate from 1 to 100 for the purpose of this demonstration.

Ensure that the start index is set to 1 and the stop index is set to 100. Once ready, click outside of the generator to close it or press the Esc key on the keyboard. Use the arrows next to the Play button to preview some of the requests this generator will produce.

Press the Play button to start the Fuzzer. Notice the requests that are sent. They contain a URL parameter named c with the values from 1 to 100. There should be 100 requests in total and while this is cool, this is not all this tool can do.

Click the Fork button to copy the current setup into a new instance of the Fuzzer. We don’t want to start from scratch. Now copy the counter generator by selecting and cutting it from the document (CTRL+X or Command+X depending on your platform). Start typing hash in the place of the counter generator. Select the Hash generator.

Paste the counter generator into the input field. Select any hashing algorithm you like. We will use MD5 for this example. Notice how the requests are now generated with the hash of the humber produced inside the generator.

Similar effect can be normally achieved if you program this from scratch but with the help of the Fuzzer you get it all for free. Not only that, but the Fuzzer will optimise all requests and send them in the most consistent and performant way possible. There is no need to waste time and reinvent the wheel.

Bug Bounty Hunting At Scale

Let’s use the Fuzzer to find bugs across many targets at the same time. We will use a combination of two generators to achieve this effect and we will also configure some of the scheduler options for optimal performance. Let’s get started.

First of all we need a number of targets to test. We will use one of the builtin dictionaries for this purpose. Start from a blank Fuzzer. Remove the URL and start typing dictionary. Select the dictionary generator. Click the generator and then the Edit button.

You will be presented with a window similar to this:

In the input area we can create our own custom dictionary if we want. We don’t need to do this in this instance so let’s select an already available dictionary. Click the Load Common List button. In the search field type bounty to filter the available dictionaries to those which contain this keyword.

Select the second dictionary in the list: data/bugbounty/urls.txt. Click the Load button and then click the Use Loaded List button. You will notice that the contents of the dictionary is now available in the input area that we found previously empty.

At this point we can modify the dictionary whichever way we like but for this example, we will leave it as it is. Click the Use List button. Notice that the dictionary has quite a few entries. This means that we will be sending at least that amount of requests. If we add more generators we will increase the number of requests. We can calculate that number using standard combinatorics.

Now that we have all targets we need to find a bug. In this example we will search for something common across all targets. Let’s say we search for publicly exposed git repositories which were mistakenly deployed in the production applications. We can download these git repositories using other techniques not covered in this tutorial in search for configuration and deployment secrets we can use to compromise the target deployment system.

At the end of the url line start typing list. Select the List generator. Click the generator. In the input field we need to set up the URL paths we want to access. Remember that this list will be combined with the dictionary. With one line in the list and 30K lines in the dictionary that will produce 30K requests. Two lines in the list will produce 60K and so on. In this example, all we need is .git/config.

Notice how all request URLs are now suffixed with .git/config URL.

We are almost done. All is left to do is to configure the scheduler options. This is especially important when we send loads of requests like in this example. Simply put, the scheduler will try to wait for an answer for up-to 30 seconds from any application. This is very standard practice and works well for normal testing but when you are sending 1000s of requests all responses from slow, non-available or firewalled applications can add up to quite a bit of wait time. Let’s make this better.

Click the Options tab. Reduce the timeout time to 3 seconds. Increase the max connections to the maximum available. Keep in mind that this type of scheduling is different from multi-threaded ones used in some other tools. It is much better because the scheduler is considering the total load on each application thus overall the performance is much better than blindly submitting loads of requests which can get dropped for all kinds of reasons.

Optionally, activate the Analyzer. This option will automatically flag bugs discovered by SecApps’ passive vulnerability detection engine. Vulnerabilities such as the one that we are currently looking for in this example are supported so it is useful to use it in this instance. In this example, we will leave this option out of the setup.

Now it is time to start fuzzer. Press the Start button and let it work. As the Fuzzer is doing its job we can navigate the results. This is the beauty of this tool approach, because as the tool is working we can watch the results and work out a strategy on how to analyse them. We need to inspect 30K requests so having early feedback is most welcome.

There are many strategies we can employ and those largely vary based on the task at hand. We can sort the results based on one of the columns, for example, the content type or the length. We can use the built-in filters to filter with some common patterns or create our own custom filter as seen in the screenshot below.

Keep in mind that we are looking for a pretty common bug so we might not be lucky in this instance. Don’t give up. With a bit of practice and a few more trials we can get this technique to perfection and soon or later you will find something as we did many times in the past.

Save your Fuzzer files before, during or after the fuzzing tasks. It doesn’t matter when you decide to do that. You can use your Fuzz configurations as templates for future work. These files can be saved locally or as part of your personal and team drives in SecApps. The team drive is particularly useful if you need to share your work with your colleagues.

Conclusion

In this tutorial we learned about the Fuzzer. We learned how to utilise the generators to create some powerful primitives for fuzz-testing and also did actual bug bounty hunting by combining two types of generators to create a custom tool for research.

I hope you enjoyed the tutorial and now you are looking forward to testing the fuzzer and the rest of the tools from the SecApps Suite. While we have not covered this scenario in this tutorial specifically, you can use the SecApps tools either directly from your browser or via desktop using the Pown toolkit as described by this article. Have a fruitful hunt!