The fuzzer needs to start with some example requests, so it can learn how your application works. We’ll collect those examples using a tool called Fiddler.
First, install Fiddler. Fiddler intercepts the requests our browser makes to the target application and allows us to save them in a file format understood by the fuzzer.
Once you’ve installed Fiddler, you should be able to intercept requests made by your browser. Try navigating to the application you’re testing in your browser, while running Fiddler in the background. You should see a bunch of requests that your browser makes while loading the page.
Filtering the results
The primary challenge when using Fiddler to intercept requests is filtering out noise. Every request your browser makes will show up in Fiddler – even if it’s for pages in other tabs, random static resources, and API calls we don’t care about.
If you don’t have other tabs open or the number of requests showing up in Fiddler is pretty low, you can skip this step.
The specifics of the filtering you will need to do may vary from application to application, but there are some general changes you can make in order to simplify things.
- Configure the Hosts field in the Filters tab to only include the host you are testing. Usually this will just be localhost:80. You may have to change the port number.
- Search for content types like application/json using Fiddler’s search feature.
Selecting requests to save
The fuzzer only cares about “interesting” requests. These are requests that:
- Do something, like post a review or create an account.
- Return something, like a list of users or a form used to log in.
If you’re following along while testing with the OWASP juice-shop, I’d recommend saving the add user, login, get cart, add to cart, and post review functions. Each example you provide should cover a unique behavior – there’s no need to have two examples that both successfully add an item to the cart.
When you find a request to save, right click on it and select Save -> Request -> Entire Request.... Save it with a name that describes what the request is actually doing.
Repeat this process to capture all of the interesting requests in the subsystem you are testing, or for the whole application.
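The filtering advice and the “interesting request” criteria above can be applied mechanically to a folder of saved captures before you upload them. The following is an added example, not code from this tutorial or its fuzzer; it assumes that Fiddler’s “Entire Request” save produces the raw HTTP request text and works on constructed sample captures rather than real traffic.

```python
# Added example (not the tutorial's or its fuzzer's code): triage requests saved via
# Fiddler's "Save -> Request -> Entire Request..." before bulk-uploading them.
# Assumes each saved file is the raw HTTP/1.1 request text (line, headers, blank, body).
import re

STATIC_ASSET = re.compile(r"\.(png|jpe?g|gif|ico|css|js|woff2?|svg)$", re.I)

def parse_raw_request(text: str) -> dict:
    """Split a raw HTTP request into method, path, lower-cased headers and body."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.strip().split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body.strip()}

def is_interesting(req: dict, host: str) -> bool:
    """Right host, not a static asset, and it either does something or returns data."""
    path = req["path"].split("?")[0]
    if req["headers"].get("host") != host or STATIC_ASSET.search(path):
        return False
    if req["method"] != "GET" or req["body"]:
        return True  # posts a review, creates an account, adds to the cart, ...
    accept = req["headers"].get("accept", "")
    return "application/json" in accept or "text/html" in accept  # returns something

def select_unique(raw_requests, host: str) -> list:
    """Keep one capture per (method, path); two identical cart adds teach nothing new."""
    seen, kept = set(), []
    for req in map(parse_raw_request, raw_requests):
        key = (req["method"], req["path"].split("?")[0])
        if is_interesting(req, host) and key not in seen:
            seen.add(key)
            kept.append(req)
    return kept

# Constructed sample captures (not real traffic): a login, two cart adds, a static
# image, an API read, and a request from another tab to an unrelated host.
SAMPLES = [
    'POST /login HTTP/1.1\r\nHost: localhost:80\r\nContent-Type: application/json\r\n\r\n{"email":"a@b.c","password":"x"}',
    'POST /cart/items HTTP/1.1\r\nHost: localhost:80\r\nContent-Type: application/json\r\n\r\n{"productId":1}',
    'POST /cart/items HTTP/1.1\r\nHost: localhost:80\r\nContent-Type: application/json\r\n\r\n{"productId":2}',
    'GET /assets/logo.png HTTP/1.1\r\nHost: localhost:80\r\nAccept: image/png\r\n\r\n',
    'GET /users HTTP/1.1\r\nHost: localhost:80\r\nAccept: application/json\r\n\r\n',
    'GET /feed HTTP/1.1\r\nHost: news.example\r\nAccept: text/html\r\n\r\n',
]
SELECTED = select_unique(SAMPLES, "localhost:80")  # -> POST /login, POST /cart/items, GET /users
```

Point `raw_requests` at the contents of your saved Fiddler files to get the shortlist worth uploading; anything it drops is noise from another host, a static asset, or a duplicate of a behavior already covered.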
Importing requests into the fuzzer
Navigate to the “Add Endpoint” tab in the web view, then click the “Bulk Upload” link to access the upload form.
Select the requests you want to upload (you can select multiple at once). Leave the “File Format” set to “Fiddler Plain-Text”.
After submitting the form you will be redirected to a list of all of the uploaded endpoints.
Adding a dictionary
To improve the performance of the fuzzer, you can optionally upload a dictionary of values that are known to commonly cause errors in web applications. For testing, I’d recommend this example list. From the Add Dictionary tab, give the dictionary any name and select the downloaded file.