Max Kerr

Max Kerr

Developer.

Aperio Basics: Collecting Examples

Back to index

The fuzzer needs to start with some example requests, so it can learn how your application works. We’ll collect those examples using a tool caled Fiddler.

First, install Fiddler. Fiddler intercepts the requests our browser makes to the target application and allows us to save them in a file format understood by the fuzzer.

Testing Fiddler

Once you’ve installed Fiddler, you should be able to intercept request made by your browser. Try navigating to the application you’re testing in your browser, while running fiddler in the background. You should see a bunch of requests that your browser makes while loading the page.

Fiddler side by side with juice-shop

Filtering the results

The primary challenge when using fiddler to intercept requests is filtering out noise. Every request your browser makes will show up in fiddler – even if it’s for pages in other tabs, random static resources, and API calls we don’t care about.

If you don’t have other tabs open or the number of requests showing up in Fiddler is pretty low, you can skip this step.

The specifics of the filtering you will need to do may vary from application to application, but there are some general changes you can make in order to simplify things.

  1. Configure the Hosts field in the filters tab to only include the host you are testing. Usually this will just be localhost:80. You may have to change the port number.
  2. Search for content types like application/json using fiddlers search feature.

Selecting requests to save

The fuzzer only cares about “interesting” requests. These are requests that:

  1. Do something, like post a review or create an account

    or

  2. Return something, like a list of users or a form used to log in.

If you’re following along while testing with the OWASP juice-shop, I’d recommend saving the add user, login, get cart, add to cart, and post review functions. Each example you provide should cover a unique behavior – there’s no need to have two examples that both successfully add an item to the cart.

Saving requests

When you find a request to save, right click on it and select Save -> Request -> Entire Request.... Save it with a name that describes what the request is actually doing.

Repeat this process to capture all of the interesting requests in the subsystem you are testing, or for the whole application.

Importing requests into the fuzzer

Navigate the the “Add Endpoint” tab in the web view, then click the “Bulk Upload” link to access the upload form.

Select the requests you want to upload (you can select multiple at once). Leave the “File Format” set to “Fiddler Plain-Text”.

After submitting the form you will be redirected to a list of all of the uploaded endpoints.

Adding a dictionary

To improve the performance of the fuzzer, you can optionally upload a dictionary of values that are known to commonly cause errors in web applications. For testing, I’d recommend this example list. From the Add Dictionary tab, give the dictionary any name and select the downloaded file.

Updated: