DZONERZY

A bit 'bout fuzzing

October 13, 2016 Daniele

JSON this stranger

Today JSON is the most widely used way to serialize objects and properties so they can be exchanged between applications; in fact, all the biggest companies use it. Facebook, Google, Twitter and many more expose REST API servers, which are JSON- or XML-based endpoints used to provide additional functionality to the user experience.

Why should we care?

As already said, we should care about serialization formats such as JSON because they are used almost everywhere, and finding a vulnerability in a JSON endpoint could lead to serious problems such as:

  • Authorization Bypass
  • XSS
  • SQL Injection
  • Code Execution
  • Much more...

Today, during an internal VA, I faced a web app based on JSON, so instead of proceeding with a manual review I thought it would be nice to automate this process, with the ability to generate a random (but still valid) JSON value.

What about radamsa

Radamsa is a dumb, general-purpose fuzzer, as its developers state:

Radamsa is a test case generator for robustness testing, a.k.a. a fuzzer. It is typically used to test how well a program can withstand malformed and potentially malicious inputs. It works by reading sample files of valid data and generating interestingly different outputs from them. The main selling points of radamsa are that it has already found a slew of bugs in programs that actually matter, it is easily scriptable and easy to get up and running.

Anyway, radamsa knows nothing about the original binary structure of its input, so it performs changes such as byte swapping, byte flipping, permutation and much more. To make it fit our needs we should craft a wrapper around radamsa so that we can fuzz only a specific value.

200 lines of Python to rule 'em all

With about 200 lines of Python code I've made a wrapper around radamsa; it's able to generate valid JSON objects without modifying the original structure*. You can find my project on GitHub here. The tool is command-line driven, so integration with other tools such as Burp Suite is easier; below is a screenshot of a generated test case.

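A minimal wrapper of the kind described above, written here as an added example (it is not the author's GitHub tool): it serializes one leaf value, hands it to radamsa, and puts the result back so the surrounding JSON structure is preserved. It assumes the radamsa binary is on PATH; the mutator is a parameter, so any other byte-level mutator can be plugged in.

```python
import json
import shutil
import subprocess
from typing import Any, Callable, Iterator, List, Union

# Constructed sample request body, standing in for one captured from the target.
SAMPLE = {"user": {"name": "alice", "id": 42}, "tags": ["a", "b"]}

def radamsa_mutate(value: bytes) -> bytes:
    """Feed one serialized leaf to the radamsa CLI (assumed on PATH), return its output."""
    return subprocess.run(["radamsa"], input=value, capture_output=True, check=True).stdout

def mutate_leaf(value: Any, mutator: Callable[[bytes], bytes]) -> Any:
    """Mutate one scalar. Output that is still a JSON scalar is used as-is (numbers may
    stay numbers); anything else is wrapped as a string so the structure cannot change."""
    out = mutator(json.dumps(value).encode()).decode("utf-8", errors="replace")
    try:
        parsed = json.loads(out)
    except ValueError:
        return out
    return out if isinstance(parsed, (dict, list)) else parsed

def leaf_paths(node: Any, prefix: tuple = ()) -> Iterator[List[Union[str, int]]]:
    """Enumerate the path to every scalar, so each position can be fuzzed in turn."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from leaf_paths(child, prefix + (key,))
    elif isinstance(node, list):
        for idx, child in enumerate(node):
            yield from leaf_paths(child, prefix + (idx,))
    else:
        yield list(prefix)

def fuzz_json(doc: Any, path: List[Union[str, int]], mutator=radamsa_mutate) -> str:
    """Return JSON text equal to doc except at path, whose leaf has been mutated;
    keys, nesting and every other value are untouched, so the result always parses."""
    copy = json.loads(json.dumps(doc))  # deep copy: the caller's object is untouched
    parent = copy
    for key in path[:-1]:
        parent = parent[key]
    parent[path[-1]] = mutate_leaf(parent[path[-1]], mutator)
    return json.dumps(copy)

if __name__ == "__main__":
    # Fall back to a trivial byte-reversal mutator when radamsa is not installed.
    mutate = radamsa_mutate if shutil.which("radamsa") else (lambda b: b[::-1])
    for path in leaf_paths(SAMPLE):
        print(path, fuzz_json(SAMPLE, path, mutate))
```

Each generated test case differs from the original in exactly one value, which keeps the request parseable by the target and makes any crash or error easy to attribute to that field.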

Burp integration and automatic fuzzing

In the next blog post I'll show you how to integrate this script into Burp Suite in order to perform automatic fuzzing!

The End

As always, if you have any suggestions, please write below! I hope you enjoyed this small write-up.

#dzonerzy