Focused JSON fuzzing with BurpSuite and PyJFuzz - JSON vulnerabilities to the next level
October 20, 2016
What is PyJFuzz
In the previous post I wrote about PyJFuzz, a project of mine focused on JSON fuzzing; it is written entirely in Python and builds on radamsa, a general-purpose fuzzer. As promised, in this post I will talk about real-life fuzzing using PyJFuzz and Burp Suite.
PyJFuzz is a modular, easy-to-use, easy-to-extend and easy-to-integrate JSON fuzzer; with it you will be able to fuzz almost anything JSON-based with little effort.
Burp Suite, a love story
As a pentester you should already know Burp Suite, but if you don't, let me explain it. Burp Suite is an HTTP and HTTPS proxy that lets you intercept and modify requests and responses in real time. It is written entirely in Java and developed by PortSwigger, and it comes bundled with a lot of useful tools such as:
And much more...
A nice feature of Burp Suite is the Extender, which lets you extend Burp's functionality with extensions written in either Python or Java. Another interesting feature is the Intruder, which repeats the same request many times changing only selected parameters; it is typically used to brute-force sessions or cookies, or to guess an admin password. To reach our objective we will use both features.
Setup the environment
In order to make PyJFuzz work with Burp we need to install a few dependencies: radamsa, Jython, PyJFuzz itself and the Burp-PyJFuzz extension.
Below are the steps needed to install them correctly.
Radamsa's installation is pretty trivial and can be done with a single line:
git clone https://github.com/aoh/radamsa && cd radamsa && make && sudo make install
Once done radamsa should be installed.
Jython is an implementation of Python that runs on the JVM; Burp Suite uses it to load extensions written in Python. You can download the standalone jar from here; once downloaded, put the jar path inside Burp Extender > Options > Python Environment.
In order to install PyJFuzz you just have to clone the project and install it with these commands:
git clone https://github.com/mseclab/PyJFuzz.git && cd PyJFuzz && python setup.py install
As with Radamsa, you just have to clone Burp-PyJFuzz and import it into Burp; you can download it using
When everything is ready you can import the module into Burp Suite: go to Extender > Extensions and select Add; a window should pop up. There select Extension Type => Python, insert the path to Burp-PyJFuzz and click Next to load the extension. If everything went well you should see a new tab called PyJFuzz.
Fuzzing in real-life
I wanted to make a PoC of Burp-PyJFuzz, so I made a vulnerable page that takes JSON parameters and I'm going to fuzz it using PyJFuzz. "How to use Burp" is not in this post's scope, so I won't talk about it and I assume you already know the basics.
Once we've identified our request we'll send it to the Intruder in order to select the payload position; we need to adjust the payload position so that it covers just the JSON object, like the following
After setting the payload position we need to instruct Burp Suite to generate all the test cases using our plugin, so go to Intruder > Payloads and set Payload Type => Extension-generated, then click on the generator selector and pick PyJFuzz JSON Fuzzer, like the following
Again on Intruder > Payloads, at the bottom uncheck "URL-encode these characters": the payload here is the raw JSON body of a POST request, not form data, and URL-encoding the braces and quotes would break the JSON before it ever reaches the parser. When done go to the PyJFuzz tab; since we know that my vulnerable application strictly parses JSON, set the Fuzz Factor to 2 and use all techniques (on by default). A low Fuzz Factor keeps the mutated documents close to the original, so they still pass the parser and reach the application logic instead of being rejected as malformed.
We're ready to start, so on the top menu click Intruder > Start Attack; a new window will pop up showing all the fuzzed requests. After some minutes of fuzzing I noticed something strange: one request reported a different response length (maybe something went wrong)!?
So, looking at the payload used by PyJFuzz, I noticed it was a test for Remote Command Execution
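To make the Extender-plus-Intruder workflow concrete (the Extender hook from the Burp Suite section, and the Extension-generated payload type, payload position and Fuzz Factor settings just described), here is an added example that is not Burp-PyJFuzz's or PyJFuzz's own code: a small structure-aware JSON mutator wrapped in a Burp Intruder payload generator. It uses the public Burp Extender API (IBurpExtender, IIntruderPayloadGeneratorFactory, IIntruderPayloadGenerator and IExtensionHelpers) and has to be loaded under Jython as in the setup section; the technique lists, the `max_mutations` knob (my own stand-in for the post's Fuzz Factor, with its own meaning: how many leaf values change per test case) and the sample request body are constructed for the illustration. Outside Burp the `burp` import fails and placeholder classes take its place, so the mutator itself can be exercised with plain Python.

```python
import json
import random

try:  # inside Burp (Jython) the burp package is importable
    from burp import IBurpExtender, IIntruderPayloadGeneratorFactory, IIntruderPayloadGenerator
except ImportError:  # outside Burp (plain CPython): placeholders so the mutator can still be tested
    class IBurpExtender(object): pass
    class IIntruderPayloadGeneratorFactory(object): pass
    class IIntruderPayloadGenerator(object): pass

TEXT = type(u"")  # unicode on Jython / Python 2, str on Python 3

# Constructed payload lists for this illustration; they are not PyJFuzz's own.
INJECTIONS = [";id", "|id", "`id`", "$(id)", "' OR '1'='1", "../../../../etc/passwd", "%s%s%n"]
BOUNDARY_NUMBERS = [0, -1, 2 ** 31, 2 ** 63, -(2 ** 63) - 1, 1e308]
WEIRD_STRINGS = [u"\u0000", u"\u202e", u"A" * 4096, u"", u"\"\\"]

def tech_inject(value, rng):
    """Append an injection string; non-string leaves are serialised to text first."""
    base = value if isinstance(value, TEXT) else json.dumps(value)
    return base + rng.choice(INJECTIONS)

def tech_type_confusion(value, rng):
    """Keep the key but change the JSON type of its value (bool/null swap, number -> string, string -> array)."""
    if isinstance(value, bool) or value is None:
        return None if isinstance(value, bool) else True
    return u"%s" % value if isinstance(value, (int, float)) else [value]

TECHNIQUES = [tech_inject, tech_type_confusion,
              lambda value, rng: rng.choice(BOUNDARY_NUMBERS),  # numeric boundary values
              lambda value, rng: rng.choice(WEIRD_STRINGS)]     # control chars, long/empty strings

def leaf_paths(node, prefix=()):
    """Yield (path, value) for every scalar in the document, depth-first."""
    children = (sorted(node.items()) if isinstance(node, dict)
                else list(enumerate(node)) if isinstance(node, list) else None)
    if children is None:
        yield prefix, node
    for key, child in children or ():
        for item in leaf_paths(child, prefix + (key,)):
            yield item

def set_path(tree, path, value):
    for key in path[:-1]:
        tree = tree[key]
    tree[path[-1]] = value

def mutate_json(document, max_mutations=1, rng=None):
    """Return JSON text with the same keys and nesting as `document` but with up to `max_mutations`
    leaf values replaced; it always re-parses, so a strict parser hands it on to the application logic."""
    rng = rng if rng is not None else random.Random()
    tree = json.loads(document)
    if not isinstance(tree, (dict, list)):  # bare scalar document: mutate it directly
        return json.dumps(rng.choice(TECHNIQUES)(tree, rng))
    leaves = list(leaf_paths(tree))
    for path, value in rng.sample(leaves, min(max_mutations, len(leaves))):
        set_path(tree, path, rng.choice(TECHNIQUES)(value, rng))
    return json.dumps(tree, ensure_ascii=True, sort_keys=True)

def keys_preserved(original, mutated):
    """True when every object/array of `original` keeps its keys/length in `mutated`; only leaves may differ."""
    def check(a, b):
        if isinstance(a, dict):
            return isinstance(b, dict) and sorted(a) == sorted(b) and all(check(a[k], b[k]) for k in a)
        if isinstance(a, list):
            return isinstance(b, list) and len(a) == len(b) and all(check(x, y) for x, y in zip(a, b))
        return True
    return check(json.loads(original), json.loads(mutated))

# Constructed request body standing in for the vulnerable page's JSON parameters.
SAMPLE_BODY = '{"user": "admin", "id": 7, "admin": false, "tags": ["a", "b"], "meta": {"ip": "127.0.0.1"}}'

class JsonPayloadGenerator(IIntruderPayloadGenerator):
    """Intruder payload generator: each payload is one mutated copy of the marked JSON."""
    def __init__(self, helpers, count, max_mutations=2):
        self._helpers, self._count, self._max = helpers, count, max_mutations
        self._rng, self._sent = random.Random(), 0
    def hasMorePayloads(self):
        return self._sent < self._count
    def getNextPayload(self, baseValue):
        # baseValue is the byte[] marked as payload position (the whole JSON object); IExtensionHelpers
        # converts byte[] <-> String inside Burp, a plain decode is used when run outside it
        h = self._helpers
        base = h.bytesToString(baseValue) if h is not None else bytes(bytearray(baseValue)).decode("utf-8")
        self._sent += 1
        payload = mutate_json(base, self._max, self._rng)
        return h.stringToBytes(payload) if h is not None else payload.encode("utf-8")
    def reset(self):
        self._sent = 0

class BurpExtender(IBurpExtender, IIntruderPayloadGeneratorFactory):
    """Registers the generator so it shows up under Intruder > Payloads > Extension-generated."""
    def registerExtenderCallbacks(self, callbacks):
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("JSON mutator (example)")
        callbacks.registerIntruderPayloadGeneratorFactory(self)
    def getGeneratorName(self):
        return "JSON mutator (example)"
    def createNewInstance(self, attack):
        return JsonPayloadGenerator(self._helpers, count=500)
```

The property this is built around is the one behind the Fuzz Factor and URL-encoding settings: every generated case is still well-formed JSON with the original keys, so a strict parser accepts it and the injected strings reach the code that consumes the values, and the generator hands the bytes to Intruder as they are rather than URL-encoded. `keys_preserved` is the check you would run on a generator's output before trusting an hour of fuzzing to it.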