CONFidence 2015: Fuzz your way into the web server's zoo - Andrey Plastunov
Fuzz your way into the web server’s zoo
Andrey Plastunov, Digital Security (dsec.ru)
[Agenda]
[The Zoo]
➢ Web proxies
  ○ Content-filtering
  ○ Tunneling
  ○ ...
➢ Embedded systems
  ○ Routers and other network devices
  ○ Industrial devices
  ○ ...
➢ Non-default modules in mainstream servers
➢ Other software
------------------------------
➔ Clients
[The HTTP]
POST /do/not/touch?my=server HTTP/1.1
HOST: www.victim.com
User-Agent: Fuzzy browser
Content-Type: text/html
Content-Length: 42

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaaa!!!!1111
[The HTTP]
POST /do/not/touch?my=server HTTP/1.1\r\nHOST: www.victim.com\r\nUser-Agent: Fuzzy browser\r\nContent-Type: text/html\r\nContent-Length: 42\r\n\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaaa!!!!1111\r\n
[The HTTP]
POST /do/not/touch?my=server HTTP/1.1
Method [fuzzable]
Methods:
STANDARD: GET POST HEAD OPTIONS TRACE CONNECT PUT DELETE
WEBDAV: PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK + versioning extensions
CUSTOM: Anything a developer can imagine (e.g. VALIDATE, CURATE, etc.)
URI [fuzzable]
parameters [fuzzable]
protocol version [fuzzable?]
[The HTTP]
In case of connecting via proxy:
POST http://server.name/do/not/touch?my=server HTTP/1.1
Method [fuzzable]
Server name [fuzzable]
URI [fuzzable]
parameters [fuzzable]
protocol version [fuzzable?]
[The HTTP]
HOST: www.victim.com
User-Agent: Fuzzy browser
Content-Type: text/html
Content-Length: 42
Values [fuzzable]
Some google.com examples of complex headers:
Cookie: PREF=ID=d58a20b32d82347c:U=866f4da1ca2cc94c:FF=0:TM=1432555395:LM=1432555397:S=DzXF-knTmsVgJcCF; NID=67=H71Q3BwamddYRlgS5a9N0AZ1UqRAbcOcVORM3AJ3pb7i8WajPH7QDWuWNx5AYUvqBqrysr0QeuqG5QZfjJmEIMLoCSoPF0nA307pAb9GgmmA0Rl8Pg1ls8g4106DEbSz
pair(header:value) [fuzzable]
[The HTTP]
Content-type: application/x-www-form-urlencoded
name=post_example&very_tricky_parameter=hi!
Same as for URL data: [fuzzable]
[The HTTP]
Content-type: multipart/form-data
---Boundary_value
Content-Disposition: form-data; name="description"

test
---Boundary_value
Content-Disposition: form-data; name="file_content"; filename="test.dat"

\xde\xad\xbe\xef
---Boundary_value
data header [fuzzable]
mime parameter [fuzzable]
plain text value [fuzzable]
binary value [fuzzable]
[The HTTP]
POST /do/not/touch?my=server HTTP/1.1\r\nHOST: www.victim.com\r\nUser-Agent: Fuzzy browser\r\nAccept: text/html,application/xml\r\nContent-Type: text/html\r\nCookie: id=olololo;TheAnswer=42\r\nContent-Length: 42\r\n\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaaa!!!!1111\r\n
Delimiters [fuzzable]
[Fuzzing approaches]
[Straight fuzzing]
Diagram: Client (Fuzzer) and Web Server
(FUZZ) HTTP REQUEST
HTTP RESPONSE
[Reverse fuzzing]
Diagram: Client and Web Server (Fuzzer)
HTTP REQUEST
(FUZZ) HTTP RESPONSE
Difficulties:
➢ There is no possibility to check the client’s health by directly communicating with it
➢ Additional tweaks needed to re-run the client after each request
[Double fuzzing]
Diagram: Client (Fuzzer), HTTP Proxy, Web Server (Fuzzer)
(FUZZ) HTTP REQUEST
(FUZZ) HTTP RESPONSE
[The detection]
➢ Traffic analysis
➢ Local process monitoring
➢ Some heuristics based on responses from target
  ○ Comparing with reference response
[The wuzzer]
p.s. still alpha version :-)
[The wuzzer]
Diagram: Generator, Queue, Transmitter, Monitor, Log (Wuzzer); Target
1. Task
2. Task
3. REQ
4. Statistic
5. RESP
6. Results
7. Results
Paid advertisement =)
PyZZUF by @nezlooy
https://github.com/nezlooy/pyZZUF
[The wuzzer]
Look for the wuzzer updates at
https://www.github.com/osakaaa
[The examples]
Content-Length: -2
➢ An Integer Overflow causes a memory consumption bug
[The examples]
Content-Length: 601
Crash due to an unhandled exception in strcpy_s
[The examples]
Content-Length: -0
Integer Overflow causes Stack Buffer Overflow
[The examples]
Authorization: Basic
Login name > 16kb
Causes stack buffer overflow (??)
[The examples]
Accept-language: en-US,,,,<1000>,,,,,ru-RU
Buffer Overflow (???)
[The examples]
MS15-034:
Range: Bytes: 18-18446744073709551615
Integer Overflow
[The examples]
CVE:2014-5289: Long URI in POST request:
POST /AAAAAAA….<736>...AAAAA
Stack Buffer Overflow
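Several of the findings above come from length fields that a server parsed leniently. The following is an added example, not code from the talk, the wuzzer, or any of the affected products: a strict Content-Length parser beside the lenient pattern it replaces, as a general illustration of the bug class rather than the actual defect in any product. The function names, the status enum and the 600-byte body limit are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum cl_status { CL_OK, CL_EMPTY, CL_NOT_DIGITS, CL_OVERFLOW, CL_TOO_LARGE };

/* Contrast case: a signed parse stored in an unsigned size.
 * "-2" becomes SIZE_MAX - 1, which then drives allocation or copy sizes. */
size_t naive_content_length(const char *value)
{
    return (size_t)strtol(value, NULL, 10);
}

/* Strict parse of a Content-Length field value (hypothetical helper).
 * Grammar accepted: optional SP/HTAB, 1*DIGIT, optional SP/HTAB.
 * No sign, no hex, no trailing bytes; overflow is caught before it wraps. */
enum cl_status parse_content_length(const char *value, size_t max, size_t *out)
{
    const char *p = value;
    uint64_t n = 0;

    while (*p == ' ' || *p == '\t') p++;
    if (*p == '\0') return CL_EMPTY;
    if (!isdigit((unsigned char)*p)) return CL_NOT_DIGITS;  /* "-2", "-0" */

    for (; isdigit((unsigned char)*p); p++) {
        unsigned d = (unsigned)(*p - '0');
        if (n > (UINT64_MAX - d) / 10) return CL_OVERFLOW;
        n = n * 10 + d;
    }
    while (*p == ' ' || *p == '\t') p++;
    if (*p != '\0') return CL_NOT_DIGITS;                   /* "12abc" */
    if (n > max) return CL_TOO_LARGE;
    *out = (size_t)n;
    return CL_OK;
}

/* Copy a body into a fixed buffer only after the declared length has been
 * checked against the buffer and against the bytes actually received.
 * Returns the stored length, or a negative value on rejection. */
int store_body(char *dst, size_t dst_size, const char *cl_value,
               const char *body, size_t received)
{
    size_t len = 0;
    if (dst_size == 0) return -1;
    if (parse_content_length(cl_value, dst_size - 1, &len) != CL_OK) return -1;
    if (len > received) return -2;      /* header claims more than arrived */
    memcpy(dst, body, len);
    dst[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed inputs modelled on the header values quoted in the slides. */
    const char *samples[] = { "42", "-2", "-0", "601",
                              "18446744073709551615", "18446744073709551616" };
    static const char *names[] = { "OK", "EMPTY", "NOT_DIGITS", "OVERFLOW", "TOO_LARGE" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = 0;
        enum cl_status st = parse_content_length(samples[i], 600, &n);
        printf("%-22s strict=%-10s naive=%zu\n", samples[i], names[st],
               naive_content_length(samples[i]));
    }
    return 0;
}
```

A rejected value maps naturally to a 400 or 413 response before any buffer is sized from it.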
[The end]