Metasploit HTTP fuzzer

This is a tool that I developed because I thought it was kind of missing on the metasploit framework. The main purpose of this tool is to help testing a web app for different problems using a custom requests. I think this is needed because scanners often the miss simple vulnerabilities because of the fact that they rely on a specific signature to identify them. Although they are really helpful to identify vulnerabilities on large web apps, almost all the times will miss basic vulnerabilities like SQL injections or XSS just because they did not test a parameter or because they are looking for a specific response code that in a lot of cases will never be returned by the web site. My opinion is that manual and semi-automated testing is the best approach to identify web app vulns. This is where this tool might be helpful.

The types of of iterations that you can use are:

1 NUMERIC Fuzzing
2 STRING Fuzzing
3 CUSTOM Fuzzing. Define POSITIONS and advanced option CHARS
4 File (Provide a File to use)
5 RANDOM Characters e.g. �\!"#$%&/()='
6 SQL injection (will use Msf::Config.install_root/data/wordlists/sql_injections.txt)
7 Long strings eg. A x 10000

Things that you might want to try while using this tool:
- Use methods GET or POST
- Configure a COOKIE and fuzz
- Add custom HEADERS and fuzz
- Review log file created at the end of each fuzzing session
- Create your own wordlist file and provide it to the fuzzer using TYPE 4 option
Some ideas of custom files: XSS, SQL Queries, Folders or directories, common files,
transversal, passwords, etc.
- Use advanced options to only show responses with specific CODE (e.g. 500)
- Use advanced options to stop fuzzing when a phrase is found in the response
Phrase example: "[SQLServer]"

Module Options

msf > use auxiliary/fuzzers/http/http_fuzz
msf auxiliary(http_fuzz) > show options



Basic configuration

msf > use auxiliary/fuzzers/http/http_fuzz
msf auxiliary(http_fuzz) > show options


msf > use auxiliary/fuzzers/http/http_fuzz
msf auxiliary(http_fuzz) > set RHOST TARGET_IP
RHOST => TARGET_IP
msf auxiliary(http_fuzz) > set PATH /news/news.cfm?ID={X}3869{X}
PATH => /news/news.cfm?ID=3869
msf auxiliary(http_fuzz) > set VHOST TARGET.com
VHOST => TARGET.com
msf auxiliary(http_fuzz) > set TYPE 1
TYPE => 1
msf auxiliary(http_fuzz) > set START 1
START => 1
msf auxiliary(http_fuzz) > set STOP 200
STOP => 200
msf auxiliary(http_fuzz) > run

[*] Fuzzing...
[*] Start number: 1
[*] Stop Number: 200
[*] Iterations 200
[*] No Headers provided
[*] No BODY was provided as a part of the request
[*] No Cookies were provided as a part of the request
[*] Running fuzzer against https//TARGET_IP/news/news.cfm?ID={X}3869{X}
[*] | ID | CODE | LENGTH | RESP TIME | TEST VALUE

[*] | 1 | 301 | 172 | 0.137653884 | 1
[*] | 2 | 301 | 172 | 0.132698855 | 2
[*] | 3 | 301 | 172 | 0.149321481 | 3
[*] | 4 | 301 | 172 | 0.140961011 | 4
[*] | 5 | 301 | 172 | 0.143869671 | 5

... and so on

[*] Log file was created: /opt/metasploit3/msf3/data/fuzz_log/all_req_resp.xml
[*] Auxiliary module execution completed



Download http-fuzz.rb from here and include it into the following metasploit directory: /msf3/modules/auxiliary/fuzzers/http/

Also, download from the same link the sample list of sql injections into the folder /msf3/data/wordlists/ to enable option 6 of the fuzzer.

Things that I know are missing:
- Implement multiple fuzzing parameters
- Threads
- Need to implement follow redirects OPTION (302 response)
- Need to implement NTLM auth to test apps as valid user
- Auxiliary tool to read and search inside log

Other great tools that can be used for the similar purposes are:
- Burp Suite
- CAT (I really recommend this one)
- Webscarab
etc

See post on proxys for further reference: HTTP web proxies

I hope this helps someone. Please send me comments if something is broken or not working. I will be glad to help :)

c4an