Script http-form-fuzzer

Script types: portrule
Categories: fuzzer, intrusive
Download: https://svn.nmap.org/nmap/scripts/http-form-fuzzer.nse

Script Summary

Performs a simple form fuzzing against forms found on websites. Tries strings and numbers of increasing length and attempts to determine if the fuzzing was successful.

Script Arguments

http-form-fuzzer.minlength

the minimum length of a string that will be used for fuzzing, defaults to 300000

http-form-fuzzer.maxlength

the maximum length of a string that will be used for fuzzing, defaults to 310000

http-form-fuzzer.targets

a table with the targets of fuzzing, for example {{path = /index.html, minlength = 40002}, {path = /foo.html, maxlength = 10000}}. The path parameter is required; if minlength or maxlength is not specified, the values of http-form-fuzzer.minlength or http-form-fuzzer.maxlength will be used. Defaults to {{path="/"}}

slaxml.debug

See the documentation for the slaxml library.

httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost

See the documentation for the httpspider library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap --script http-form-fuzzer --script-args 'http-form-fuzzer.targets={1={path=/},2={path=/register.html}}' -p 80 <host>

This script attempts to fuzz fields in forms it detects (it fuzzes one field at a time).
In each iteration it first tries to fuzz a field with a string, then with a number.
In the output, actions and paths for which errors were observed are listed, along with
the names of the fields that were being fuzzed when the error occurred. The length and type
(string/integer) of the input that caused the error are also provided.
We consider an error to be either a response with status 500 or an empty body, or a
response whose body contains the string "server error" or "sql error". At the moment
anything else is not considered an 'error'.
TODO: develop more sophisticated techniques that will let us determine if the fuzzing was
successful (i.e. we got an 'error'). Ideally, an algorithm that will tell us a percentage
difference between responses should be implemented.
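
The fuzz loop and the error heuristic described above, as an added example. This is not the Nmap script itself (which is Lua) and sends no traffic: the form is submitted to a constructed in-process stand-in for a /validate.php backend. The filler values used for the fields not currently being fuzzed, the characters used for the string and integer inputs, and the case-insensitive marker match are assumptions of this example, not documented behaviour of http-form-fuzzer.

```python
# Added example: a stand-alone model of the fuzz loop and the documented
# error heuristic. Not the Nmap script's code; the backend is constructed.

ERROR_MARKERS = ("server error", "sql error")


def looks_like_error(status, body):
    """The documented heuristic: HTTP 500, an empty body, or a body that
    contains "server error" / "sql error". Case-insensitive matching is an
    assumption of this example."""
    if status == 500 or not body:
        return True
    lowered = body.lower()
    return any(marker in lowered for marker in ERROR_MARKERS)


def payloads(length):
    """One string and one integer input of the requested length. The exact
    characters the script uses are not stated on this page; these are
    placeholders."""
    return (("string", "a" * length), ("integer", "1" * length))


def fuzz_form(submit, defaults, minlength, maxlength):
    """Fuzz one field at a time with inputs of increasing length while the
    other fields keep their filler values (an assumption). Returns
    {field: {"string": [lengths], "integer": [lengths]}} for every input
    that produced an error under looks_like_error()."""
    findings = {}
    for field in defaults:
        for length in range(minlength, maxlength + 1):
            for kind, payload in payloads(length):
                form = dict(defaults)
                form[field] = payload
                status, body = submit(form)
                if looks_like_error(status, body):
                    findings.setdefault(field, {}).setdefault(kind, []).append(length)
    return findings


NAME_MAX = 8         # constructed column width for "name"
AGE_MAX_DIGITS = 9   # constructed limit before the backend fails


def fake_validate(form):
    """Constructed stand-in for a /validate.php backend; returns (status, body)."""
    name = form.get("name", "")
    age = form.get("age", "")
    if not age.isdigit():
        return 400, "bad age"   # a 4xx with a body is NOT an error for the heuristic
    if len(age) > AGE_MAX_DIGITS:
        return 500, "Internal Server Error"
    if len(name) > NAME_MAX:
        return 200, "SQL error: data too long for column 'name'"
    return 200, "registered"


def render(path, action, findings):
    """Lay the findings out the way the script's own output section does."""
    lines = [f"Path: {path} Action: {action}"]
    for field, kinds in findings.items():
        lines.append(f"  {field}")
        for kind, lengths in kinds.items():
            lines.append(f"    {kind} lengths that caused errors:")
            lines.append("      " + ", ".join(str(n) for n in lengths))
    return "\n".join(lines)


if __name__ == "__main__":
    # Small lengths stand in for the script's 300000..310000 defaults.
    result = fuzz_form(fake_validate, {"name": "bob", "age": "30"}, 1, 12)
    print(render("/register.html", "/validate.php", result))
```

Two things the model makes visible. First, the heuristic is blunt in both directions: the "age" field rejecting a string with a 400 and a short body is silently treated as a non-error, while any page that answers with an empty body (a redirect to a login form, a rate limiter returning 200 with nothing) is reported as an error for every length tried. Second, the cost: with the defaults of 300000 to 310000, each request carries a payload of roughly 300 KB, so stepping through every length means on the order of ten thousand requests of that size per input type per field; lower http-form-fuzzer.minlength and http-form-fuzzer.maxlength (or use the per-target values) before pointing this at anything you do not own.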

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-form-fuzzer:
|   Path: /register.html Action: /validate.php
|     age
|       integer lengths that caused errors:
|         10000, 10001
|     name
|       string lengths that caused errors:
|         40000
|   Path: /form.html Action: /check_form.php
|     fieldfoo
|       integer lengths that caused errors:
|_        1, 2

Requires


Authors:

  • Piotr Olma
  • Gioacchino Mazzurco

License: Same as Nmap--See https://nmap.org/book/man-legal.html