Home page logo
/
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News

Sponsors


File http-form-fuzzer

Script types: portrule
Categories: fuzzer, intrusive
Download: http://nmap.org/svn/scripts/http-form-fuzzer.nse

User Summary

Performs a simple form fuzzing against forms found on websites. Tries strings and numbers of increasing length and attempts to determine if the fuzzing was successful.

Script Arguments

http-form-fuzzer.minlength

the minimum length of a string that will be used for fuzzing, defaults to 300000

http-form-fuzzer.maxlength

the maximum length of a string that will be used for fuzzing, defaults to 310000

http-form-fuzzer.targets

a table with the targets of fuzzing, for example {{path = /index.html, minlength = 40002}, {path = /foo.html, maxlength = 10000}}. The path parameter is required, if minlength or maxlength is not specified, then the values of http-form-fuzzer.minlength or http-form-fuzzer.maxlength will be used. Defaults to {{path="/"}}

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

unittest.run

See the documentation for the unittest library.

Example Usage

nmap --script http-form-fuzzer -p 80 <host>

This script attempts to fuzz fields in forms it detects (it fuzzes one field at a time).
In each iteration it first tries to fuzz a field with a string, then with a number.
In the output, actions and paths for which errors were observed are listed, along with
names of fields that were being fuzzed during error occurrence. Length and type
(string/integer) of the input that caused the error are also provided.
We consider an error to be either: a response with status 500 or with an empty body,
a response that contains "server error" or "sql error" strings. ATM anything other than
that is considered not to be an 'error'.
TODO: develop more sophisticated techniques that will let us determine if the fuzzing was
successful (i.e. we got an 'error'). Ideally, an algorithm that will tell us a percentage
difference between responses should be implemented.

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-form-fuzzer:
|   Path: /register.html Action: /validate.php
|     age
|       integer lengths that caused errors:
|         10000, 10001
|     name
|       string lengths that caused errors:
|         40000
|   Path: /form.html Action: /check_form.php
|     fieldfoo
|       integer lengths that caused errors:
|_        1, 2

Requires


Author: Piotr Olma

License: Same as Nmap--See http://nmap.org/book/man-legal.html

Nmap Site Navigation

Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]