Scenario 3 – Custom header fuzzing

In this scenario, we have an application running on PHP – custom_header.php. We request the following page from the server:

The server responds with an Unauthorized Access! message and two unknown headers – X-isAdmin: false and X-User: Joe (as we can see in the following screenshot):

The message from the server is as follows:

Because the server echoes these two custom headers, it is reasonable to assume that it also reads them from the request. The first header, X-isAdmin, looks like a custom header that accepts Boolean values, true or false. The other header, X-User, probably accepts a username, so its value is a string. Let's use Wfuzz to fuzz both headers at once and find out what we can do with them. Execute the following command:

wfuzz -c -z list,true-false -z file,<username_wordlist> -H "X-isAdmin: FUZZ" -H "X-User: FUZ2Z" <url>

The following screenshot shows the output of the preceding command:

The -H flag can be repeated to inject several headers into the request, and each placeholder draws its values from the matching -z payload: FUZZ from the first (the list true-false) and FUZ2Z from the second (the username wordlist). Because Wfuzz's default iterator is product, every Boolean is tried with every username. Almost all of those combinations return the same Unauthorized Access! response, so let's hide the results that share its character count (the --hh flag):

Only one combination stands out: X-isAdmin: true together with X-User: Billy produces a response of a different length, which suggests that Billy is the admin user. Let's send a request with these two custom headers and see whether we can access the page:

As we can see in the following screenshot, we were able to authenticate with the page using custom HTTP headers and following the authentication, the server redirects us to the home.php page:

The home.php page looks as follows:

Now that we have some clarity regarding fuzzing HTTP request headers, we can apply the same technique to HTTP POST parameters, as the following screenshot shows:

Fuzzing POST parameter names and values in this way can reveal API endpoints the application supports and the values those parameters accept.
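The header-fuzzing run above, re-created offline as an added example (this is not code from the book, and the mock application is a constructed stand-in for custom_header.php): it tries every combination of the two payload sets the way Wfuzz's product iterator does, records each response's status and character count, and then hides the most common length exactly as --hh does. The username wordlist, the 302 redirect to home.php on success, and the response bodies are assumptions for the demo. The same loop reproduces the POST-parameter case by building the request with a data= body instead of custom headers.

```python
# Added example (not from the book): an offline re-creation of the Wfuzz run above.
# The mock app below is a constructed stand-in for custom_header.php; the usernames,
# the 302 redirect to home.php, and the response bodies are assumptions for the demo.
import itertools
import threading
import urllib.error
import urllib.request
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed username wordlist standing in for <username_wordlist>.
USERNAMES = ["admin", "joe", "alice", "Billy", "bob", "root"]


class MockCustomHeaderApp(BaseHTTPRequestHandler):
    """Constructed stand-in for custom_header.php: it trusts two client-supplied headers."""

    def do_GET(self):
        # Header lookups are case-insensitive (urllib normalises header-name case on the
        # wire; PHP exposes the same header as $_SERVER["HTTP_X_ISADMIN"]).
        is_admin = self.headers.get("X-isAdmin", "false")
        user = self.headers.get("X-User", "Joe")
        if is_admin == "true" and user == "Billy":
            self.send_response(302)  # assumed: a successful check redirects to home.php
            self.send_header("Location", "/home.php")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"Unauthorized Access!"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("X-isAdmin", "false")
        self.send_header("X-User", "Joe")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # silence per-request server logging so the fuzz output stays readable


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses: the redirect itself is the interesting signal."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def send(opener, req):
    """Return (status, body) even for 3xx/4xx, which urllib surfaces as HTTPError."""
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.getcode(), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fuzz_headers(url, header_names, payload_sets):
    """Equivalent of:
    wfuzz -z list,true-false -z file,<wordlist> -H "X-isAdmin: FUZZ" -H "X-User: FUZ2Z" <url>

    Wfuzz's default iterator is 'product', so every value of each payload set is tried
    against every value of the others. Returns one (values, status, chars) tuple per request.
    """
    opener = urllib.request.build_opener(NoRedirect)
    results = []
    for combo in itertools.product(*payload_sets):
        req = urllib.request.Request(url, headers=dict(zip(header_names, combo)))
        status, body = send(opener, req)
        results.append((combo, status, len(body)))
    return results


def hide_baseline(results):
    """Emulate --hh <chars>: hide every response whose length equals the most common one."""
    baseline = Counter(chars for _, _, chars in results).most_common(1)[0][0]
    return baseline, [r for r in results if r[2] != baseline]


def run_fuzz():
    """Start the mock app on a random local port, fuzz it, and return (baseline, hits)."""
    server = HTTPServer(("127.0.0.1", 0), MockCustomHeaderApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_address[1]}/custom_header.php"
        results = fuzz_headers(url, ["X-isAdmin", "X-User"], [["true", "false"], USERNAMES])
        return hide_baseline(results)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    baseline, hits = run_fuzz()
    print(f"hidden: responses of {baseline} chars")
    for values, status, chars in hits:
        print(f"{status}  {chars:>4} chars  X-isAdmin={values[0]}  X-User={values[1]}")
```

Running it lists a single surviving request, X-isAdmin=true with X-User=Billy, answered with a 302 and an empty body while every other combination returns the 20-character Unauthorized Access! page. Picking the most common length as the baseline automatically is convenient for a demo; with Wfuzz you read the baseline from the first unfiltered run and pass it explicitly to --hh, and you should also watch status codes and response headers, since a server can return the same body length for very different outcomes.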

Performing fuzz testing on web application attack vectors can provide us with more insight during a web application penetration test. It is good practice to log every request and response whenever the fuzzer finds something interesting, so that the finding can be reproduced later. Fuzz testing is most effective when the fuzzer is supplied with comprehensive, well-chosen payload data. Used this way, it can surface code execution and other technical vulnerabilities that a generic web application scanner may miss.