Filter Sandboxing and Fuzzing: A Web App Testing Technique

My NYMISSA presentation on web app static code analysis and testing techniques received good reviews. The aspect of the presentation that drew the most comments from the other web app pen test professionals in attendance was my technique for sandboxing and fuzzing the filter so it can be tested independently. Based on this feedback I thought it might make a good blog post for other professionals.

At a very high level, here is how it works. Locate the GET/POST filters and the routines they call. Copy and paste them into a script that runs a variable through the filter and shows the output. Open Burp and send a manual request to the custom script that wraps the web app filter. Send that request to Intruder and fuzz the parameter. See what comes out the other side.

It is a good technique to use when one has access to the source, because it helps one figure out how to craft one's injection code: it shows which characters "normally" get through the filter by default.

I've posted the screen prints of the technique below. On the page itself the steps appear in order; once you click into the gallery the images seem to randomize. The general steps follow the image numbers 1-16.

Since my presentation was for a PHP app, the demo script in slide 6 is one I use in live testing. The simple PHP script takes a parameter from a GET request and passes it through the web app filter. Feel free to copy and use it, but please credit me in reports!
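A harness of the same kind, written here as an added example rather than the slide-6 script: it wraps an app filter that has been pasted into filter.php as app_filter() (both placeholder names) and prints the input, the output and a per-byte verdict, so Intruder results can be read at a glance.

```php
<?php
// Added example harness (not the slide-6 script): run the app's own input
// filter in isolation and report which bytes survive it unchanged.
// Assumption: the filter was pasted into filter.php as
// app_filter(string $in): string. Both names are placeholders.
declare(strict_types=1);

if (is_file(__DIR__ . '/filter.php')) {
    require_once __DIR__ . '/filter.php';
}
if (!function_exists('app_filter')) {
    // Constructed stand-in so the harness runs on its own: a deliberately
    // weak filter that only strips script tags and entity-encodes quotes.
    function app_filter(string $in): string
    {
        $in = preg_replace('#</?script[^>]*>#i', '', $in) ?? $in;
        return str_replace(['"', "'"], ['&quot;', '&#39;'], $in);
    }
}

/** Run one value through the filter and describe the result per byte. */
function probe(string $raw): array
{
    $out = app_filter($raw);
    $chars = [];
    foreach ($raw === '' ? [] : array_unique(str_split($raw)) as $ch) {
        // A byte no longer present in the output was stripped or encoded.
        $chars[] = sprintf('%s(0x%02x)=%s',
            ctype_print($ch) ? $ch : '.', ord($ch),
            strpos($out, $ch) !== false ? 'passes' : 'altered');
    }
    return ['in' => $raw, 'out' => $out, 'chars' => $chars];
}

// Entry point for the Burp request: GET /harness.php?q=<value>.
$q = $_GET['q'] ?? '';
if (!is_string($q)) {            // reject q[]=... array tricks
    http_response_code(400);
    exit("q must be a scalar\n");
}
$r = probe($q);
header('Content-Type: text/plain; charset=utf-8');
printf("in   : %s\nhex  : %s\n", $r['in'], bin2hex($r['in']));
printf("out  : %s\nhex  : %s\n", $r['out'], bin2hex($r['out']));
echo "chars: ", implode(' ', $r['chars']), "\n";
```

Serve it locally with `php -S 127.0.0.1:8080` and point the manual Burp request at `/harness.php?q=test` before sending it to Intruder.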

As a bonus, here is a small library of characters and strings to use in combination with this testing technique, in addition to the fuzzdb interesting-metacharacters.txt file from the demo below.

(Shameless plug: you can also follow me on Twitter.)

Demo technique steps: