Nmap Development mailing list archives

Re: [NSE] http-form-fuzzer script


From: Paulino Calderon <paulino () calderonpale com>
Date: Sun, 10 Jun 2012 23:35:13 -0600

On 06/10/2012 05:11 PM, Peter O wrote:
Hi all,

this script attempts to fuzz fields in forms it detects (it fuzzes one
field at a time). In each iteration it first tries to fuzz a field
with a string, then with a number. In the output, actions and paths
for which errors were observed are listed, along with names of fields
that were being fuzzed during error occurrence. Length and type
(string/integer) of the input that caused the error are also provided.
We consider an error to be either a response with status 500 or an
empty body, or a response that contains the strings "server error" or
"sql error". ATM anything other than that is not considered an
'error'.
There is room for improvement, one idea would be to develop more
sophisticated techniques that will let us determine if the fuzzing was
successful (i.e. we got an 'error'). Ideally, an algorithm that will
tell us a percentage difference between responses should be
implemented.


- Peter


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
I noticed that you are transforming the field names to lowercase when extracting the forms. Aren't we generating incorrect field names because of it? Form names are case sensitive to web applications. Am I missing something?

+  -- first find regular inputs
+  for f in string.gmatch(form, '<%s*[Ii][Nn][Pp][Uu][Tt].->') do
+    input_type = string.match(f, '[Tt][Yy][Pp][Ee]="(.-)"')
+    input_name = string.match(f, '[Nn][Aa][Mm][Ee]="(.-)"')
+    local next_field_index = #fields+1
+    if input_name then
+      fields[next_field_index] = {}
+      fields[next_field_index]["name"] = string.lower(input_name)
+      if input_type then
+        fields[next_field_index]["type"] = string.lower(input_type)
+      end
+    end
+  end
+
+  -- now search for textareas
+  for f in string.gmatch(form, '<%s*[Tt][Ee][Xx][Tt][Aa][Rr][Ee][Aa].->') do
+    input_name = string.match(f, '[Nn][Aa][Mm][Ee]="(.-)"')
+    local next_field_index = #fields+1
+    if input_name then
+      fields[next_field_index] = {}
+      fields[next_field_index]["name"] = string.lower(input_name)
+      fields[next_field_index]["type"] = "textarea"
+    end
+  end
+  parsed["fields"] = fields
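Review bot: the `string.lower(input_name)` assignments in both the input loop and the textarea loop change the field name the script will later submit, and since the receiving application treats field names case-sensitively, a form declared with `name="UserName"` would be fuzzed as `username` and the parameter may simply be ignored; store `input_name` exactly as extracted and lowercase only `input_type`, whose values the script compares itself. Two smaller points in the same hunk: `input_type` and `input_name` are assigned without `local` and so leak into the global environment (declare them `local` inside each loop), and the patterns `[Tt][Yy][Pp][Ee]="(.-)"` and `[Nn][Aa][Mm][Ee]="(.-)"` only match double-quoted attribute values, so single-quoted or unquoted `name=` attributes are silently skipped and those fields never get fuzzed.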




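As an added illustration of the error heuristic and the "percentage difference between responses" idea Peter describes, here is a stand-alone Lua snippet. It is not code from the http-form-fuzzer script or from anyone in this thread, and it uses no NSE libraries so it runs under plain `lua`. The response tables, field names, the 30% threshold and the bag-of-tokens difference measure are all assumptions made for the example.

```lua
-- Added example, not part of http-form-fuzzer or the thread. Plain Lua 5.x,
-- no NSE libraries; responses are constructed tables {status=, body=}.

-- Strings whose presence in a body counts as an error (from the post's heuristic).
local ERROR_MARKERS = { "server error", "sql error" }

-- Percent-difference above which an otherwise "normal" response is reported.
-- The value is an assumption for this example; calibrate it per target.
local DIFF_THRESHOLD = 30

-- The heuristic described in the post: HTTP 500, an empty body, or a body that
-- contains one of the marker strings (compared case-insensitively).
local function looks_like_error(response)
  if response.status == 500 then
    return true, "status 500"
  end
  local body = response.body or ""
  if body == "" then
    return true, "empty body"
  end
  local lowered = body:lower()
  for _, marker in ipairs(ERROR_MARKERS) do
    if lowered:find(marker, 1, true) then  -- plain find, no pattern magic
      return true, "body contains '" .. marker .. "'"
    end
  end
  return false, nil
end

-- Multiset of alphanumeric tokens in a body, plus the total token count.
local function token_counts(body)
  local counts, total = {}, 0
  for tok in body:lower():gmatch("%w+") do
    counts[tok] = (counts[tok] or 0) + 1
    total = total + 1
  end
  return counts, total
end

-- Bag-of-tokens difference between two bodies, as a percentage:
-- 0 = identical token multisets, 100 = no token in common.
local function percent_difference(a, b)
  local ca, na = token_counts(a)
  local cb, nb = token_counts(b)
  if na + nb == 0 then return 0 end
  local shared = 0
  for tok, n in pairs(ca) do
    local m = cb[tok]
    if m then shared = shared + math.min(n, m) end
  end
  return 100 * (1 - (2 * shared) / (na + nb))
end

-- Combine both signals: the status/keyword heuristic first, then the
-- baseline comparison for responses the heuristic does not catch.
local function classify(baseline, trial)
  local is_err, why = looks_like_error(trial.response)
  local diff = percent_difference(baseline.body or "", trial.response.body or "")
  if is_err then
    return "error", why, diff
  elseif diff >= DIFF_THRESHOLD then
    return "suspicious", string.format("%.0f%% different from baseline", diff), diff
  end
  return "normal", "", diff
end

-- Constructed sample data: a baseline page and five fuzzing trials.
local baseline = {
  status = 200,
  body = "<html><body><h1>Search</h1><p>No results for your query.</p></body></html>",
}
local trials = {
  { field = "q",    kind = "string",  len = 256,
    response = { status = 200, body = baseline.body } },
  { field = "q",    kind = "string",  len = 1024,
    response = { status = 500, body = "Internal Server Error" } },
  { field = "id",   kind = "integer", len = 20,
    response = { status = 200, body = "<html><body>SQL Error: unterminated string</body></html>" } },
  { field = "page", kind = "integer", len = 12,
    response = { status = 200, body = "" } },
  -- Not caught by the keyword heuristic, only by the baseline comparison.
  { field = "q",    kind = "string",  len = 64,
    response = { status = 200, body = "<html><body><pre>Traceback (most recent call last): "
      .. "File app.py, line 42, in search: ValueError: invalid literal</pre></body></html>" } },
}

for _, t in ipairs(trials) do
  local verdict, why, diff = classify(baseline, t)
  print(string.format("%-10s field=%-5s %-7s len=%-5d diff=%5.1f%%  %s",
                      verdict, t.field, t.kind, t.len, diff, why))
end
```

The first four trials are decided by the heuristic from the post (identical page, status 500, "SQL Error" text, empty body). The last trial is the case that motivates a difference measure: a stack trace served with status 200 and none of the marker strings passes the keyword check, but its token multiset is about 71% different from the baseline, so it is reported as suspicious. A bag-of-tokens ratio is deliberately crude and will also flag legitimate content changes (a search that actually returns results, for instance), so in a real script the threshold should be calibrated against a few benign submissions of the same form before fuzzing starts.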