# Burp Intruder

- `Burp Intruder` can be used to fuzz pages, directories, sub-domains, parameters, parameter values, etc.
- Alternative to CLI-based fuzzers, like `ffuf`, `dirbuster`, `gobuster`, `wfuzz`
- The community version is throttled at a speed of 1 request per second, making it extremely slow compared to CLI-based web fuzzing tools, which can usually reach up to 10k requests per second
- However, the paid version has unlimited speed, which can rival common web fuzzing tools, in addition to other useful features of `Burp Intruder`, making it one of the best web fuzzing and brute-forcing tools
- First, start up `Burp` and visit the target web app with the pre-configured browser
- Second, go to Proxy History, locate the associated request, then right-click and Send to Intruder
- Third, once in `Burp Intruder` we can manipulate the following components:
    - Target
    - Positions: where we place the payload position pointer or, in other words, the point where words from our wordlist will be placed and iterated
      ![[images/Pasted image 20251112200704.png]]
    - Payloads: essentially a selected wordlist, but can be more exotic
        - `runtime` is recommended for payload type
        - Here `/usr/share/seclists/Discovery/Web-Content/common.txt` is selected for the payload configuration
          ![[images/Pasted image 20251112201023.png]]
        - Other options:
            - Payload Processing: fuzzing rules to use over the loaded wordlist
              ![[images/Pasted image 20251112201032.png]]
            - Payload Encoding
              ![[images/Pasted image 20251112201039.png]]
    - Settings
- Once we start the attack, a new window pops up with results where we can filter based on request number, status code, length, etc.
  ![[images/Pasted image 20251112201525.png]]
- We can also view the request and response for that particular iteration
    - Request
      ![[images/Pasted image 20251112201622.png]]
    - Response
      ![[images/Pasted image 20251112201647.png]]

# ZAP Fuzzer

- Powerful tool for fuzzing web endpoints, though it is missing some of the features provided by `Burp Intruder`
- However, `ZAP Fuzzer` does not throttle like the free version of `Burp Intruder`
- First, start up `zaproxy` and visit the target web app with the pre-configured browser
- Second, right-click on the associated request > Attack > Fuzz, or go to Tools > Fuzz and select the associated request
- Third, a new Fuzzer window opens where we need to select a fuzz location
  ![[images/Pasted image 20251112204946.png]]
- Fourth, after selecting a word and pressing Add for the fuzz location, a Payloads window opens
  ![[images/Pasted image 20251112205007.png]]
  ![[images/Pasted image 20251112203151.png]]
- We can further modify the payload wordlist with processors such as Base64 encode/decode, MD5 hash, postfix string, prefix string, SHA-1/256/512 hash, URL encode/decode, script
- A Generate Preview feature allows us to see words in the pre- and post-processed payload wordlist
  ![[images/Pasted image 20251112203435.png]]
- We can modify other options
  ![[images/Pasted image 20251112203522.png]]

## Exercise

- Visit `http://94.237.48.51:38686/skills` to generate a request with a cookie
  ![[images/Pasted image 20251112204946.png]]
- Use `top-usernames-shortlist.txt` under `/usr/share/seclists/usernames` and MD5 hash payload processing
  ![[images/Pasted image 20251112203435.png]]
- Sort results by size
  ![[images/Pasted image 20251112205439.png]]
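To make the payload-processing step concrete (the ZAP processors listed above, and the MD5 step in the exercise), here is an added Python example, not part of the note or of ZAP/Burp, that applies a chain of processors to a wordlist and returns the same before/after view that Generate Preview shows; the three-word wordlist is constructed and stands in for `top-usernames-shortlist.txt`.

```python
import base64
import hashlib
from typing import Callable, Iterable
from urllib.parse import quote, unquote

# A processor is a function from one payload string to another, applied in order,
# mirroring the ZAP Fuzzer processors named in the note.
Processor = Callable[[str], str]

def prefix(s: str) -> Processor:          # "prefix string" processor
    return lambda p: s + p

def postfix(s: str) -> Processor:         # "postfix string" processor
    return lambda p: p + s

def digest(name: str) -> Processor:       # "MD5 / SHA-1 / SHA-256 / SHA-512 hash"
    # hashlib.new accepts "md5", "sha1", "sha256", "sha512"
    return lambda p: hashlib.new(name, p.encode()).hexdigest()

def b64_encode(p: str) -> str:            # "Base64 encode"
    return base64.b64encode(p.encode()).decode()

def b64_decode(p: str) -> str:            # "Base64 decode"
    return base64.b64decode(p.encode()).decode()

def url_encode(p: str) -> str:            # "URL encode" (everything escaped)
    return quote(p, safe="")

def url_decode(p: str) -> str:            # "URL decode"
    return unquote(p)

def process(wordlist: Iterable[str], chain: list[Processor]) -> list[tuple[str, str]]:
    """Run every word through the chain; return (original, processed) pairs
    like the pre/post columns of Generate Preview."""
    preview = []
    for word in wordlist:
        payload = word
        for proc in chain:
            payload = proc(payload)
        preview.append((word, payload))
    return preview

# Constructed sample wordlist (stand-in for top-usernames-shortlist.txt)
SAMPLE_WORDS = ["admin", "root", "user"]

if __name__ == "__main__":
    for original, processed in process(SAMPLE_WORDS, [digest("md5")]):
        print(f"{original:>6} -> {processed}")
```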