Discovering Injection Vulnerabilities

Before you can exploit an injection vulnerability you will need to know where to fuzz and what to fuzz with. The art of fuzzing is knowing the right payload to send in the right requests with the right tools. The right payload can be guessed or narrowed down based on reconnaissance efforts. The right requests are often those that include user input, but it can also be worth fuzzing the headers and the URL path of other requests.

The right tools depend on the fuzzing strategy that is deployed. Start by casting a wide net across an entire API and then narrow the focus of your attack. In this module, we will use Postman to fuzz wide across the entire API collection, and then we will use Burp Suite along with Wfuzz to fuzz deep into individual requests. Fuzzing is all about requesting the unexpected. When reviewing API documentation, if the API is expecting a certain type of input (number, string, boolean value), send:

  • A very large number

  • A very large string

  • A negative number

  • A string (instead of a number or boolean value)

  • Random characters

  • Boolean values

  • Meta characters

By sending over this input we are testing the limits of the target's input validation. If a certain type of input causes a verbose error or causes a delayed response then you could be on the trail of an injection vulnerability.
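To show what that input validation looks like from the other side, here is an added example (not part of this module or any tool it names): a strict validator for a hypothetical `quantity` field that expects a small positive integer, exercised against one constructed payload from each category listed above. The reason strings are meant for server-side logs; a client should only ever see a generic 400.

```python
"""Added example: strict validation of an API integer field, tested against
the 'unexpected' input classes from the list above (all payloads constructed)."""
import json
import re

MAX_VALUE = 10_000
MAX_STR_LEN = 64
# characters that commonly carry meaning in SQL, shells, templates and HTML
META_CHARS = re.compile(r"[\"';<>(){}\[\]|&$`\\]")

def validate_quantity(raw):
    """Return (ok, reason). Accepts only a JSON integer in [1, MAX_VALUE]."""
    # bool is a subclass of int in Python, so it must be rejected first
    if isinstance(raw, bool):
        return False, "boolean where integer expected"
    if isinstance(raw, int):
        if raw < 1:
            return False, "negative or zero"
        if raw > MAX_VALUE:
            return False, "exceeds maximum"
        return True, "ok"
    if isinstance(raw, str):
        # bound the length before doing any further work on the string
        if len(raw) > MAX_STR_LEN:
            return False, "string too long"
        if META_CHARS.search(raw):
            return False, "meta characters"
        return False, "string where integer expected"
    return False, "unsupported type"

# Constructed payloads, one per category from the list above, plus a valid one
PAYLOADS = {
    "very large number": 10**30,
    "very large string": "A" * 10_000,
    "negative number": -1,
    "string instead of number": "5",
    "random characters": "qZ4kP9",
    "boolean": True,
    "meta characters": "a'; --",
    "valid": 3,
}

def run_cases(payloads=PAYLOADS):
    """Round-trip each payload through JSON as a request body would be,
    validate the field, and return {payload name: reason}."""
    results = {}
    for name, value in payloads.items():
        body = json.loads(json.dumps({"quantity": value}))
        _ok, reason = validate_quantity(body.get("quantity"))
        results[name] = reason
    return results
```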
