WFUZZ drops query string parameters sometimes when multiple parameters are used but only 1 is fuzzed. May depend on the payload (a guess?).
Please describe your local environment:
Kali Linux, up to date and latest build as of 2/17/2023
Wfuzz version: Output of wfuzz --version
3.1.0
Python version: Output of python --version
3.11.1
OS: Kali Linux
What is the current behavior?
When using WFUZZ with a query string that contains multiple query string parameters, but when fuzzing only one of those parameters, sometimes (not all requests) WFUZZ will drop the other parameters from the GET request.
What is the expected or desired behavior?
WFUZZ should not be altering the query string outside of the fuzzed parameter
Please provide steps to reproduce, including exact wfuzz command executed and output:
Configure a proxy to observe WFUZZ's behavior and each of the requests (BurpSuite for example). Send the following command:
wfuzz -c -w /usr/share/seclists/Fuzzing/SQLi/Generic-SQLi.txt --sc 200,500 -X GET -H "User-Agent: Googlebot-News" -u 'http://www.site.com/patha/pathb?PreviewKey=FUZZ&Theme=3fc3f82483d14ec485ef92e206116d49&ThemeContextId=00000000-0000-0000-0000-000000000000&ThemeTypeId=0c647246-6735-42f9-875d-c8b991fe739b' -p localhost:8080
Observe the HTTP history in BurpSuite. Observe that some of the requests have the complete query string, for example:
/patha/pathb?PreviewKey=hi%20or%201=1%20--"&Theme=3fc3f82483d14ec485ef92e206116d49&ThemeContextId=00000000-0000-0000-0000-000000000000&ThemeTypeId=0c647246-6735-42f9-875d-c8b991fe739b
...and others do not. Example:
/patha/pathb?PreviewKey=1%20or%20sleep(TIME)
Other relevant information:
Because WFUZZ is dropping the query strings in some instances and not others, the results are not accurate. If there are mandatory values in the query string that are not passed, such as session keys, etc. then the results would not be accurate and the web app would behave entirely differently.
The consequence of this is that the tool would seem to be unusable and untrustworthy in this specific use case.
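A small checker for the reproduction step above, added here as an example and not part of the original report or of wfuzz: it compares each request target seen in the proxy with the command-line URL and lists the static parameters that did not arrive. The function names are hypothetical; the URL and the two request targets are the ones quoted in the report.

```python
from urllib.parse import urlsplit, parse_qsl

# Command-line URL from the report; FUZZ marks the only fuzzed parameter.
TEMPLATE = ("http://www.site.com/patha/pathb?PreviewKey=FUZZ"
            "&Theme=3fc3f82483d14ec485ef92e206116d49"
            "&ThemeContextId=00000000-0000-0000-0000-000000000000"
            "&ThemeTypeId=0c647246-6735-42f9-875d-c8b991fe739b")

# The two request targets quoted in the report, as seen in the proxy history.
OBSERVED = [
    '/patha/pathb?PreviewKey=hi%20or%201=1%20--"'
    "&Theme=3fc3f82483d14ec485ef92e206116d49"
    "&ThemeContextId=00000000-0000-0000-0000-000000000000"
    "&ThemeTypeId=0c647246-6735-42f9-875d-c8b991fe739b",
    "/patha/pathb?PreviewKey=1%20or%20sleep(TIME)",
]


def static_params(template, marker="FUZZ"):
    """Return the (name, value) pairs of the template that are not fuzzed."""
    pairs = parse_qsl(urlsplit(template).query, keep_blank_values=True)
    return [(k, v) for k, v in pairs if marker not in k and marker not in v]


def dropped_params(template, request_target, marker="FUZZ"):
    """Names of static parameters that are missing or changed in one request."""
    sent = parse_qsl(urlsplit(request_target).query, keep_blank_values=True)
    return [k for k, v in static_params(template, marker) if (k, v) not in sent]


def audit(template, request_targets, marker="FUZZ"):
    """Map each request target that lost static parameters to their names."""
    report = {}
    for target in request_targets:
        missing = dropped_params(template, target, marker)
        if missing:
            report[target] = missing
    return report


if __name__ == "__main__":
    for target, missing in audit(TEMPLATE, OBSERVED).items():
        print(f"{target}\n  missing: {', '.join(missing)}")
```

Run over the full list of request targets copied from the proxy history, the output shows which payloads coincide with the truncated query strings.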