PROXY FUZZING

How to build a HTTP based server for proxy fuzzing with Python

INTRODUCTION

The article is about building a simple black box fuzzer for testing web applications that utilise some sort of proxy on the backend that you cannot directly inject. The proxy interacts with the server under your control via the URL you specified.

This tool can also be used for the Server Side Request Forgery (SSRF) fuzzing.

SCENARIO

The example application has 3 API’s:

• Set a webhook — Handle POST requests with the URL that the server should request on a certain event sendTransaction:

# REQUEST
POST /webhook HTTP/1.1

{'URL':'https://DOMAIN_COLLAB/fuzz', 'event': 'sendTransaction'}

# RESPONSE
HTTP/1.1 200 OK

{'webhook_view' : 'https://afine.com/webhook_UUID'}

• Event trigger — Handle a POST request with an IBAN and the amount of money to send, which will trigger the sendTranscation webhook:

# REQUEST
POST /transfer HTTP/1.1

{'IBAN': 'PL22105048955204088011563697', 'amount': 1000}

# RESPONSE
HTTP/1.1 200 OK

• Webhook response — Handle a GET request with the webhook_UUID that stores the server responses from a server under url specified in the first request: