
...the very coveted last speaking spot in the entire conference, so I apologize in advance for my very moody, fantastic-looking slides that look really great on my MacBook screen and look horrendous in a well-lit room on a projector. I have this micro site that I wrote for the talk, and I just added a link to the slides on there. You might want to come forward, because it's got really nice dark-mode-looking code that's going to be fantastic in this well-lit room, but you can also get the slides yourself right there if you want.

Awesome. So we're going to talk about fuzzing frontiers today. My guarantee to you is that, being that it's the last talk, the ratio of information to time you spend in this room will be the highest of any talk from the whole conference, and if I don't meet that you can have a sticker after the talk, and if I do meet that you also can have a sticker after the talk. So we're going to talk about what fuzzing is, and we're going to talk about what nuclei is. Does anybody know what nuclei is? I thought maybe that's why you stuck around for the last talk, so that's cool. But we'll briefly touch on that, and then we'll talk about some changes we made recently to the fuzzing capabilities of nuclei, why I think those are important, do a little demo, and then we can go have more drinks and go to the party.

So I think this is probably the best quote to go along with a discussion of fuzzing, and it's not really surprising that it actually comes from an ex-Secretary of Defense. It talks directly about what we're thinking about when we're doing either the offensive or the defensive side of security. Dealing with knowns makes a lot of sense: there are vulnerabilities we know about, and obviously we want to deal with those. There are known unknowns, right? That's a vulnerability that comes out, and so we know it exists, but maybe it's not fully understood yet, or it's not fully mitigated, or we don't know where it is in our environment, so we're not sure if we've mitigated it yet or not. But the most dangerous if I'm on the defensive side, or maybe the most interesting if I'm on the attacking side, are the unknown unknowns, right? What's not known about how this system is functioning? And so that's kind of where I wanted to start our time together.

I'm Brandon. I run the community team at ProjectDiscovery. We make tools like nuclei, which you're all aware of, and a number of other open source offensive security tools like subfinder and katana, and actually dozens of others. I spent the last five years of my career before I came to ProjectDiscovery at GitLab, so more on the dev tools side, but I spent the last year and a half really diving fully into offensive security with ProjectDiscovery. So yeah, that's what we're going to talk about, and then eventually we'll look at those new capabilities I talked about, but first I want to establish what I mean by fuzzing, for those who may not understand. And so I made these two great circles, although it actually is kind of a cool design choice that the
black circle is actually like the whole screen. But fuzzing is a testing technique that intentionally tries to use unexpected or random (or maybe not random, but meaningful but not expected) inputs into a system to try and uncover these kinds of unknown sets of vulnerabilities. I think of it a lot like a toddler pressing every button to see what breaks. I have four kids at home, and I just think that analogy works pretty well for me, because I think some of the largest vulnerabilities in our space are found this way, and definitely if you have a house and you put small children in it, some of the largest vulnerabilities in that house will be found that way.

A classic example is Heartbleed, right? That was found through protocol fuzzing, fuzzing the TCP stack, the DTLS stack, to see what happens if we send to this innocuous heartbeat endpoint an overflow, an input that's longer than it's expecting. And if we're not careful about sanitizing inputs and caring about the length of payloads and those kinds of things, even in a nothing query, just a heartbeat query, you can have this major flaw that impacts the entire world.

And so there are lots of vulnerability categories where fuzzing is useful. Again, really almost any vulnerability category could be susceptible to or benefit from some level of fuzzing against it, but I think some of the most interesting and most common are those things that seek to inject either code or commands, or seek to inject SQL statements into user input or unsanitized API inputs, those kinds of things. And then also things that are going to try and overflow the buffer, or send an unexpected payload length and then get an unexpected output and allow an attacker to move laterally.

And there are lots and lots of tools out there that focus on fuzzing. Some focus on low-level fuzzing at the compiler level, or the command and code level. There are a lot of tools focused on web fuzzing; ffuf is probably one of the most popular. I'm obviously very, very biased, but I'm excited to talk about what we've been adding to nuclei open source around fuzzing.

And so again, most folks in the room knew what nuclei is, but just briefly: there's a really cool globe there, you can just imagine it if you can't see it. It's a flexible engine that can run automated scans against a large number of targets and in a large number of protocols. So there are lots of protocols it supports: it supports file-based protocols, DNS, TLS, network protocols, but the most popular, and where most of the time is spent, is in HTTP requests. And all of that is leveraging a YAML-based template structure, and it's all open source, right? So we have nuclei itself as open source, the engine, but then also our community templates, of which there are, I think, over eight or nine thousand now, where the community can contribute templates that do these kinds of things and run one of these requests to verify whether something is vulnerable to a given vulnerability.

And just a few months ago, I think four months ago, we released nuclei version 3.2, which really brought a lot of very advanced fuzzing features, and that's what I want to talk about: how you can use them today. I think there are three capabilities that we thought about as we were building that out. So what is critical if we're fuzzing? In this case, again, let's focus on HTTP fuzzing for a second. I think one is you want to be able to
modify or fuzz any or multiple parts of the request, right? So I'm making a request to the application or to an API, and I want to be able to be very specific about what parts of that request I want to mess with. I also want to target this, right? Just running any kind of vulnerability scanning can be really noisy, and now you're talking about fuzzing vulnerability scanning, you're talking about getting real noisy, right? If you're going to run some massive word list, or you're going to try a whole bunch of different conditions. So you want to be pretty targeted in that, and so we really wanted to find how we can filter the requests that matter for this particular thing we're looking for.

And then lastly, but maybe most importantly, I came up with this concept, actually for this talk, of augmentation being better than automation. A lot of times people think of nuclei as, and it is, this fantastic automation tool, but I think in most cases, and most especially in this case, it's better to think of it as an augmentation tool to what you're already doing, either as a security engineer or a bug bounty hunter. It just integrates into the workflow; it's not replacing what you're going to be doing. I think anyone that's run the basic set of nuclei templates against a public bug bounty program probably knows that we all still have other jobs; it's not the money-printing machine that you would wish it could be. So I think it's really best to think about it that way. We're going to look at some really simple examples, but I'm hoping that I inspire you to really think about what you can do that's more specialized, more focused on the targets you have, more focused on what you're trying to protect, leveraging this same thing. So hopefully I can convince you of that with a couple of demos.

But first, let's talk about what I mean by the entire request. This is just a raw representation of an HTTP request, and again, we want to be able to fuzz all the parts of this. So not just the path or query string, which is what you typically think of with fuzzing; you also want to be able to fuzz against headers, right? If there are custom headers in APIs. And this is where bringing your brain to "wait, what is this application expecting?" is going to really help you target this: what custom headers might be interesting to fuzz, or the cookie itself, that would be interesting to look at, or the body, right? If there are requests that are being made in the body of a request, a POST request or something like it, what can we do to play with that and see what we might be able to find?

And then that second point I mentioned in the design is targeting the fuzzing. You don't want to necessarily alert a WAF to the fact that you're fuzzing, because now you're sending a bajillion requests to it, which is the technical term, bajillion. And that might be important if you're a bug bounty hunter, because you might not want to set off alarms, but it's also important, I think, if you're a pentester or a red team member, because you're going to have to expect that attackers are going to be more sophisticated than that, and so you want to try to think how they're going to think and try to get around the defenses the same way a real attacker would.

So one of the things we introduced in this version is this concept of a precondition. And so that's
going to run before I start fuzzing for a given request: are the preconditions met? If you know nuclei a lot, I could spend a long time on this, but it basically is the same technology as our matchers, to say, hey, is this request going to be worth fuzzing? Before you start pounding this endpoint, make sure we really want to. So here in this simple example we can see: okay, we want to only do it for POST methods, if the body is greater than zero. So this is obviously looking at something that has a body in the request, and if we don't have that, we don't want to just overload our target with that. And again, that can help with this risk of getting banned.

And then this is going to be the best-looking slide. This is putting all those things together into an entire template, and again, on that website all these examples are there. But we can see the preconditions, the same ones we saw before, and then we can see this payload section, right? So this is what we're going to inject as our fuzzing payloads, and you can have multiple ones here. "injection" is actually the variable name I'm going to be using later on to do it, and here we can see we're trying to do some pretty basic SQL injection stuff, right? Like, what happens if I send it a semicolon? And then the fuzzing section is where we define okay, where and how are we going to fuzz this request? So here we can see the part is the body; again, we talked about the different parts that we can do. And then this text, which is literally impossible for you to read, is about the way we are going to fuzz it. So here we can see it says type: postfix, but the other types, since you can't read them, are prefix, postfix, replace, infix, or replace with a regex. So this is how we're going to do it: are we putting it at the end of the query or at the end of the body, are we replacing the entire body, or are we inserting it into the middle? In this case we're saying postfix: after the body, put this injected thing. And then, are we replacing one thing at a time or multiple? That's this mode. And then the fuzz is actually using that injection variable that I defined there.

All right, so that's great in theory, and we're going to look at an example, again, that's going to be kind of hard to read, but let's talk about looking for local file inclusions. Obviously we don't want attackers to get access to our file system; that could be not great. They could get access to critical files, to environmental variables, to move laterally to other systems. And so in this template we can see that we're going to be fuzzing different file paths into the query string to see if we can do directory traversal to then get access to a local file.

And then the demo is going to actually be easier to see, I hope. Interestingly, I'm behind it; we'll wait for it to restart, but it did work. So here I'm at the end, I'm going to curl, so we can see that I'm running nuclei, and we'll see it in a second. I'm going to wait for it to restart here. I'm running nuclei against the same micro site that we talked about, which is going to respond with what looks like a local file, so that nuclei gets upset about it and tells us about it. But first we can see I've got the URL here as my target, the URL with this query string of "file" at the end. Then I'm going to tell nuclei I'm
going to use this local template, and I'm throwing this -dast flag in there to say, go ahead and run fuzzing against it. And we can see it ran three different variations, and on this last one here it had a match. And then to show that match, I'm just going to curl that same exact URL that it found with a match, and we'll see it returns what looks like an /etc/passwd file. And that's why nuclei was a little concerned about it.

The second example I want to show is around SQL injections. So we looked in that first example at how we might be able to inject different parts of SQL commands, and this is, in our template repo, maybe one of the most extensive sets of commands, because we have a lot of possible responses from all the different kinds of SQL interpreters out there that it's going to look for when we're running these kinds of SQL command injections. So again, you can't see it great, but we're going to put that into a different query string and run those same SQL special characters, including a semicolon. I don't know why it starts at the beginning for me and at the end for you, it's very interesting, but we'll start over again here. So again, same concept of passing the URL with this query string, and then using this different template, which again you can find the example on the website, and passing the -dast flag. It's going to run those different kinds of injections that we had, and then here you can see with a semicolon it found something. So I'm going to go ahead and copy that URL and curl that again to just see what that output was, and we can see, once we get that, that it was what looks like a Ruby on Rails Postgres error, which means I might have the ability to run nefarious SQL commands there.

So that's it conceptually, and then the one last thing I want to hit on is this concept of augmented automation. What we just saw were super simplified views: what's the quick thing I could do at a BSides at 6:15 to show you what it looks like? But I think in applying this to the real world, that last key of augmented automation really comes in. So we were passing nuclei in those two examples just a URL, which is okay, that's great, I could have curled it, and did curl it, just as easily. But the input that nuclei can take is also a list, and more importantly, with this latest version, it can start from your OpenAPI spec or Swagger spec and use that as its base for what I'm going to fuzz against, right? Or take the output from other ProjectDiscovery open source tools like httpx or proxify or katana and take that as my input, and then I understand what all the query parameters are that I was able to find. Or, even better, output from Burp Suite: so if I'm clicking around and doing some of that manual exploration, but then want to fuzz against all of the things that I found while I was doing it, I can just take the output from Burp Suite, put it right into nuclei, and fuzz against it.

So again, I think that's where the real power is going to come, when folks are able to do that. Again, you can see lots of examples of this on our repository, but I think using these kinds of tools to augment what you're already doing, either in penetration testing or in defending, is where this really becomes powerful.

So, great. Like I said, you can go check out fuzzbuzz dovel app. It's not actually vulnerable, at least to my knowledge, because it's on Vercel, but it responds with some vulnerable queries and walks you through the two examples that we saw in the presentation. It also has links to these slides, to our documentation on fuzzing, to a blog that our engineering team wrote when we released it, and also to our Discord server if you have any questions afterwards. So yeah, I think we have a couple of minutes for questions if anyone has any. Thanks so much.

[Applause]
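The template pieces the talk walks through (a pre-condition on method and body length, a payload variable named `injection`, and a `fuzzing` section that says which part of the request to mutate and how) assembled into one complete nuclei-style DAST template. This is an added example written for this transcript; it is not a template from the talk's micro site or from the nuclei-templates repository. The `id`, `info` fields, the payload list and the matcher strings are assumptions chosen to illustrate the structure, not values taken from the talk.

```yaml
# Added example (not from the talk or the nuclei-templates repo): a nuclei 3.2-style
# fuzzing template that only fires on POST requests that carry a body, appends each
# payload to one body parameter at a time, and reports responses that look like a
# database error. Ids, names and matcher strings are illustrative assumptions.
id: fuzz-body-sqli-example

info:
  name: Body parameter SQL error check (added example)
  author: example-author          # assumption
  severity: medium
  description: >
    Appends SQL metacharacters to POST body parameters and flags responses
    that expose a database error message. Use it to confirm input handling
    on endpoints you own or are authorised to test.
  tags: fuzz,sqli,dast

http:
  # 1) Targeting: the pre-condition is evaluated before any fuzzing happens.
  #    Requests that are not POST, or have an empty body, are skipped entirely,
  #    which keeps the scan from hammering every endpoint it is given.
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "POST"'
          - 'len(body) > 0'
        condition: and

    # 2) Payloads: the variable name ("injection") is what the fuzzing
    #    section refers to below. Small, deliberate set rather than a word list.
    payloads:
      injection:
        - "'"
        - ";"
        - "\""

    # 3) Fuzzing rules: which part of the request to mutate and how.
    #    part  -> body   (alternatives: query, path, header, cookie)
    #    type  -> postfix (alternatives: prefix, infix, replace, replace-regex)
    #    mode  -> single  (mutate one parameter per request; "multiple" mutates all at once)
    fuzzing:
      - part: body
        type: postfix
        mode: single
        fuzz:
          - "{{injection}}"

    # Stop fuzzing this request once one payload has matched.
    stop-at-first-match: true

    # Detection: a database error leaking into the response body is the signal.
    # The strings below are illustrative examples of common driver error text.
    matchers:
      - type: word
        part: body
        condition: or
        words:
          - "PG::SyntaxError"
          - "syntax error at or near"
          - "You have an error in your SQL syntax"
```

Because the pre-condition requires a POST with a body, feeding nuclei a bare URL (which produces a GET) would skip this template; it needs input that carries real request bodies, which is exactly the OpenAPI/Swagger or proxy-export input the talk describes. An invocation such as `nuclei -im openapi -l api-spec.yaml -t fuzz-body-sqli-example.yaml -dast` is the assumed shape (the `-im` input-mode flag and file names are assumptions; `-dast` is the flag shown in the talk). The `mode: single` choice is deliberate: mutating one parameter per request keeps each finding attributable to a specific field, which is what you want when turning a match into a fix.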