3

I have a web application I am wanting to fuzz. It consists of a lot of REST webservice gets/puts. I have been considering using Sulley Fuzzing Framework or its successor boofuzz.

Since the jsessionid and/or other authentication cookies change each time the user logs into the application, what is the best way to handle logging into the application and then grab the necessary cookies?

Can I then add them as s_static parts of my Sulley/boofuzz session?

Any tips / pointers to documentation would be helpful. Also if there is a better tool to use I would consider it as well.

Thanks

dnraikes
    If you need help with particular frameworks it would be nice if you could link them. In general, why don't you just write a script that performs the authentication and feeds the session cookie into your fuzzer? – Arminius May 09 '17 at 02:36

1 Answer

0

As you asked for other tools, here's a vote for the (amazing) Python Requests library. It makes writing your own tools way easier than it used to be. Writing automated logins is dead easy.

Iain Duncan
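An added example, not part of the original answer or comment, of the approach they suggest: log in with Requests, capture the per-login cookies, and render them as a header line a fuzzer can carry as static data. The local demo server, the `/login` and `/api/items` paths, the form field names and the credentials are all constructed assumptions standing in for the application under test.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

import requests

# Constructed stand-in for the app under test: POST /login issues a JSESSIONID,
# GET on any path answers 200 only when that cookie is presented.
class DemoApp(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode()
        ok = self.path == "/login" and body == "username=tester&password=example-pass"
        self.send_response(200 if ok else 401)
        if ok:
            self.send_header("Set-Cookie", "JSESSIONID=constructed-session-1; Path=/; HttpOnly")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        authed = "JSESSIONID=constructed-session-1" in self.headers.get("Cookie", "")
        self.send_response(200 if authed else 401)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def start_demo_app():
    server = HTTPServer(("127.0.0.1", 0), DemoApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

def login(base_url, username, password):
    """Log in and return a requests.Session holding the fresh cookies."""
    session = requests.Session()
    session.trust_env = False  # ignore proxy env vars; talk to the target directly
    resp = session.post(f"{base_url}/login",
                        data={"username": username, "password": password}, timeout=5)
    resp.raise_for_status()  # a failed login must not yield an empty cookie set
    return session

def cookie_header(session):
    """Render the session's cookies as one Cookie header line for a fuzzer."""
    pairs = "; ".join(f"{c.name}={c.value}" for c in session.cookies)
    return f"Cookie: {pairs}\r\n"

def session_alive(session, base_url):
    """Probe an authenticated endpoint; log in again when this returns False."""
    return session.get(f"{base_url}/api/items", timeout=5).status_code == 200
```

The string returned by `cookie_header()` is the value that would go into a static part of the fuzzed request. Calling `session_alive()` between test cases shows when the session has expired and the header needs rebuilding from a new login.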