PROXY FUZZING

8 months ago 48

Karol Mazurek

How to build an HTTP-based server for proxy fuzzing with Python

This article is about building a simple black-box fuzzer for testing web applications that use some sort of backend proxy you cannot inject into directly. The proxy interacts with a server under your control via the URL you specify.

This tool can also be used for Server-Side Request Forgery (SSRF) fuzzing.

The example application has three APIs:

Set a webhook — handles POST requests with the URL that the server should request on a certain event, here sendTransaction:

# REQUEST
POST /webhook HTTP/1.1

{'URL':'https://DOMAIN_COLLAB/fuzz', 'event': 'sendTransaction'}

# RESPONSE
HTTP/1.1 200 OK

{'webhook_view' : 'https://afine.com/webhook_UUID'}

Event trigger — handles a POST request with an IBAN and the amount of money to send, which triggers the sendTransaction webhook:

# REQUEST
POST /transfer HTTP/1.1

{'IBAN': 'PL22105048955204088011563697', 'amount': 1000}

# RESPONSE
HTTP/1.1 200 OK

Webhook response — handles a GET request for webhook_UUID, which stores the responses received from the server at the URL specified in the first request:

# REQUEST
GET /webhook_UUID HTTP/1.1

# RESPONSE
HTTP/1.1 200 OK

<RESPONSE FROM https://DOMAIN_COLLAB/fuzz>

A client initiates a flow by sending a URL to the server. Upon receiving the URL, the webhook is set on the backend. The server will request the specified URL when the user sends a transaction. Then the response is stored under webhook_UUID.

Considering the above API, we have SSRF by design. We can specify where the proxy server will send the requests, and we can observe responses.
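The server side of the flow described above, as an added example that is not the article's own code: a local stand-in for DOMAIN_COLLAB that serves one constructed test case per request to /fuzz and records what the caller sent, so each stored webhook response can be matched to the case that produced it. The test cases, the X-Fuzz-Case header, the helper names and the assumption that the proxy fetches the URL with GET are all hypothetical.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed test cases (content type, body); one is served per request.
CASES = [
    ("text/plain", b"baseline"),
    ("application/json", b'{"unterminated": '),
    ("text/html", b"<b>markup</b>"),
    ("application/octet-stream", bytes(range(256))),
]

class FuzzHandler(BaseHTTPRequestHandler):
    def do_GET(self):  # assumption: the proxy fetches the webhook URL with GET
        srv = self.server
        with srv.lock:  # pick the next case and record what the proxy sent
            index = srv.next_case
            srv.next_case = (index + 1) % len(CASES)
            srv.seen.append((index, self.path, dict(self.headers)))
        ctype, body = CASES[index]
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.send_header("X-Fuzz-Case", str(index))  # hypothetical correlation header
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep stderr quiet; srv.seen is the log
        pass

def make_server(host="127.0.0.1", port=0):
    srv = ThreadingHTTPServer((host, port), FuzzHandler)
    srv.lock, srv.next_case, srv.seen = threading.Lock(), 0, []
    return srv

def demo():
    """Stand in for the proxy: fetch /fuzz once per case, return what came back."""
    srv = make_server()
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{srv.server_address[1]}/fuzz"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    results = []
    for _ in CASES:
        with opener.open(url, timeout=5) as resp:
            results.append((int(resp.headers["X-Fuzz-Case"]), resp.read()))
    srv.shutdown()
    srv.server_close()
    return results, srv.seen

if __name__ == "__main__":
    for case, body in demo()[0]:
        print(case, len(body), body[:20])
```

In the real flow the proxy takes the place of demo(): each POST /transfer makes it fetch the next case, and the entries in srv.seen show the path and headers it used.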

There are two critical areas to test from the security perspective. One is the response that we can see in the last step 12. The second is a mechanism…