Smart Fuzzing — Finding bugs like no one else. By Gilson Oliveira

Hi, everyone!

I decided to post bug bounty resources on Medium and today I will talk about fuzzing and my approach to this topic while searching for vulnerabilities.

First, fuzzing is one of the best ways of finding things that no one else finds. I know, it seems to be a lie, because everyone is fuzzing everywhere, but I wanna prove to you that I’m not kidding by sharing some of my findings.

You will see that most of them are simple bugs that anyone could find, but because most people don’t fuzz smartly, they miss ridiculous bugs.

The first step is to find more subdomains than other people. There are many ways to improve subdomain discovery: using API keys, looking inside JS files, doing word permutations, using more tools and aggregating all the found subdomains in one file, etc.

Everyone already knows this, so there is nothing new in that approach: the first to search finds the bug, as with many other things in the bug bounty world.

Let me tell a quick story: I was searching for vulnerabilities in a program that I’ve been playing for a long time and had no idea how to find more vulnerabilities, because it’s a public program and everyone is running a lot of automation on it. So an idea came to my mind: “What if I try to brute force subdomains with FFuF, but not the way everyone does?”.

I started looking at the list of subdomains that I’d already had for a long time, searching for patterns and ways of brute forcing more of them.

Here is what I’ve done:

ffuf -u https://FUZZword.redacted.com -w SecLists/raft-large-words-lowercase.txt -c -v -mc all -t 350

Let me break down what I’m doing here:

- The “word” after “FUZZ” is commonly used in almost all subdomains of this particular target.
- I chose SecLists’s “raft-large-words-lowercase” because it has a good amount of commonly used words, which is perfect for finding subdomains when combined with the “word” I mentioned before.
- I also did it the other way around, “wordFUZZ”, as there are some domains with this pattern in my previous list.
- You can combine this with other words that match a pattern in the subdomains list, and use “-”, “.”, and even numbers or letters, like “1FUZZ”, “01-FUZZ”, “aa-FUZZ”, “FUZZ-it”, etc.
- It’s important to use “-mc all” because we don’t care about errors; we just want to know if there is a response.
- Sometimes you will need to use “-fs” to filter responses by size, as a false positive can mess with the output.
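Seen from the other side of the wire, a run like the one above is a burst of lookups from one source where nearly every name shares the same affix and most of them come back NXDOMAIN. The script below is an added example (not the author's tooling) that scores DNS query logs on exactly that signal; the one-query-per-line log format, the zone name, the thresholds and the sample lines are all constructed assumptions. Besides the verdict, it lists which guessed names actually resolved, since those are the hosts the source now knows about.

```python
"""Spot pattern-based subdomain brute forcing in DNS query logs.

Added example, not the author's tooling. The log format is an assumption:
one query per line as "<epoch> <client_ip> <qname> <rcode>". The sample
lines below are constructed.
"""
from collections import Counter, defaultdict

ZONE = "example.com"          # assumed: the zone being monitored
MIN_NXDOMAIN = 5              # assumed threshold: failed lookups per source
MIN_AFFIX_SHARE = 0.6         # assumed: fraction of names sharing one affix
AFFIX_LENGTHS = range(3, 8)   # affix lengths tried ("word" in the article is 4)

SAMPLE_LOG = """\
1710000001 203.0.113.5 adminword.example.com NXDOMAIN
1710000001 203.0.113.5 apiword.example.com NXDOMAIN
1710000002 203.0.113.5 devword.example.com NOERROR
1710000002 203.0.113.5 testword.example.com NXDOMAIN
1710000003 203.0.113.5 stagingword.example.com NXDOMAIN
1710000003 203.0.113.5 betaword.example.com NXDOMAIN
1710000004 203.0.113.5 portalword.example.com NXDOMAIN
1710000004 203.0.113.5 shopword.example.com NXDOMAIN
1710000010 198.51.100.7 www.example.com NOERROR
1710000011 198.51.100.7 mail.example.com NOERROR
1710000012 198.51.100.7 wwww.example.com NXDOMAIN
1710000020 192.0.2.9 foo.example.com NXDOMAIN
1710000021 192.0.2.9 bar.example.com NXDOMAIN
1710000022 192.0.2.9 baz.example.com NXDOMAIN
1710000023 192.0.2.9 qux.example.com NXDOMAIN
1710000024 192.0.2.9 quux.example.com NXDOMAIN
1710000025 192.0.2.9 corge.example.com NXDOMAIN
"""


def parse_log(text):
    """Parse log lines into (epoch, src_ip, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, src, qname, rcode = parts
        records.append((int(ts), src, qname.lower().rstrip("."), rcode.upper()))
    return records


def label_under_zone(qname, zone=ZONE):
    """Return the label directly below the zone ("adminword" for
    adminword.example.com), or None if the name is outside the zone."""
    suffix = "." + zone
    if not qname.endswith(suffix):
        return None
    return qname[: -len(suffix)].split(".")[-1]


def dominant_affix(labels):
    """Return (kind, affix, share): the prefix or suffix shared by the most
    labels, preferring longer affixes on ties. None if there are no labels."""
    best = None  # (count, length, kind, affix)
    for k in AFFIX_LENGTHS:
        for kind in ("prefix", "suffix"):
            counts = Counter(
                (lab[:k] if kind == "prefix" else lab[-k:])
                for lab in labels
                if len(lab) >= k
            )
            if not counts:
                continue
            affix, n = counts.most_common(1)[0]
            if best is None or (n, k) > best[:2]:
                best = (n, k, kind, affix)
    if best is None:
        return None
    n, _k, kind, affix = best
    return kind, affix, n / len(labels)


def analyze(records, zone=ZONE):
    """Group queries by source and classify sources that hammer the zone."""
    per_src = defaultdict(lambda: {"labels": [], "nxdomain": 0, "resolved": []})
    for _ts, src, qname, rcode in records:
        label = label_under_zone(qname, zone)
        if label is None:
            continue
        info = per_src[src]
        info["labels"].append(label)
        if rcode == "NXDOMAIN":
            info["nxdomain"] += 1
        else:
            info["resolved"].append(label)  # names the source learned exist

    findings = {}
    for src, info in per_src.items():
        if info["nxdomain"] < MIN_NXDOMAIN:
            continue  # ordinary typo rate, not an enumeration run
        affix = dominant_affix(info["labels"])
        patterned = affix is not None and affix[2] >= MIN_AFFIX_SHARE
        findings[src] = {
            "verdict": "pattern-bruteforce" if patterned else "bruteforce",
            "nxdomain": info["nxdomain"],
            "affix": f"{affix[0]}:{affix[1]}" if patterned else None,
            "resolved": info["resolved"],
        }
    return findings


if __name__ == "__main__":
    for src, finding in analyze(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

The affix scan is deliberately naive (fixed lengths, one winner per source) so that it runs over a day of logs without tuning; the thresholds are the knobs to adjust per zone, and a wildcard record will make the `resolved` list useless because everything answers.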

Well, after doing this, I was able to find 12 new subdomains, which I had never seen before; apparently there are no entries for them in any online resource.

I know that we can do word permutation to do something similar, but honestly, this approach was the only one that guided me to find those new subdomains.

After finding the new subdomains I quickly started to search for vulnerabilities. Just by automating, I found: a debug page which exposes valid AWS credentials, a SQL Injection in a password reset page, two Reflected XSS in URL parameters, an improper authorization in an API which gave me customers’ PII, and, surprisingly, a “/status” page which has load balancers that can be edited without any kind of authentication/authorization. This last one could have been found by anyone, so it proves that no one else had seen this particular subdomain.
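Every one of those bugs sat on a host that nobody was tracking, which is the defender's takeaway from this story: the names a zone actually serves and the names the asset inventory knows about drift apart. The script below is an added example, not the author's tooling, that reconciles the two and also lists wildcard records, since a wildcard is what makes every guessed name answer (the false-positive case that “-fs” filters). The zone export, the simplified BIND-style line format, the inventory set and all names are constructed assumptions.

```python
"""Reconcile a DNS zone export against an asset inventory.

Added example, not the author's tooling. Zone lines are assumed to be in a
simplified BIND-style form: "<name> <ttl> IN <type> <rdata>", with "$ORIGIN"
and ";" comments. All sample data is constructed.
"""

ZONE = "example.com"  # assumed default origin

SAMPLE_ZONE = """\
; constructed zone export for example.com
$ORIGIN example.com.
@           300 IN A     198.51.100.10
www         300 IN A     198.51.100.10
api         300 IN A     198.51.100.20
devword     300 IN A     198.51.100.30
status      300 IN A     198.51.100.31
portal      300 IN CNAME www.example.com.
*.apps      300 IN CNAME www.example.com.
"""

# Names the asset-management process knows about (constructed).
INVENTORY = {
    "example.com",
    "www.example.com",
    "api.example.com",
    "shop.example.com",
}


def parse_zone(text, origin=ZONE):
    """Return a list of (fqdn, rtype, rdata) with every name fully qualified."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        parts = line.split()
        # Expected layout: name ttl class type rdata...
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, rtype, rdata = parts[0], parts[3], " ".join(parts[4:])
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name.rstrip(".")
        else:
            fqdn = f"{name}.{origin}"
        records.append((fqdn.lower(), rtype, rdata))
    return records


def reconcile(records, inventory):
    """Compare served names with the inventory.

    unmanaged: in the zone but unknown to the inventory (the article's
               forgotten hosts);
    stale:     in the inventory but no longer in the zone;
    wildcards: records that answer for any name underneath them.
    """
    wildcards = sorted({fqdn for fqdn, _, _ in records if fqdn.startswith("*.")})
    served = {fqdn for fqdn, _, _ in records if not fqdn.startswith("*.")}
    inventory = {name.lower().rstrip(".") for name in inventory}
    return {
        "unmanaged": sorted(served - inventory),
        "stale": sorted(inventory - served),
        "wildcards": wildcards,
    }


if __name__ == "__main__":
    report = reconcile(parse_zone(SAMPLE_ZONE), INVENTORY)
    for key, names in report.items():
        print(f"{key}:")
        for name in names:
            print(f"  {name}")
```

Run against a real export, the `unmanaged` list is the review queue: each entry is either a host that should be added to the inventory and patched like the rest, or a record that should be removed.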

All of these vulnerabilities were found in just one day!

Soon I’ll share more fuzzing techniques which I use to find bugs.

That’s it for today!

Follow me on Twitter! @gilsgil_

Thanks!
