CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Fuzzing is a technique where invalid, random or unexpected data is used either to produce unexpected states or to gain access to hidden features. There are multiple types of fuzzing:
While observing the behaviour of an application, we can analyse the URL and see, for example, that it contains certain data related to what the user can see on the website.
This URL presents the user with an invoice connected to a recent order they made at the example store. As IDs normally increment with each new data input, we could imagine that the next invoice might have the ID 43. Even in cases where it isn't that simple, we could find a pattern by comparing the URLs of two different invoices we received from the same store. We could now fuzz this website by replacing the ID with random data until we find a match. By incrementing or decrementing the ID we could, for example, try to access different invoices, which should not work if the invoice ID does not match the invoices we are allowed to access. In this example, we observed the ID parameter during the website's normal behaviour and tried to alter it with different data.
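The server-side ownership check that makes this kind of ID guessing fail, shown beside the unchecked lookup, as an added example that is not code from the original page. The in-memory store, user names, invoice records and the `MISS_LIMIT` threshold are constructed assumptions.

```python
"""Object-level authorization for an invoice lookup (constructed data)."""
from collections import Counter

# Constructed sample store: invoice ID -> record with its owning user.
INVOICES = {
    42: {"owner": "alice", "total": "19.99"},
    43: {"owner": "bob", "total": "250.00"},
}

MISS_LIMIT = 5        # assumed threshold for flagging enumeration
_misses = Counter()   # per-user count of lookups that were refused


def get_invoice_unchecked(invoice_id):
    """Weak form: any caller who guesses an ID gets the record."""
    invoice = INVOICES.get(invoice_id)
    return (200, invoice) if invoice else (404, None)


def _refuse(session_user, status):
    """Record the refused lookup so repeated guessing becomes visible."""
    _misses[session_user] += 1
    return status, None


def get_invoice(session_user, raw_id):
    """Hardened form: the ID is only a lookup key, never proof of access."""
    if session_user is None:
        return 401, None                      # no authenticated session
    # Accept plain ASCII digits only; anything else is fuzzed input.
    if not (isinstance(raw_id, str) and raw_id.isascii() and raw_id.isdigit()):
        return _refuse(session_user, 400)
    invoice = INVOICES.get(int(raw_id))
    # Same 404 for "missing" and "not yours", so the responses do not
    # reveal which invoice IDs exist.
    if invoice is None or invoice["owner"] != session_user:
        return _refuse(session_user, 404)
    return 200, invoice


def looks_like_enumeration(session_user):
    """True once a user has accumulated MISS_LIMIT refused lookups."""
    return _misses[session_user] >= MISS_LIMIT
```

The refusal counter is what a rate limiter or alert would key on; in a real deployment it would live in shared storage and expire over time.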
Not all applications expose their parameters in the user interface, where they would be easily readable. In addition, it is also possible to look for hidden applications, features and endpoints that are not directly linked on the website.
There are multiple examples of URLs that can be accessed by non-authorised users. By finding these entry points, an attacker can learn a lot about the structure of an application and potentially access data that should not be publicly available.
To prevent exploitation by fuzzing attacks, it is important to secure all endpoints that should not be publicly accessible. Examples of such security measures are the following: