Configure Authentication for the Web Application Fuzzer Using HTTP Headers

The Web Application Fuzzer lets you fuzz Spring Boot web applications without writing fuzz tests: the fuzzer scans the application for endpoints automatically. For web applications that are not based on Spring Boot, you can provide an OpenAPI definition instead.

With this approach, most of the steps needed to set up fuzzing for a web application are automated. You can still customize the fuzzer's behavior manually, and you need to when your web application uses authentication. For security reasons, the main application logic of most web apps is only reachable by logged-in users. The fuzzer obviously cannot "guess" the credentials, so it needs some help here: fuzzing without configuring the login is very unlikely to produce valuable results.

To accommodate the different ways authentication can be implemented, CI Fuzz offers three ways to customize the fuzzer. Which one is most appropriate depends on your application.

All of them work by modifying files located in the `.code-intelligence` folder of your project. This folder contains the complete fuzzing configuration and needs to be added to your VCS. It is created automatically when the fuzzing project is initialized for the first time with CI Fuzz.

1. Login by Initial Request

Add login requests to `<project_dir>/.code-intelligence/fuzz_targets/<target_name>_initial_requests.http`.

The initial requests are sent before the fuzzer starts, and any cookies set by their responses are used for fuzzing.

```http
POST /WebGoat/login HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://localhost:8080
Connection: keep-alive
Referer: http://localhost:8080/WebGoat/login
```

2. Set a Constant Authorization Header

Set constant headers in `<project_dir>/.code-intelligence/fuzz_targets/<target_name>_headers.http`.

The headers defined in this file are set on every request the fuzzer sends. Example:

```http
Authorization: Basic YWRtaW46YWRtaW4=
```

3. Dynamic Header Generation Using a Shell Script

A shell script at `<project_dir>/.code-intelligence/fuzz_targets/<target_name>` whose output is used as the headers. The script runs before fuzzing starts, so it can obtain a header value dynamically (for example a token from a login request):

```sh
#!/bin/sh
# Log in once and print the header; `jq -r` emits the raw string, so no `tr -d '"'` is needed.
token=$(curl -s -X POST "http://localhost:8080/api/login" -H "Content-Type: application/json" -d '{ "username": "admin", "password": "admin" }' | jq -r .Authorization)
echo "Authorization: $token"
```

The Docker container that runs your fuzz test needs to have all the command line tools used in this script installed. To use `curl` and `jq`, you can set

```yaml
run_container: cifuzz/java
```

in your `project.yaml` file.
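A point worth checking in such a script: if the login fails, `jq .Authorization` prints `null`, the script still emits `Authorization: null`, and the fuzzer silently runs without being logged in. The following script is an added example (not CI Fuzz's own code) of the same approach with that failure handled: it refuses to print a header when the response carries no usable token and exits non-zero instead. The login URL, credentials and the `{"Authorization": "..."}` response shape are assumptions taken from the example above; the sample responses are constructed so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not CI Fuzz's own code: a header-generation script that fails
# loudly when the login does not yield a token, instead of printing
# "Authorization: null" and letting the fuzzer run unauthenticated.
# LOGIN_URL and the JSON shape are assumptions based on the page's example.
set -u

LOGIN_URL="${LOGIN_URL:-http://localhost:8080/api/login}"

# Print the Authorization value found in a JSON login response, or nothing.
# jq is preferred; the sed fallback only understands the flat
# {"Authorization": "..."} shape shown on the page.
extract_token() {
    if command -v jq >/dev/null 2>&1; then
        printf '%s' "$1" | jq -r '.Authorization // empty'
    else
        printf '%s' "$1" | sed -n 's/.*"Authorization"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
    fi
}

# Print the header line for the fuzzer; return 1 if there is no usable token.
make_header() {
    token=$(extract_token "$1")
    case "$token" in
        ""|null) return 1 ;;
    esac
    printf 'Authorization: %s\n' "$token"
}

# Perform the real login and emit the header, aborting on any failure.
login_and_emit() {
    body=$(curl -sS -X POST "$LOGIN_URL" -H 'Content-Type: application/json' \
        -d '{"username": "admin", "password": "admin"}') || {
        echo "login request to $LOGIN_URL failed" >&2; return 1; }
    make_header "$body" || {
        echo "login response contained no token: $body" >&2; return 1; }
}

# Constructed sample responses so the parsing can be exercised offline.
SAMPLE_OK='{"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.example"}'
SAMPLE_FAIL='{"error": "bad credentials"}'

if [ "${1:-}" = "live" ]; then
    login_and_emit || exit 1        # real login, for use as the fuzzer's header script
else
    make_header "$SAMPLE_OK"        # prints the header for the constructed success response
    make_header "$SAMPLE_FAIL" || echo "rejected response without token" >&2
fi
```

Run with `sh script.sh live` to perform the actual login; without arguments it only exercises the parsing on the constructed samples. For the real header script, drop the offline branch so that the fuzzer's argument-less invocation performs the login. The non-zero exit on failure is what makes the problem visible in the fuzzing run rather than surfacing later as a suspiciously short list of reachable endpoints.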

If your authentication depends on a chain of requests, and information from earlier responses has to be carried into later requests, see the article Parse HTTP Responses, which explains how parsed values of a response can be reused in the next request.