Parse HTTP Response Values

How to parse HTTP response values and reuse the values as query parameters of the next HTTP request during fuzzing?

Sometimes a specific chain of HTTP requests is necessary to reach a particular state of the target application, for example in a customized authentication flow. It may be that some data from an HTTP response needs to be parsed and is expected in the next request as a query parameter. If the query parameter is, for example, generated by a hash function, it is very hard for the fuzzer to guess its value, so the fuzzer will have difficulty passing the parameter check.

As a solution to this problem, CI Fuzz provides a feature that searches the response with a regular expression for the parameter value and reuses the search result as the query parameter of the next request.

The feature is enabled by adding the following HTTP header to the .http seed file of the fuzzing test:

Jazzer-Internal-Param-From-Previous-Response-Match: <parameter>=<golang-regex>

where <parameter> is replaced by the expected query parameter name of the next request and <golang-regex> is replaced by a regular expression (Go-compatible syntax) that specifies the search pattern. We recommend testing your regular expression against an example application response on regex101.com.

Hint: It is important that the regular expression captures exactly one group.

This feature can be used during authentication and during fuzz testing, depending on the need. To use it during authentication, add the header to the initial request file, e.g. <fuzz_name>_initial_requests.http. The following shows an example initial request seed.

POST /login-page1 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Jazzer-Internal-Param-From-Previous-Response-Match: parameterID=(?<=parameterID" value=")(.*)(?=")

username=demo1234&password=demo1234


GET /WebGoat/login-page2 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

The initial request seed contains two HTTP requests. The first request begins the login, and its response is parsed for a parameterID value. The second request continues the login. The parsed parameter value from the first response is automatically added to the second request as a query parameter:

=>  GET /WebGoat/login-page2?parameterID=<parsed_value> HTTP/1.1

Using the feature to fuzz the next request with a parsed query parameter value works in the same way as for authentication. It is only necessary to specify at least two HTTP requests in the fuzzing seed. The request following the one that carries Jazzer-Internal-Param-From-Previous-Response-Match will automatically have the query parameter value set and, in addition, all of its other HTTP request parameters will be fuzzed.
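The following is an added example, not CI Fuzz's own code, that shows the mechanism described above end to end in Go: it splits the header value into parameter name and pattern, enforces the one-capture-group rule, runs the pattern over a constructed first response body, and rewrites the request line of the second request to carry the extracted value as a percent-encoded query parameter. The function names (ParseMatchHeader, ExtractValue, AddQueryParam, Chain), the sample response body and the hidden-field pattern are assumptions made for this example. Note that Go's regexp package uses RE2 syntax, which does not accept lookbehind or lookahead, so the pattern here isolates the value with an explicit capture group instead.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// MatchHeader is the header name used in the .http seed file.
const MatchHeader = "Jazzer-Internal-Param-From-Previous-Response-Match"

// ParseMatchHeader splits "<parameter>=<golang-regex>" at the first "=" (the
// regex itself may contain "=") and compiles the pattern. Following the hint
// above, the pattern must capture exactly one group.
func ParseMatchHeader(value string) (string, *regexp.Regexp, error) {
	parts := strings.SplitN(value, "=", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", nil, fmt.Errorf("%s: expected <parameter>=<regex>, got %q", MatchHeader, value)
	}
	re, err := regexp.Compile(parts[1])
	if err != nil {
		return "", nil, fmt.Errorf("%s: %w", MatchHeader, err)
	}
	if n := re.NumSubexp(); n != 1 {
		return "", nil, fmt.Errorf("%s: regex %q must capture exactly one group, has %d", MatchHeader, parts[1], n)
	}
	return parts[0], re, nil
}

// ExtractValue returns the text captured by the single group, or an error if
// the response does not contain the pattern (no request is sent blindly).
func ExtractValue(re *regexp.Regexp, body string) (string, error) {
	m := re.FindStringSubmatch(body)
	if m == nil {
		return "", fmt.Errorf("pattern %q did not match the response", re.String())
	}
	return m[1], nil
}

// AddQueryParam rewrites the request target of an HTTP/1.1 request line so
// that it carries param=value, percent-encoding the value and keeping any
// query parameters that were already present.
func AddQueryParam(requestLine, param, value string) (string, error) {
	fields := strings.Fields(requestLine)
	if len(fields) != 3 {
		return "", fmt.Errorf("malformed request line %q", requestLine)
	}
	u, err := url.Parse(fields[1])
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set(param, value)
	u.RawQuery = q.Encode()
	return fields[0] + " " + u.String() + " " + fields[2], nil
}

// Chain applies the header from the first seed request to the captured first
// response body and returns the rewritten request line of the second request.
func Chain(headerValue, firstResponseBody, secondRequestLine string) (string, error) {
	param, re, err := ParseMatchHeader(headerValue)
	if err != nil {
		return "", err
	}
	v, err := ExtractValue(re, firstResponseBody)
	if err != nil {
		return "", err
	}
	return AddQueryParam(secondRequestLine, param, v)
}

func main() {
	// Constructed sample response: the login page embeds the value in a hidden form field.
	body := `<form><input type="hidden" name="parameterID" value="3f9a7c1e"></form>`
	header := `parameterID=name="parameterID" value="([^"]*)"`
	line, err := Chain(header, body, "GET /WebGoat/login-page2 HTTP/1.1")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("=> ", line)
}
```

Rejecting patterns with zero or several groups at parse time, and failing when the pattern does not match, keeps a broken seed from silently sending the second request without the expected parameter, which is the failure a practitioner would otherwise only notice as an unexplained authentication error.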