CI Labs is a preconfigured Ubuntu VM that can be accessed via RDP. It has CI Fuzz preinstalled and includes a test project that lets you try out the fuzzing workflow with CI Fuzz without installing anything on your device.
Contact us to get access to CI Lab. We will send you an IP address and credentials you can use to log in: https://page.code-intelligence.com/ci-labs/get-access.
The only requirement is that you have an RDP client installed.
On Linux, you can for example use rdesktop:
rdesktop -rclipboard:PRIMARY -f 18.104.22.168
Open a shell and navigate to the source code directory of the test project ~/test_code/WebGoat.
WebGoat is a deliberately insecure Java web application. The workflow and techniques described here can be used to fuzz any supported web application. Currently, Spring/Spring Boot and Swagger/OpenAPI web applications are supported.
Besides web applications, CI Fuzz can be used to fuzz C/C++ and Java applications. To learn more about our Java fuzzing capabilities, have a look at our Java fuzzer Jazzer, which we released as open source.
Before you can fuzz the application, you need to build it. This is necessary because CI Fuzz sends randomized requests to the running application and analyzes its behavior.
mvn clean install -DskipTests
Open the WebGoat folder in Visual Studio Code. It comes preinstalled with our CI Fuzz extension.
Open the plugin by clicking the Code Intelligence Logo in the left sidebar and create a fuzzing project. Select "web application fuzzing" and click "submit".
The initialization should only take a few seconds. After this, you can add a web service.
Click "Add Web Service", set a name, and select "org.owasp" from the list of packages to be instrumented.
Copy the shown command line snippet and go back to the terminal.
Start the WebGoat jar located at webgoat-server/target/webgoat-server-*.jar as usual, but additionally pass the -javaagent snippet you copied to java:
java -javaagent:$HOME/bin/fuzzing_agent_deploy.jar=instrumentation_includes="org.owasp.**",service_name=projects/webgoat-bb8aeaea/web_services/WebGoat -jar webgoat-server/target/webgoat-server-8.0.0-SNAPSHOT.jar
Copying the command above verbatim will not work, because the randomly generated project name will be different for you.
Now the Java classes will be instrumented at load time and WebGoat will be started.
Wait a moment until you see the output:
INFO: Got status 'OK' from fuzzing server
Go back to VS Code. Under "Web Services Ready For Fuzzing" a new green entry should be shown. Click on it. Click "Analyze Web Service". Select "Spring/Spring-Boot" as backend technology. Click Analyze. Click "Analyze Web Service".
Select "Add Fuzz Test" in the side column. Select "Java Agent Fuzz Test".
Enter a name for the fuzz test and set a check mark at the web service you want to fuzz in the list of available web services. Set a check mark at "Project Policy" and "Target Policy". This makes sure that uninteresting responses of the application, like 4xx errors, are ignored.
Click save and run the fuzz test using the yellow button at the top right. While the fuzz test is running, you can watch live how it covers more and more lines of code and discovers findings.
Improving the coverage
In the first run, we found a few vulnerabilities, but the vast majority of them stay hidden behind the user login. Since the fuzzer cannot simply bypass the authentication, the parts of the application that are protected by a login are unreachable for now. In the following, you will learn how to change this by teaching the fuzzer how to authenticate properly.
First open the WebGoat login page in your browser by typing
and register a new user.
After the new user has been created successfully, log out again.
Now we will log in again using the newly created user and capture the login request using the Firefox developer tools. Press F12 to open them and switch to the "Network" tab. This shows you all requests and responses sent while you interact with the website.
Scroll to the top. The first request sent is named "login". Right-click on it and copy the request headers.
Now switch back to VS Code and open the file myfuzztest_initial_requests.http. It is located in the folder .code-intelligence/fuzz_targets.
The file is empty by default. Paste the login request header you just copied.
Now the fuzzer knows how a login works for this specific web application. The only missing details are the credentials used for the login. These are not in the request header, but in the request payload.
To see the payload, click the request, open the "Requests" tab and let Firefox display the raw request.
Add this payload to myfuzztest_initial_requests.http. The payload is separated from the header by a single empty line.
Using the preinstalled REST Client plugin, you can send HTTP requests right from VS Code. To do so, just click the "Send request" button.
welcome.mvc appearing in the response indicates that the login was successful.
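As an added illustration of the .http file layout just described (request line and headers, one empty line, then the payload) and of the welcome.mvc success check, here is a small parser that is not part of CI Fuzz or the original page. The file content, host, form field names and credentials are constructed for the example.

```python
"""Parse a CI Fuzz initial-request (.http) file: request line, headers, one empty
line, then the payload. Example code, not the product's own implementation."""
from urllib.parse import parse_qs

# Constructed sample of what myfuzztest_initial_requests.http could hold after
# pasting the captured login headers and payload. Field names are assumed.
# The file sits in the project folder in plaintext, so use a throwaway account.
SAMPLE_HTTP = """POST /WebGoat/login HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
Accept: text/html

username=fuzzuser&password=fuzzpass
"""


def parse_http_request(text: str) -> dict:
    """Split an .http request into method, target, headers and body.

    The header block ends at the first empty line; everything after it is the
    payload. A request with no empty line is header-only (empty body).
    """
    lines = text.splitlines()
    if not lines:
        raise ValueError("empty request")
    method, target, *_ = lines[0].split()
    headers, body_lines, in_body = {}, [], False
    for line in lines[1:]:
        if in_body:
            body_lines.append(line)
        elif line.strip() == "":
            in_body = True          # single empty line separates header and payload
        else:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers,
            "body": "\n".join(body_lines)}


def login_credentials(request: dict) -> dict:
    """Return the form fields carried in a urlencoded payload, if any."""
    ctype = request["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        return {k: v[0] for k, v in parse_qs(request["body"]).items()}
    return {}


def login_succeeded(response_text: str) -> bool:
    """welcome.mvc in the response marks a successful WebGoat login."""
    return "welcome.mvc" in response_text
```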
When we start the fuzz test again, the fuzzer sends the initial request first, which makes the login-protected parts of the application fuzzable.
In comparison with the first run without authentication (bottom), the second run achieves much higher coverage and discovers a larger number of findings. For example, the SQL injections were not discovered before.