<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Burp Suite on Jhuk Tech News</title><link>https://jhuk.tech/categories/burp-suite/</link><description>Recent content in Burp Suite on Jhuk Tech News</description><generator>Hugo</generator><language>en-US</language><lastBuildDate>Tue, 25 Jul 2023 20:08:52 +0000</lastBuildDate><atom:link href="https://jhuk.tech/categories/burp-suite/index.xml" rel="self" type="application/rss+xml"/><item><title>Fuzzing Forms-Based Authentication Reveals Working Username and Password</title><link>https://jhuk.tech/2023/07/25/fuzzing-forms-based-authentication-reveals-working-username-and-password/</link><pubDate>Tue, 25 Jul 2023 20:08:52 +0000</pubDate><guid>https://jhuk.tech/2023/07/25/fuzzing-forms-based-authentication-reveals-working-username-and-password/</guid><description>&lt;p&gt;In this lab exploring HTML forms-based authentication, I use Burp Suite to fuzz the password field for a username of interest and discover a valid username and password combination. &amp;ldquo;Fuzzing&amp;rdquo; in the context of web application security means any automated attempt to submit a large number of candidate values to a field that accepts user input. The tester then monitors the application for unexpected behavior or unusual results that may indicate the presence of a vulnerability; for a login form, the tell-tale sign is usually a response whose status code, length or redirect target differs from the failed-login baseline. Fuzzing inputs range from common usernames and passwords to URLs, sensitive-data patterns, executable shell commands and SQLi payloads. &lt;a href="https://github.com/danielmiessler/SecLists" target="_blank" rel="noreferrer"&gt;SecLists is a well-known repository&lt;/a&gt; that maintains wordlists for each of these categories. The choice of wordlist depends on the context of the input field and on which category of vulnerability the tester suspects may exist within the application.&lt;/p&gt;</description></item></channel></rss>