Are there any answers to such web server behavior?

precious

Well-known member
Apr 22, 2024
732
452
12,051
I frequently use tools like ffuf to illustrate fuzzing to my students.

Using the following command, for instance:

bash
┌──(kali㉿localhost)-[~]└─$ffuf -w wordlist.txt -u http://mydomaintarget.org/FUZZ

Files like backup.sql, graphql.txt, config.json, and other possibly sensitive files may be discovered in this way.

To confirm their presence, we employ:
┌──(kali㉿localhost)-[~]└─$curl -I http://mydomaintarget.org/backup.sql on mydomaintarget.org

The server replies with an HTTP 200 status if the file is present. When we try to download the file, though: backup.sql using

bash
┌──(kali㉿localhost)-[~]└─$curl -o http://mydomaintarget.org/backup.sql on mydomaintarget.org

The output is a JavaScript obfuscated code rather than the anticipated content.
Are there any explainations to such behavior?
 
I'm looking forward to learning as well, but you didn't explain what fuzzing is :)
I appreciate you bringing that up! I'd be pleased to describe fuzzing. Fuzzing is a security testing method that involves inserting/inputting unexpected or random data (referred to as "fuzz") into a computer program in order to find software flaws. The goal is to observe how the program responds, including whether it crashes, exhibits strange behavior, or reveals exploitable flaws.

When testing a web application, for instance, a fuzzer may insert distorted data into form fields to test the application's ability to handle odd data, possibly revealing faults or security holes. It is an essential component of security assessments and penetration testing.
 
  • Like
Reactions: Trevor Chandler
I appreciate you bringing that up! I'd be pleased to describe fuzzing. Fuzzing is a security testing method that involves inserting/inputting unexpected or random data (referred to as "fuzz") into a computer program in order to find software flaws. The goal is to observe how the program responds, including whether it crashes, exhibits strange behavior, or reveals exploitable flaws.

When testing a web application, for instance, a fuzzer may insert distorted data into form fields to test the application's ability to handle odd data, possibly revealing faults or security holes. It is an essential component of security assessments and penetration testing.
Thank you for that explanation. Now I can say that I'm smarter! Prior to your explanation, I was a little fuzzy about fuzzing!!!
 
what exactly are you trying to find out with the issue
The server returns an HTTP 200 status(it has the file), but I'm attempting to figure out why the expected file content (such as backup.sql) isn't being served directly.

Expectation : I expect to see the raw file content (such as the SQL dump for backup.sql) when I use curl -o to retrieve the file.

Reqlity: The content is not being returned by the server; instead, JavaScript-obfuscated code is.

Am curious about such behavior.
 
  • Like
Reactions: Trevor Chandler
so an example that may get a response would be
Fuzz Host-header,match HTTP 200 responses. ffuf -w hosts.txt -u https://example.org/ -H "Host: FUZZ" -mc 200

as for the raw the default is false so double check your settings
-raw Do not encode URI (default: false)
Thanks for the explanation! I'll try fuzzing the Host header as suggested and ensure the -raw setting is checked for proper encoding. Appreciate the help!