top of page
  • Writer's pictureotw

Web App Hacking: Fuzzing Web Apps to Find Bugs with BurpSuite

Updated: Dec 28, 2022

Welcome back, my aspiring cyberwarriors!

In previous tutorials here on Hackers-Arise, we have used the BurpSuite for a number of purposes to test, evaluate and hack web applications. BurpSuite is among that set of tools that every hacker/pentester/bug bounty hunter should be familiar with!

In this tutorial, we will be using the BurpSuite to fuzz the web application for vulnerabilities. Fuzzing is the process of sending random or pseudo-random data into an application with the intent of crashing the application and thereby identifying vulnerabilities. If we can crash an application with some random input, we can then trace the cause of the crash and possibly use it to exploit the application. So for instance, if we send data input that is too long for the application to handle and it crashes, this may indicate that a buffer overflow is possible.

In this tutorial, we will use the BurpSuite to send specially crafted inputs into a web application in an attempt to discover SQL injection and XXE vulnerabilities. This is an excellent technique for finding bug bounty vulnerabilities!

Step #1: Fire Up Kali and OWASP-BWA

The first step, of course, is fire up your Kali and OWASP-BWA.

Now, open your browser and click on the Mutillidae II application. This should open the application like that below.

Step #2: Open BurpSuite

Next, start your BurpSuite in Kali.

In your browser open, OWASP2013->Injection (SQL)->SQLi-Bypass Authentication ->Login.

This will open a screen similar to that below.

Now, with the Intercept ON (and your browser proxy enabled) in the proxy in the BurpSuite, enter any random username and password. I used "test' and "complexpassword". The proxy will catch or intercept the request as seen below.

Right click and select Send to Intruder

Now, click on the Intruder tab at the top of the page. This opens the Intruder showing 4 tabs, Target, Positions, Payloads and Options. Select Positions. The Intruder will highlight several potential payload positions. Click on the Clear button to the right-hand side. Now highlight the username field and click Add.

Next click on the Payloads. Here will will need to add a payload or list of fuzzing strings. When fuzzing, we have several choices for input strings. We could send millions of random or pseudo-random inputs which might take hours or days or we can send specially crafted inputs looking for specific type of vulnerability. Here we are specifically searching for SQLi vulnerabilities, so let's use a smaller and specific list of SQLi inputs.

We can go the terminal in Kali and search for fuzzing string wordlists by entering;

kali > locate wordlists | grep fuzz

This will locate all the wordlists and filter for the word "fuzz". There are many but let's use one specifically for SQL such as usr/share/wfuzz/wordlists/Injections/SQL.txt. This list contains many strings that can potentially trigger a SQL injection. Of course, you can use any of these wordlists to find vulnerabilities but this one specifically looks for SQL injection flaws.

On the payload screen, click Load and enter the path to the SQL.txt file.

Finally, click Start Attack and BurpSuite will begin try each of the strings in the username or any selected field.

To find any potential vulnerabilities to SQL Injection within this form in this application, look for anomalies in the Status and Size of the Responses. Nearly all of these responses have a length of 50773 but several are larger. The larger responses are a potential indication of a successful SQL injection.

Step #3: Fuzzing for XXE Vulnerabilities

We can do the same type of fuzzing to test for XXE vulnerabilities, but with a list of inputs specific for XML. For more on XXE vulnerabilities in web applications, click here.

To test for XXE vulnerabilities, navigate to the XML validator in Mutillidae.

With the Window open like below and the Intercept ON in the BurpSuite proxy, enter any input into the XML window and click Validate XML.

The proxy with "catch" the request similar to below.

Now, right click in the proxy and select "Send to Intruder". Open the Intruder and clear the Positions similar to what you did above. Now, highlight your input (in my case, I simply typed "222222") and click Add.

Next, click on the Payloads tab and Load the XXE fuzzing file from wfuzz wordlist directory (other XXE fuzzing strings are available at /Seclists/Fuzzing/XXE-Fuzzing.txt) .

Note that the list contains strings that are XML related.

Finally, click the "Start Attack" button.

Your Burpsuite will attempt to send these XML strings to the validator. Like the SQL injection fuzzing above, look for variations in error status and length to find anomalies that will indicate a potential vulnerability.


Fuzzing can be powerful technique for finding hidden vulnerabilities in web applications. The BurpSuite enables us to fuzz nearly any form in a web application and send specially crafted or pseudo-random inputs to the form. By then examining the results for anomalies in size and status we can locate potential vulnerabilities. The BurpSuite can be used to fuzz each and every input in a form to find vulnerabilities.

Recent Posts

See All

5 commentaires

02 janv. 2023

i know of a very good hacker that can help you with any type of hacking, either phones or computers. My husband was so smooth at hiding his infidelity so I had no proof for months, I was referred to some hacker and decided to give him a try.. the result was incredible because all my cheating husband’s text messages, emails , facebook and even phone conversations was wired directly to my cellphone. Computerguru helped me put a round-the-clock monitoring on him and I got concrete evidence of his escapades..if you think your spouse is an expert at hiding his cheating adventure, you can contact them too at HENRYCLARKETHICALHACKER@GMAIL.COM on whatsapp12622367526.


Hire a professional cell Phone Hacker who has the skills that can grant you remotely access to your spouse cell phone and grant access to cheating spouse cell phone information on their cell phone. He can also use he skills to spy on other people’s cell phones device. It is also known as a cell phone spy who are capable to provide you all you require to infiltrate any type of smartphone and iPhone. I was able to got access to partner iPhone, the job was prefect to the extended he didn’t knowing anything about it, was so prefect you can conatct him via kelvinethicalhacker @ gmail. com. reach to him to help spy on your cheating spouse...


You can hire Henryclarkethicalhacker for all your hacking needs which include clearing of criminal and driving records, credit hack fix, college grade changes, cloning phones, spying on anyone, hacking all social media accounts, etc,. Reach him via Henryclarkethicalhacker @ gmail com,

Text him,, Whatsapp,,+1 8 1 3 4 2 1 1 3 2 6.




Hacking someone's phone remotely is a private service it aint going to be available on internet that easily, A Real Hacker will not ask you any money in Advance, And if he can track mobile Remotely, like without touching the target phone is he able to do it. I came across a service where the guy literally teaches you how to do it. Provides you video proofs and even send you video tutorial step by step explaining how you can actually get into any phone whether Android or iOS . I'll share the WhatsApp number with you guys +91-8657-399-601. Harish Negi. If it had helped me it can help you too

Whatsapp Details

+1(616) 274-3599


Harish Negi

bottom of page