Operator On The Wire
← Back to Knowledge Base
BLUE TEAM / SOC / FILTERING / ATTACKS / APPLICATION LAYER / HTTP / SCANNING

Parameter Fuzzing

Attacker manipulates or iterates parameter values (e.g., id=1,2,3) to discover unauthorized data access, hidden functionality, or injection points


Hunting

Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph


Red Flags

  • /user?id=
  • /account/
  • /order/
  • /download?file=
  • /invoice/

If you see id=1 → id=2 → id=3 → id=4 = enumeration.


Filters

# Generic param fuzzing filter (correlate timing through HTTP stream)
http.request.uri matches "=[0-9]+"

# File download enumeration
http.request.uri matches "(file|download|path|doc|invoice)="

# Login bruteforce
http.request.uri contains "login"

# Upload abuse
http.request.method == "POST" and http.content_type contains "multipart"

# SQLi attempts
http.request.uri matches "('|%27|--|%23|%3D|%3B)"

# LFI attempts
http.request.uri contains "../"
http.request.uri matches "\\.\\./"

# Target requests with param
http.request.uri contains "PARAM_NAME="

# Isolate the source (look for sequential values/enumeration in milliseconds)
http.request.uri contains "PARAM_NAME=" and ip.src == X.X.X.X

# Numeric parameter enumeration (Regex)
http.request.uri matches "PARAM_NAME=[0-9]+"