24 Sep, 2008 in OWASP AppSec NYC 2008 by Josh

JBroFuzz: Building a Java Fuzzer for the Web - OWASP AppSec NYC 2008

This presentation was by Yiannis Pavlosoglou, who is the developer on the OWASP fuzzing project.

JBroFuzz addresses the challenges of fuzzing during application-layer penetration tests and security assessments.  Designed for fuzzing web applications.  Open-source and free.  Written in Java.  Scriptable.

Fuzzer Workflow

  • Select fuzzers
  • Send requests
  • Collect responses
  • Compare results

Building a fuzzer entails a stable, easy-to-use interface, a solid fuzzing engine, and unconventional protocol APIs.

Likely Problems:

  • How do you group payloads?
  • How do you customize/iterate through permutations?
  • Cannot use Apache HTTP Commons
  • Cannot use Java HTTP/S Libraries

Addressing Problems:

  • Graphical User Interface
  • Write requests/responses to a file
  • Payloads read from file
  • Payloads grouped into fuzzers
  • Fuzzers grouped into categories
  • Use TCP Sockets for fuzzing
  • Implement POST “Content-Length”
  • Support SSL sockets for fuzzing
  • Support HTTP/1.1 chunked encoding
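
A fuzzer that talks over TCP sockets instead of an HTTP library has to recompute the POST Content-Length after each payload substitution and decode chunked responses itself. The Java sketch below is an added example, not JBroFuzz source code; the class and method names, the `{FUZZ}` marker, and the sample request and response are assumptions constructed for illustration, and it performs no network I/O.

```java
import java.io.*;
import java.nio.charset.*;
// Added illustration (constructed sample data, no network I/O); names are hypothetical, not JBroFuzz code.
public class RawRequestSketch {
    static final String MARKER = "{FUZZ}";               // assumed payload placeholder
    static final Charset RAW = StandardCharsets.ISO_8859_1; // bytes 0-255 map one-to-one

    // Substitute the payload, then correct only Content-Length; nothing else is normalised.
    static byte[] buildRequest(String template, String payload) {
        String raw = template.replace(MARKER, payload);
        int split = raw.indexOf("\r\n\r\n");
        if (split < 0) return raw.getBytes(RAW);          // no body: send exactly as typed
        int len = raw.substring(split + 4).getBytes(RAW).length;
        String head = raw.substring(0, split)
                .replaceAll("(?im)^Content-Length:.*$", "Content-Length: " + len);
        return (head + raw.substring(split)).getBytes(RAW);
    }

    // Decode an HTTP/1.1 chunked body; malformed framing is reported, not silently accepted.
    static byte[] decodeChunked(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        while (true) {
            String sizeLine = readLine(in).split(";", 2)[0].trim(); // drop chunk extensions
            if (!sizeLine.matches("[0-9A-Fa-f]{1,7}")) throw new IOException("bad chunk size: " + sizeLine);
            int size = Integer.parseInt(sizeLine, 16);
            if (size == 0) return out.toByteArray();      // last chunk; trailers are ignored here
            byte[] chunk = in.readNBytes(size);           // Java 11+
            if (chunk.length != size) throw new IOException("truncated chunk");
            out.write(chunk);
            readLine(in);                                 // CRLF that ends the chunk data
        }
    }

    static String readLine(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        int c;
        while ((c = in.read()) != -1 && c != '\n') if (c != '\r') sb.append((char) c);
        if (c == -1 && sb.length() == 0) throw new IOException("unexpected end of stream");
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        String template = "POST /login HTTP/1.1\r\nHost: test.example\r\n"
                + "Content-Length: 0\r\n\r\nuser=" + MARKER + "&pass=x";
        System.out.println(new String(buildRequest(template, "AAAAAAAA"), RAW)); // bytes for the wire
        byte[] resp = "4\r\nWiki\r\n5;ext=1\r\npedia\r\n0\r\n\r\n".getBytes(RAW);
        System.out.println(new String(decodeChunked(new ByteArrayInputStream(resp)), RAW));
    }
}
```

Printing the assembled request before it is sent follows the talk's advice to tell the user what is being put on the wire.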

47 classes spread into 13 packages.  13,123 lines of Java code.  Do one thing and do it well!  Tell the user what you are putting on the wire.  Don’t obey HTTP/S.  Trust the JBroFuzz Core to generate payloads.

Roadmap

  • MSI Installer
  • Basic NTLM Authentication
  • Proxy Requests
  • Graphing Tab

E-mail yiannis@owasp.org with questions.

One Response so far

    Anonymous  |  October 24th, 2008 at 1:01 pm #

    IMHO Powerfuzzer (powerfuzzer.sourceforge.net) is much simpler to use and effective.
