Web Admin Blog Real Web Admins. Real World Experience.

24 Sep 2008

JBroFuzz: Building a Java Fuzzer for the Web – OWASP AppSec NYC 2008

This presentation was by Yiannis Pavlosoglou, the developer on the OWASP fuzzing project.

JBroFuzz addresses the challenges of fuzzing during application-layer penetration tests and security assessments.  It is designed for fuzzing web applications.  Open-source and free.  Written in Java.  Scriptable.

Fuzzer Workflow

  • Select fuzzers
  • Send requests
  • Collect responses
  • Compare results

Building a fuzzer entails a stable, easy-to-use interface, a solid fuzzing engine, and unconventional protocol APIs.

Likely Problems:

  • How do you group payloads?
  • How do you customize/iterate through permutations?
  • Cannot use Apache HTTP Commons
  • Cannot use Java HTTP/S Libraries

Addressing Problems:

  • Graphical User Interface
  • Write requests/responses to a file
  • Payloads read from file
  • Payloads grouped into fuzzers
  • Fuzzers grouped into categories
  • Use TCP Sockets for fuzzing
  • Implement POST "Content-Length"
  • Support SSL sockets for fuzzing
  • Support HTTP/1.1 chunked encoding

47 classes spread across 13 packages.  13,123 lines of Java code.  Do one thing and do it well!  Tell the user what you are putting on the wire.  Don't obey HTTP/S.  Trust the JBroFuzz Core to generate payloads.
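To make the "TCP sockets", "Content-Length" and "tell the user what you are putting on the wire" points concrete, here is an added sketch (not JBroFuzz code and not from the talk) that builds a request as raw bytes, recomputes Content-Length per payload, and renders the exact bytes for the operator. The class, the method names, the `{{FUZZ}}` marker and the sample request are assumptions made for illustration; a fuzzer would write the returned bytes to a socket's output stream.

```java
import java.nio.charset.StandardCharsets;

// Added illustration; class, method and marker names are hypothetical, not JBroFuzz's API.
public class RawRequestSketch {
    static final String MARKER = "{{FUZZ}}";   // assumed placeholder syntax
    static final String CRLF = "\r\n";

    /** Substitute the payload, then rewrite Content-Length to match the new body. */
    static byte[] build(String template, String payload) {
        String req = template.replace(MARKER, payload);
        int split = req.indexOf(CRLF + CRLF);
        if (split < 0) {                       // no body: send the headers as written
            return req.getBytes(StandardCharsets.ISO_8859_1);
        }
        String head = req.substring(0, split);
        byte[] body = req.substring(split + 4).getBytes(StandardCharsets.UTF_8);
        StringBuilder out = new StringBuilder();
        for (String line : head.split(CRLF)) {
            if (line.regionMatches(true, 0, "Content-Length:", 0, 15)) {
                line = "Content-Length: " + body.length;   // count bytes, not chars
            }
            out.append(line).append(CRLF);
        }
        out.append(CRLF);
        byte[] h = out.toString().getBytes(StandardCharsets.ISO_8859_1);
        byte[] wire = new byte[h.length + body.length];
        System.arraycopy(h, 0, wire, 0, h.length);
        System.arraycopy(body, 0, wire, h.length, body.length);
        return wire;
    }

    /** Render CR and LF visibly so the operator sees exactly what would be sent. */
    static String show(byte[] wire) {
        return new String(wire, StandardCharsets.ISO_8859_1)
                .replace("\r", "\\r").replace("\n", "\\n\n");
    }

    public static void main(String[] args) {
        // Constructed sample request against a placeholder host.
        String template = "POST /login HTTP/1.1" + CRLF + "Host: test.example" + CRLF
                + "Content-Type: application/x-www-form-urlencoded" + CRLF
                + "Content-Length: 0" + CRLF + CRLF + "user=" + MARKER + "&pass=x";
        for (String p : new String[] {"alice", "A".repeat(64), "\u00e9\u00e9"}) {
            System.out.println(show(build(template, p)));
        }
    }
}
```

The third payload shows why the length is taken from the encoded body: two characters become four UTF-8 bytes, so a character count would understate Content-Length.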

Roadmap

  • MSI Installer
  • Basic NTLM Authentication
  • Proxy Requests
  • Graphing Tab

E-mail yiannis@owasp.org with questions.

About Josh

Josh graduated in 2002 from the University of Texas at Austin with a BS in Computer Science. He was formerly a member of the Internet Systems team at AMD, a Systems Administrator with BearingPoint, and worked on a contract for the US Army before becoming a member of the Web Systems team at National Instruments in January of 2007. He recently attained his CISSP certification and specializes in the area of web application security.
Comments (1)
  1. IMHO Powerfuzzer (powerfuzzer.sourceforge.net) is much simpler to use and effective.

