{"id":92,"date":"2008-09-24T13:31:51","date_gmt":"2008-09-24T18:31:51","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=92"},"modified":"2008-09-24T13:31:51","modified_gmt":"2008-09-24T18:31:51","slug":"jbrofuzz-building-a-java-fuzzer-for-the-web-owasp-appsec-nyc-2008","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2008\/09\/24\/jbrofuzz-building-a-java-fuzzer-for-the-web-owasp-appsec-nyc-2008\/","title":{"rendered":"JBroFuzz: Building a Java Fuzzer for the Web &#8211; OWASP AppSec NYC 2008"},"content":{"rendered":"<p>This presentation was by <a class=\"external text\" title=\"http:\/\/www.owasp.org\/index.php\/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Yiannis_Pavlosoglou\" rel=\"nofollow\" href=\"http:\/\/www.owasp.org\/index.php\/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Yiannis_Pavlosoglou\">Yiannis Pavlosoglou<\/a> who is the developer on the OWASP fuzzing project.<\/p>\n<p>Address the challenges of fuzzing, during applicaton layer penetration tests and security assessments.\u00a0 Designed for fuzzing web applications.\u00a0 Open-source and free.\u00a0 Written in Java.\u00a0 Scriptable.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Fuzzer Workflow<\/strong><\/span><\/p>\n<ul>\n<li>Select fuzzers<\/li>\n<li>Send requests<\/li>\n<li>Collect responses<\/li>\n<li>Compare results<\/li>\n<\/ul>\n<p>Building a fuzzer entails a stable, ease to use interface, a solid fuzzing engine, and unconventional protocol APIs.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Likely Problems:<\/strong><\/span><\/p>\n<ul>\n<li>How do you group payloads?<\/li>\n<li>How do you customize\/iterate through permutations?<\/li>\n<li>Cannot use Apache HTTP Commons<\/li>\n<li>Cannot use Java HTTP\/S Libraries<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Addressing Problems:<\/strong><\/span><\/p>\n<ul>\n<li>Graphical User Interface<\/li>\n<li>Write requests\/responses to a file<\/li>\n<li>Payloads read from file<\/li>\n<li>Payloads grouped into fuzzers<\/li>\n<li>Fuzzers grouped into categories<\/li>\n<li>Use TCP Sockets for fuzzing<\/li>\n<li>Implement POST &#8220;Content-Length&#8221;<\/li>\n<li>Support SSL sockets for fuzzing<\/li>\n<li>Support HTTP\/1.1 chunked encoding<\/li>\n<\/ul>\n<p>47 classes spread into 13 packages.\u00a0 13,123 lines of java code.\u00a0 Do one thing and do it well!\u00a0 Tell the user what you are putting on the wire.\u00a0 Don&#8217;t obey HTTP\/S.\u00a0 Trust the JBroFuzz Core to generate payloads.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Roadmap<\/strong><\/span><\/p>\n<ul>\n<li>MSI Installer<\/li>\n<li>Basic NTLM Authentication<\/li>\n<li>Proxy Requests<\/li>\n<li>Graphing Tab<\/li>\n<\/ul>\n<p>E-mail yiannis@owasp.org with questions.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This presentation was by Yiannis Pavlosoglou who is the developer on the OWASP fuzzing project. Address the challenges of fuzzing, during applicaton layer penetration tests and security assessments.\u00a0 Designed for fuzzing web applications.\u00a0 Open-source and free.\u00a0 Written in Java.\u00a0 Scriptable. Fuzzer Workflow Select fuzzers Send requests Collect responses Compare results Building a fuzzer entails a [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[127],"tags":[76,128,144,145,12,622],"class_list":["post-92","post","type-post","status-publish","format-standard","hentry","category-owasp-appsec-nyc-2008","tag-application","tag-appsec","tag-fuzzer","tag-jbrofuzz","tag-owasp","tag-security"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-1u","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/92","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=92"}],"version-history":[{"count":2,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/92\/revisions"}],"predecessor-version":[{"id":94,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/92\/revisions\/94"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=92"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=92"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=92"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}