Category:OWASP JBroFuzz
From OWASP
QuickStart
Current version is 1.1. Get it from the Download Section. Tested on Mac OS X, Win32, RHEL 4, CentOS 4.x, Ubuntu, Linux Mint, Backtrack 3.
Latest Features
An MSI installer for Windows platforms, as well as a number of new payload fuzzer categories: XPATH, LDAP, XSS ASP.NET ValidateRequest, and updated Cross Site Scripting payloads.
Video Tutorial
Watch (medium quality) or download (high quality) the Flash tutorial, which takes you through some basic fuzzing and sniffing tactics. The tutorial was recorded on jbrofuzz-0.2.jar; the same steps can also be performed on the latest version.
Overview
JBroFuzz is a web application protocol fuzzer that emerged from the needs of penetration testing. Written in Java, it allows for the identification of certain classes of security vulnerabilities by creating malformed data and having the server/service in question consume that data.
Goals
The purpose of JBroFuzz is to provide a single, portable application that offers stable HTTP/x.x protocol fuzzing capabilities. Further to this, JBroFuzz groups together a number of popular payloads into corresponding categories, thus forming a reference for the vulnerabilities it attempts to identify.
If you can't fuzz with this version of JBroFuzz, you probably don't want to fuzz!!
Ultimately the above goal does help raise awareness around the subject of fuzzing and how that can be used to benchmark and assist in the security of applications using such protocols.
Download
You can download the latest version of JBroFuzz from SourceForge JBroFuzz Page.
The tutorial is a very good starting point for any new user, whether or not they are already familiar with fuzzing.
Java documentation, the source code and the latest build can be obtained from the Subversion repository on SourceForge.
As JBroFuzz is a Java-based application, a Java 1.6 Runtime Environment must be present in order to run it.
Payloads and Fuzzers
* DNA Uppercase Fuzzer
* Lowercase Integer Overflows
* Uppercase Integer Overflows
* Lowercase Format Strings
* Uppercase Format Strings
* SQL Injection
* Passive SQL Injection
* Active SQL Injection
* LDAP Injection
* XPATH Injection
* XSS 101
* XSS 102
* XSS JS Breaks
* XSS IE
* XSS Gecko
* XSS Style Injection
* XSS HTML Breaking
* XSS Embed/Evade
* XSS IMG Tag
* ASP .NET ValidateRequest
* XSS XML Injection
* URI XSS
* JSON
* Server Side Includes
* URL Breaking
* Base16 (Hex) Uppercase
* Alpha-Numeric Uppercase
* Alpha Uppercase
* Long Uppercase AAA's
* Long Lowercase aaa's
News
JBroFuzz is starting to shape up its framework capabilities. With the addition of a new core interface, JBroFuzz offers an API, written in Java 1.6, for fuzzing. The following assumes a developer background in Java:
* org.owasp.jbrofuzz.core
Through this package, a Fuzzer can be created as an Iterator, given the generator ID and the required payload length. The following example Java code illustrates how JBroFuzz can be used to drive any number of generators, with their respective payloads, as a normal Java Iterator:
```java
import org.owasp.jbrofuzz.core.*;

public class MyFuzzerPrintingToTheScreen {

    public static void main(String[] args) {
        try {
            // Create a Fuzzer for the "NUM-HEX" generator with payloads of length 4;
            // the Fuzzer behaves as an Iterator over its payloads.
            for (Fuzzer f = new Fuzzer("NUM-HEX", 4); f.hasNext();) {
                // Get the next payload value...
                System.out.println(" The fuzzer payload is: " + f.next());
            }
        } catch (NoSuchFuzzerException e) {
            // Thrown when no generator with the given ID exists
            System.out.println("Could not find fuzzer " + e.getMessage());
        }
    }
}
```
Furthermore, by editing the file generators.jbrofuzz within the jar archive, a developer can add a list of new payloads, which defines a new generator that Fuzzer instances can then draw from.
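As an added example that is not part of the page or the JBroFuzz project, the harness below uses the same Fuzzer/NoSuchFuzzerException API and the "NUM-HEX" generator ID shown above to feed every payload into a parser under test and record which payloads make it throw. It assumes Fuzzer.next() returns a String; parseHexPort() is a hypothetical function standing in for the code being tested.

```java
import org.owasp.jbrofuzz.core.*;
import java.util.LinkedHashMap;
import java.util.Map;

public class FuzzerHarness {

    // Hypothetical code under test: parses a 4-character hex field into a TCP port.
    static int parseHexPort(String field) {
        int value = Integer.parseInt(field, 16);   // NumberFormatException on non-hex input
        if (value == 0 || value > 65535) {
            throw new IllegalArgumentException("port out of range: " + value);
        }
        return value;
    }

    // Runs one generator and returns payload -> exception class for every failure.
    static Map<String, String> run(String generatorId, int length)
            throws NoSuchFuzzerException {
        Map<String, String> failures = new LinkedHashMap<String, String>();
        int total = 0;
        for (Fuzzer f = new Fuzzer(generatorId, length); f.hasNext();) {
            String payload = f.next();
            total++;
            try {
                parseHexPort(payload);
            } catch (RuntimeException e) {       // any uncaught exception is a finding
                failures.put(payload, e.getClass().getSimpleName());
            }
        }
        System.out.println(total + " payloads tried, " + failures.size() + " failures");
        return failures;
    }

    public static void main(String[] args) {
        try {
            for (Map.Entry<String, String> e : run("NUM-HEX", 4).entrySet()) {
                System.out.println(e.getKey() + " -> " + e.getValue());
            }
        } catch (NoSuchFuzzerException e) {
            System.out.println("Could not find fuzzer " + e.getMessage());
        }
    }
}
```

Swapping parseHexPort() for your own input handler and the generator ID for one of the payload categories listed above turns this into a regression test for that handler's input validation.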
Roadmap
A roadmap for versions 1.1 to 2.1 will be posted here.
Feedback and Participation
We hope you find the OWASP JBroFuzz Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to subere@uncon.org. To join the OWASP JBroFuzz Project mailing list or view the archives, please visit the subscription page.
Project Contributors
The project is led by subere@uncon.org.
| PROJECT IDENTIFICATION | |
|---|---|
| Project Name | OWASP JBroFuzz Project |
| Short Project Description | This project is a stateless network protocol fuzzer that emerged from the needs of penetration testing. Written in Java, it allows for the identification of certain classes of security vulnerabilities by creating malformed data and having the network protocol in question consume that data. |
| Email Contacts | Project Leader: Yiannis Pavlosoglou; Project Contributors (if applicable): Name & Email; Mailing List/Subscribe; First Reviewer: Dinis Cruz; Second Reviewer: Name; OWASP Board Member (if applicable): Name & Email |

| PROJECT MAIN LINKS |
|---|
| Video Tutorial - medium quality (to watch) |

| SPONSORS & GUIDELINES | |
|---|---|
| Sponsor - OWASP Spring Of Code 2007 | Sponsored Project/Guidelines/Roadmap |

| ASSESSMENT AND REVIEW PROCESS | | | | |
|---|---|---|---|---|
| Review/Reviewer | Author's Self Evaluation (applicable for Alpha Quality & further) | First Reviewer (applicable for Alpha Quality & further) | Second Reviewer (applicable for Beta Quality & further) | OWASP Board Member (applicable just for Release Quality) |
| 50% Review | Objectives & Deliveries reached? Yes/No (To update); See & Edit: 50% Review/Self-Evaluation (A) | Objectives & Deliveries reached? Yes/No (To update); See & Edit: 50% Review/1st Reviewer (C) | Objectives & Deliveries reached? Yes/No (To update); See & Edit: 50% Review/2nd Reviewer (E) | X |
| Final Review | Objectives & Deliveries reached? Yes/No (To update); Which status has been reached? Season of Code - (To update); See & Edit: Final Review/Self-Evaluation (B) | Objectives & Deliveries reached? Yes/No (To update); Which status has been reached? Season of Code - (To update); See & Edit: Final Review/1st Reviewer (D) | Objectives & Deliveries reached? Yes/No (To update); Which status has been reached? Season of Code - (To update); See & Edit: Final Review/2nd Reviewer (F) | Objectives & Deliveries reached? Yes/No (To update); Which status has been reached? Season of Code - (To update); See & Edit: Final Review/Board Member (G) |