help.topics-00.html Maven / Gradle / Ivy
Help Topics
JBroFuzz has been designed for fuzzing web applications that use the HTTP1 and/or the HTTPS2 protocol. This is a penetration testing tool.
This one-page summary describes the components of JBroFuzz. For more detailed information on each of the the mentioned (in bold) below, use the left-hand menu to navigate to a particular topic.
When JBroFuzz is launched, the first thing that you see (after the splash screen) is a single window with 4 tabs. Each tab represents a particular component of the application. You can navigate through the tabs by clicking on each one located (by default) at the bottom left corner within the window of the application.
Tip: You can also show or hide individual tabs by using the "View" - "Show/Hide" menu and then selecting the corresponding tab.
The components of JBroFuzz are all integrated into a single window and can be accessed through individual tabs. These tabs are:
Fuzzing The fuzzing tab is the main tab of JBroFuzz, responsible for all fuzzing operations performed over the network. Depending on the fuzzer payloads selected, it creates the malformed data for each request, puts it on the wire and writes the response to a file.
Graphing The graphing tab is responsible for graphing (in a variety of forms) the responses received while fuzzing. This tab can offer a clear indication of a response that is different then the rest received, an indication of further examination being required.
Payloads The payloads tab is a collection of fuzzers with their corresponding payloads that can be used while fuzzing. Payloads are added to the request in the fuzzing tab; a more clear view of what payloads are available, how they are grouped and what properties each fuzzer has can be seen in this tab.
Headers The headers tab is a collection of browser headers that can be used while fuzzing. Headers are obtained from different browsers on different platforms and operating systems. This tab is provided, as many web applications respond differently to different browser impersonation attacks.
Tip: Access the System tab to monitor JBroFuzz operations and verbose messages.
System The system tab represents the logging console of JBroFuzz at runtime. Here you can access java runtime information, see any errors that might occur and also track operation in terms of events being logged.
Fuzzing Fundamentals
An excellent starting point for fuzzing articles is:
B.P. Miller, L. Fredriksen, and B. So, "An Empirical Study of the Reliability of UNIX Utilities", Communications of the ACM 33, 12 (December 1990). Also appears (in German translation) as "Fatale Fehlertractigkeit: Eine Empirische Studie zur Zuverlassigkeit von UNIX-Utilities", iX, March 1991.
Fuzzing is a methodology for software testing, which stems from Boundary Value Analysis (BVA)3. This methodology can take many forms depending on the desired tests performed4.
Fuzzers are applications developed to perform fuzzing. These applications fall in a variety of different categories, called fuzzer types. From known fuzzer types5, JBroFuzz falls in the category of a web application fuzzer, a subset category of network protocol fuzzers.
References:
[1] http://en.wikipedia.org/wiki/Http
[2] http://tools.ietf.org/html/rfc2818
[3] http://en.wikipedia.org/wiki/Boundary_value_analysis
[4] http://marc2.theaimsgroup.com/?l=spike&m=105606327823227&w=2
[5] M Sutton, A Greene, P Amini, "Fuzzing: Brute Force Vulnerability Discovery", 2007, pp. 33-44
Academic Links:
Fuzz Testing of Application Reliability
http://pages.cs.wisc.edu/~bart/fuzz/fuzz.html