
JBroFuzz is a stateless web application fuzzer for requests being made over HTTP and/or HTTPS. Its purpose is to provide a single, portable application that offers stable web protocol fuzzing capabilities. As a tool, it emerged from the needs of penetration testing.

Fuzzing Tab

The fuzzing tab is the main tab of JBroFuzz and is responsible for all fuzzing operations performed over the network. Depending on the fuzzer payloads selected, it creates the malformed data for each request, puts it on the wire and writes the response to a file.


Getting Started: Having selected the fuzzing tab, click "Start" in the tool bar menu. This sends a single request and records the corresponding response.


The fuzzing tab consists of the following five components, described below:

 

URL: The URL component is where the protocol, hostname and port information is entered. Unlike a URL entered in a browser, only the protocol, hostname and port are read from this component; any path is ignored. Examples include:

 

http://www.someurl.com:8088
https://www.gmail.com
http://www.owasp.org
http://www.microsoft.com

 

Tip: To copy and paste a browser URL, use the "File" - "Open Location" [Ctrl + L] option from the file menu.

 

Request: The request component is where the request information is entered. Text entered in this component represents exactly what will be placed on the wire. The default end-of-line sequence is "\r\n"; it can be changed through the Preferences option in the file menu. Finally, payloads can be added to parts of the request text entered. Depending on the payload and the length selected, this increases the number of requests sent, consecutively, to the specified host. See also: On The Wire. An example request is:

 

GET /index.php/Main_Page HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

 

Payloads: The payloads component is the record of which payloads have been added to the request and at which position. Payloads can be added or removed using the "Add" or "Remove" options available in the menu. An example of an added payload is:

 

B10-DEC : 13 : 14

 

This means that every base 10 fuzzer payload will be sent as part of the request, replacing the 13th to 14th characters of the request with the consecutive values {0, 1, 2, ..., 9}. In this case, the fuzzer is being used to test which HTTP versions a given host supports.

 

Tip: To add a payload, select part of the request and choose the "Add" [Ctrl + =] option from the file or tool bar menu. Then select the fuzzer whose payloads are required and click "Add Fuzzer".
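The following is an added example, not JBroFuzz's own code, showing how a payload record such as "B10-DEC : 13 : 14" expands a request into the consecutive messages that go on the wire. It assumes the two numbers are 0-indexed, half-open character offsets into the request text (so "13 : 14" covers the single character at offset 13), which is an assumption made here, and it builds the request strings offline without sending anything.

```python
import re
from typing import List, Tuple

# Constructed fuzzer table; only the B10-DEC fuzzer described on this page is
# modelled. Each entry is the ordered list of payloads a fuzzer emits.
FUZZERS = {
    "B10-DEC": [str(d) for d in range(10)],  # {0, 1, 2, ..., 9}
}


def parse_payload_record(record: str) -> Tuple[str, int, int]:
    """Parse a record like 'B10-DEC : 13 : 14' into (fuzzer, start, end).

    Assumption (not stated on the page): offsets are 0-indexed and half-open.
    """
    m = re.fullmatch(r"\s*([A-Za-z0-9-]+)\s*:\s*(\d+)\s*:\s*(\d+)\s*", record)
    if not m:
        raise ValueError(f"malformed payload record: {record!r}")
    name, start, end = m.group(1), int(m.group(2)), int(m.group(3))
    if name not in FUZZERS:
        raise ValueError(f"unknown fuzzer: {name}")
    if start >= end:
        raise ValueError("start offset must be before end offset")
    return name, start, end


def on_the_wire(request_lines: List[str], record: str, eol: str = "\r\n") -> List[str]:
    """Return every request produced for one payload record, in payload order.

    request_lines are joined with the configured end-of-line sequence (default
    "\\r\\n" as on this page) and terminated by one more eol, so a trailing ""
    line yields the blank line that ends the HTTP header block.
    """
    request = eol.join(request_lines) + eol
    name, start, end = parse_payload_record(record)
    if end > len(request):
        raise ValueError("payload range exceeds request length")
    # Replace the selected character range with each payload in turn; the
    # number of messages sent grows with the length of the fuzzer's list.
    return [request[:start] + payload + request[end:] for payload in FUZZERS[name]]


if __name__ == "__main__":
    # Constructed sample: offset 13 of "GET / HTTP/1.1" is the minor version
    # digit, so B10-DEC : 13 : 14 probes HTTP/1.0 through HTTP/1.9.
    for message in on_the_wire(["GET / HTTP/1.1", "Host: localhost", ""],
                               "B10-DEC : 13 : 14"):
        print(repr(message))
```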

 

On The Wire: The on the wire component shows all data exactly as it is placed on the wire. Typically, this data is the combination of the request and the selected payloads sent while fuzzing.

 

Output: The output panel keeps a record of each response received back from the host while fuzzing. It shows what is being written to file as it is received.

 

Response Output

For each request transmitted, JBroFuzz records the response received to a file. The saved files are also used to perform graphing operations (see "Graphing Tab").

 

The characteristics monitored are the following:

 

No: The number given to the request sent.

 

Target: The target host, protocol and port (if any).

 

Status: The HTTP status code (if any) received back.

 

Response Time: The time, in milliseconds, between sending the request and receiving the response.

 

Response Size: The size, in bytes, of the response received.

 
