Category:OWASP JBroFuzz

From OWASP


QuickStart

The first major release of JBroFuzz is out! Current version is 1.0. Get it from the Download Section. Tested on Mac OS X, Win32, RHEL 4, CentOS 4.x, Backtrack 3 (beta).

Latest Features

ToolBar, SplashScreen, Help Tutorials, new XSS Generators, SSL Support, Database retrieval

Video Tutorial

Watch (medium quality) or download (high quality) the Flash tutorial, which takes you through some basic fuzzing and sniffing tactics. This tutorial is on jbrofuzz-0.2.jar; the steps taken can also be performed on the latest version.

Overview

JBroFuzz Splash Screen

JBroFuzz is a stateless network protocol fuzzer that emerged from the needs of penetration testing. Written in Java, it allows for the identification of certain classes of security vulnerabilities, by means of creating malformed data and having the network protocol in question consume the data.

Goals

The purpose of this application is to provide a single, portable application that offers stable network protocol fuzzing capabilities. A number of frameworks as well as APIs exist for fuzzing; these require a certain skill level to understand and use, which often acts as a barrier when constrained by time.

If you can't fuzz with this version of JBroFuzz, you probably don't want to fuzz!!

Ultimately the above goal does help raise awareness around the subject of fuzzing and how that can be used to benchmark and assist in the security of applications using such protocols.


Download

You can download the latest version of JBroFuzz from SourceForge JBroFuzz Page.

The tutorial typically serves as a very good starting point for any new user, whether or not they are familiar with fuzzing.

Java documentation, the source code and the latest build can be obtained from the Subversion SourceForge repository.

As JBroFuzz is a Java-based application, a Java 1.6 Runtime Environment must be present in order to run it.

Features and Screenshots

JBroFuzz in Action Screenshot
   * Graphing functionality has been added to the fuzzing tab
   * A list of ~58000 popular directories is provided
   * Basic cross site scripting (XSS) checks 
   * Basic SQL injection (SQL) checks 
   * Buffer overflows (BFO) checks
   * Format string errors (FSE) checks
   * Integer overflows (INT) checks
   * Help Topics
   * Frequently Asked Questions (mail your questions!)
   * Preferences

News

JBroFuzz is starting to shape framework capabilities. With the addition of a new core interface, JBroFuzz offers an API for fuzzing, written in Java 1.6. Using it requires a developer background in Java:

   * org.owasp.jbrofuzz.core

Through this package, a Fuzzer can be created by means of an Iterator, given the generator ID and the required length. The following example Java code illustrates how JBroFuzz can be used to implement any number of generators, with their respective payloads, as part of a normal Java Iterator:

JBroFuzz Graph from a fuzzing session
   import org.owasp.jbrofuzz.core.*;

   public class MyFuzzerPrintingToTheScreen {
       public static void main(String[] args) {
           try {
               // Create a fuzzer from the generator ID "NUM-HEX" with the required length 4
               for (Fuzzer f = new Fuzzer("NUM-HEX", 4); f.hasNext();) {
                   // Get the next payload value...
                   System.out.println(" The fuzzer payload is: " + f.next());
               }
           } catch (NoSuchFuzzerException e) {
               // The requested generator ID could not be found
               System.out.println("Could not find fuzzer " + e.getMessage());
           }
       }
   }
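The same Iterator pattern can drive a small test harness against your own parsing code. The following is an added example, not JBroFuzz code: `AlphabetFuzzer` is a hypothetical stand-in for `Fuzzer` that assumes a hex generator enumerates every string of the given length over `0-9a-f`, and `parseField` is a made-up function under test.

```java
import java.util.Iterator;
import java.util.NoSuchElementException;

// Added example: a stand-in for the page's Fuzzer iterator, not JBroFuzz code.
public class IteratorFuzzHarness {
    // Yields every string of `length` characters over `alphabet`, odometer style.
    static final class AlphabetFuzzer implements Iterator<String> {
        private final char[] alphabet;
        private final int[] digits;   // current alphabet index for each position
        private boolean exhausted;

        AlphabetFuzzer(String alphabet, int length) {
            if (alphabet.isEmpty() || length < 1)
                throw new IllegalArgumentException("need a non-empty alphabet and length >= 1");
            this.alphabet = alphabet.toCharArray();
            this.digits = new int[length];
        }
        @Override public boolean hasNext() { return !exhausted; }
        @Override public String next() {
            if (exhausted) throw new NoSuchElementException();
            StringBuilder sb = new StringBuilder(digits.length);
            for (int d : digits) sb.append(alphabet[d]);
            // Advance the rightmost position, carrying leftwards on overflow.
            int i = digits.length - 1;
            while (i >= 0 && ++digits[i] == alphabet.length) digits[i--] = 0;
            exhausted = (i < 0);   // every position wrapped: the sequence is complete
            return sb.toString();
        }
    }

    // Hypothetical code under test: parses a 4-digit hex field into a signed 16-bit value.
    static short parseField(String hex) {
        return Short.parseShort(hex, 16);
    }

    public static void main(String[] args) {
        int total = 0, rejected = 0;
        String firstRejected = null;
        for (Iterator<String> f = new AlphabetFuzzer("0123456789abcdef", 4); f.hasNext();) {
            String payload = f.next();
            total++;
            try {
                parseField(payload);
            } catch (NumberFormatException e) {   // input the parser refuses
                rejected++;
                if (firstRejected == null) firstRejected = payload;
            }
        }
        System.out.printf("payloads=%d rejected=%d first=%s%n", total, rejected, firstRejected);
    }
}
```

Recording the first rejected payload gives a reproducible input for a regression test once the parser is fixed.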


Furthermore, by editing the file generators.jbrofuzz within the jar archive, a developer can add lists of new payloads, which become available as new generators for Fuzzers.

Roadmap

With the release of JBroFuzz 0.8, a number of additions with a focus on HTTP/S have been implemented. Based on the requirements from SpoC 2007, the key tabs proposed for addition during the Spring of Code 2007 were:

   * [Done] Open Source Tab
   * [xxxx] NTLM Brute Force over HTTP/S Tab
   * [Done] Pure HTTP/S Fuzzing using HTTPClient
   * [Done] Blind SQL Injection Fuzzing Tab (via implementing a new Generators Database)

At the same time, the following existing tabs need to be updated and made more robust (details in next section):

   * [Done] TCP Fuzzing tab allowing graph outputs
   * [Done] TCP Sniffing tab update thread Agent Queue
   * [Done] Update Generators file format
   * [Done] Include SOAP and XML fuzzing 

A single "Fuzzing" tab has now been implemented, giving greater care to POST messages, the byte size of responses and the ability to add generators more intuitively. Thus, instead of adding more tabs, features have been added to enhance the way fuzzing payloads are added to the request.

Feedback and Participation

We hope you find the OWASP JBroFuzz Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to subere@uncon.org. To join the OWASP JBroFuzz Project mailing list or view the archives, please visit the subscription page.

Project Contributors

The project is led by subere@uncon.org.

PROJECT IDENTIFICATION

   * Project Name: OWASP JBroFuzz Project
   * Short Project Description: This project is a stateless network protocol fuzzer that emerged from the needs of penetration testing. Written in Java, it allows for the identification of certain classes of security vulnerabilities, by means of creating malformed data and having the network protocol in question consume the data.
   * Email Contacts:
      * Project Leader: Yiannis Pavlosoglou
      * Project Contributors (if applicable): Name&Email
      * Mailing List/Subscribe
      * Mailing List/Use
      * First Reviewer: Dinis Cruz
      * Second Reviewer: Name
      * OWASP Board Member (if applicable): Name&Email

PROJECT MAIN LINKS

   * Video Tutorial - medium quality (to watch)
   * Video Tutorial - high quality (to download)
   * Latest version of JBroFuzz
   * Java documentation, the source code and the latest build
   * To run the JBroFuzz application you need a Java 1.6 Runtime Environment
   * (If appropriate, more links to be added)

SPONSORS & GUIDELINES

   * Sponsor - OWASP Spring Of Code 2007 Sponsored Project/Guidelines/Roadmap
