OWASP JBroFuzz Payloads and Fuzzers

Introduction
“If you can’t fuzz with JBroFuzz, you probably do not want to fuzz!”

Old JBroFuzz Motto

The art of teaching, Mark Van Doren said, is the art of assisting discovery. Fuzzing is a representative discipline towards assisting the discovery of security vulnerabilities, that is just beginning to come of age. Over the last two years, through continuous development, JBroFuzz has attempted to expose the intrinsic beauty of the subject: Constantly submit a vast amount of payloads to a service, device or prompt, waiting for the one response that makes all the difference. This is the mentality that JBroFuzz embraces and attempts to offer back to security professionals.

Fuzzing as a concept goes beyond a conventional work flow or a standard methodology. I would argue that to know how to fuzz well, is to master a new language. Thus, similar to the process of learning a programming (or foreign) language, there are three things you must master:

• Grammar: How fuzzing as a process is structured • Vocabulary: How to name fuzzing concepts you want to use • Usage: Ways of achieving everyday effective results with fuzzing

From the pre-existing information available for JBroFuzz, this tutorial focuses on the vocabulary: Through a baptism of fire, this fuzzing tool had to develop a process for storing and making different payloads available for fuzzing. This section details the way this process has evolved during the continuous development of JBroFuzz.

The type of syntax in this section does not relate to coding examples, but more towards how fuzzers are grouped into categories and how the corresponding categories form a collection of payloads for different vulnerability types.

To summarise, this second part of the tutorial looks at what the primitive concepts employed by JBroFuzz are and how they are put to use. Without further redo, let’s get fuzzing!

Fuzzer Categories and Types
JBroFuzz contains approximately 50 fuzzers, grouped in a number categories. Each fuzzer is a collection of payloads that are used (at fuzzing runtime) in different ways. There are also different types of fuzzers.

In the eyes of a developer, a fuzzer in JBroFuzz is a java Iterator, i.e. a piece of code that loops through the corresponding values it has. Once the iteration is over, fuzzing stops.

In order to trigger this iteration process, a user must select their fuzzer of choice, based on a number of categories that it belongs to. Examples include, SQL Injection, to Cross Site Scripting (XSS) 101, to the Octal number system.

Each fuzzer has a number of different payloads, these are numbered in a set, thus forming an array. When defining a fuzzer, the order of payloads is important.

The type of iteration that a fuzzer performs while being executed corresponds to the type of fuzzer that it is. We have replacive fuzzers that are values of payloads being executed by substituting for a particular payload value, recursive fuzzers, such as the number system of hexadecimal values as well as more exotic categories (like zero fuzzers) that we shall investigate below.

Thus, if you want to perform a SQL injection check on a web application or service, you need to know to use a replacive fuzzer that has as payloads SQL injection payloads. On the other hand, if you want to iterate through values 000 to 777, you need to know to use a recursive fuzzer of length 3. Let's dig into each of the categories a bit more.