Revision as of 10:15, 13 October 2010 by Paulo Coimbra (Talk | contribs)



[Screenshots: JBroFuzz Splash Screen, Default Fuzzing Header, Results Screenshot]

JBroFuzz is a web application fuzzer for requests being made over HTTP or HTTPS. Its purpose is to provide a single, portable application that offers stable web protocol fuzzing capabilities.

The current version is 2.4. Get it from the SourceForge Download Section.


Release Notes (2.4):

  • Command-line support: the main class parses and executes the command-line options
  • Added the --no-execute option to the command-line support
  • Added a "Connection: close" preference option, so that header is added to requests automatically
  • Massive UI revamp for the Fuzzing tab, which now contains 3 sub-tabs: Input, Output and On the wire
  • Introduction of Fuzzing Transforms for double-URL, triple-Base64 and similar encodings
  • Added HTTP proxy support and authentication for checking updates
  • EncoderHashWindow improvements: history is now kept across different row selections
  • Fixed ZBase32 Encoding/Decoding to work as Phil wants it to
  • Prefix/Suffix in Fuzzer Transforms: http://www.owasp.org/index.php/OWASP_JBroFuzz_Tutorial#Added_Fuzzer_Transformations
  • Added a plain-text encoder, similar to Zero-Fuzzer for theoretical completeness
  • Fixed a bunch of supposed "security holes" reported by static analyzers
  • Small Oracle payloads update
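
The transform pipeline behind those release-note items (double URL encoding, triple Base64, prefix and suffix) and the "Connection: close" header option, worked through as an added Python example. This is not JBroFuzz's own code, which is Java; the transform names, the `decode_url_layers` helper and the host `example.test` are this example's assumptions. The decode helper shows why layered encodings are worth fuzzing with at all: a component that percent-decodes once and one that decodes twice see different strings for the same request.

```python
import base64
from urllib.parse import quote, unquote

# A transform list is an ordered sequence of (name, argument) pairs applied
# left to right. "url" and "base64" take a repeat count; "prefix" and "suffix"
# take the string to attach. The names are this example's own, not JBroFuzz's.


def url_encode(value: str) -> str:
    """Percent-encode every character outside the unreserved set."""
    return quote(value, safe="")


def base64_encode(value: str) -> str:
    """Standard Base64 of the UTF-8 bytes of value."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def apply_transforms(payload: str, transforms: list) -> str:
    """Produce the on-the-wire form of one payload."""
    out = payload
    for name, arg in transforms:
        if name == "url":
            for _ in range(int(arg)):
                out = url_encode(out)
        elif name == "base64":
            for _ in range(int(arg)):
                out = base64_encode(out)
        elif name == "prefix":
            out = str(arg) + out
        elif name == "suffix":
            out = out + str(arg)
        else:
            raise ValueError(f"unknown transform: {name!r}")
    return out


def decode_url_layers(value: str, layers: int) -> str:
    """What a component that percent-decodes `layers` times ends up seeing.

    A filter that decodes once sees "a%20b" for a double-encoded "a b",
    while an application that decodes twice sees "a b".
    """
    out = value
    for _ in range(layers):
        out = unquote(out)
    return out


def build_request(host: str, path: str, param: str, encoded_value: str,
                  connection_close: bool = True) -> str:
    """Assemble a minimal HTTP/1.1 GET request carrying the encoded payload.

    connection_close mirrors the "Connection: close" preference: when set,
    the header is appended to every generated request automatically.
    """
    lines = [
        f"GET {path}?{param}={encoded_value} HTTP/1.1",
        f"Host: {host}",
    ]
    if connection_close:
        lines.append("Connection: close")
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    # Constructed sample: a harmless payload, double URL-encoded with affixes.
    wire = apply_transforms("a b", [("url", 2), ("prefix", "q_"), ("suffix", "_z")])
    print(wire)  # q_a%2520b_z
    print(build_request("example.test", "/search", "q", wire))
    for layers in (1, 2):
        print(layers, "decode(s):", decode_url_layers("a%2520b", layers))
```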

Vulnerability Identification

JBroFuzz generates requests, puts them on the wire and records the corresponding responses. It does not attempt to identify whether a particular site is vulnerable; that requires further human analysis.

However, certain payloads in the fuzzers used to generate requests (e.g. the XSS fuzzers) are crafted to exploit known classes of flaws in web applications. JBroFuzz groups fuzzers and their payloads into a number of categories according to these previously known vulnerability classes.

Thus, the human analyst has to select the fuzzers that correspond to the set of vulnerabilities to test against, and then review the results to recognise whether exploitation succeeded.

JBroFuzz Documentation

Online Documentation

JBroFuzz Tutorial

Frequently Asked Questions (FAQs)

JBroFuzz Install Guide

JBroFuzz Payloads and Fuzzers

Built-in Documentation

Frequently Asked Questions: Help -> FAQ

Help Topics: Help -> Topics

Application Overview

The components of JBroFuzz are presented in tabs, with further options (encodings, a hash calculator, headers from popular browsers) available under the Tools menu. The basic components are:

Fuzzing: The fuzzing tab is the main tab of JBroFuzz, responsible for all fuzzing operations performed over the network. Depending on the fuzzer payloads selected, it creates the malformed data for each request, puts it on the wire and writes the response to a file.

Graphing: The graphing tab graphs (in a variety of forms) the responses received while fuzzing. It can give a clear indication of a response that differs from the rest, which is a sign that further examination is required.

Payloads: The payloads tab is a collection of fuzzers with their corresponding payloads that can be used while fuzzing. Payloads are added to the request in the fuzzing tab; this tab gives a clearer view of which payloads are available, how they are grouped and what properties each fuzzer has.

Headers: The headers window is a collection of browser headers that can be used while fuzzing. The headers are obtained from different browsers on different platforms and operating systems. This tab is provided because many web applications respond differently when different browsers are impersonated.

System: The system tab is the logging console of JBroFuzz at runtime. Here you can access Java runtime information, see any errors that occur and track operation through the events being logged.
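
As an added Python example covering both the Vulnerability Identification section above and the graphing tab's purpose of surfacing the response that differs from the rest: a recorded run of responses is compared against the majority baseline, and any response whose status, length or timing departs from it is flagged for the analyst to examine. The `Response` record, the sample run and the thresholds are constructed for this example; none of it is JBroFuzz's own code or data.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Response:
    index: int      # position in the fuzzing run
    payload: str    # the fuzzer payload that produced this response
    status: int     # HTTP status code
    length: int     # response body length in bytes
    millis: int     # round-trip time in milliseconds


# Constructed sample run: the kind of table a fuzzing tab records,
# with two responses (index 4 and 5) deliberately unlike the rest.
SAMPLE_RUN = [
    Response(0, "", 200, 1180, 40),
    Response(1, "a", 200, 1182, 42),
    Response(2, "a b", 200, 1184, 39),
    Response(3, "a%20b", 200, 1181, 41),
    Response(4, "%00", 500, 312, 35),
    Response(5, "A" * 4096, 200, 9850, 120),
    Response(6, "AAAA", 200, 1185, 38),
]


def majority_status(responses):
    """The status code most responses came back with: the run's baseline."""
    return Counter(r.status for r in responses).most_common(1)[0][0]


def flag_outliers(responses, length_tolerance=0.5, time_factor=2.0):
    """Return [(index, [reasons])] for responses that differ from the rest.

    Baseline length and time are medians over the majority-status responses,
    so a few anomalous replies cannot drag the baseline towards themselves.
    The tolerances are this example's choice, not a recommended setting.
    """
    if not responses:
        return []
    base_status = majority_status(responses)
    baseline = [r for r in responses if r.status == base_status]
    base_len = median(r.length for r in baseline)
    base_ms = median(r.millis for r in baseline)
    flagged = []
    for r in responses:
        reasons = []
        if r.status != base_status:
            reasons.append(f"status {r.status} differs from baseline {base_status}")
        if base_len and abs(r.length - base_len) / base_len > length_tolerance:
            reasons.append(f"length {r.length} vs baseline {base_len:.0f}")
        if base_ms and r.millis > time_factor * base_ms:
            reasons.append(f"time {r.millis} ms vs baseline {base_ms:.0f} ms")
        if reasons:
            flagged.append((r.index, reasons))
    return flagged


if __name__ == "__main__":
    # Print the rows an analyst would open first; the verdict stays with them.
    for index, reasons in flag_outliers(SAMPLE_RUN):
        print(f"#{index} payload={SAMPLE_RUN[index].payload[:16]!r}: {'; '.join(reasons)}")
```

The flags are a triage aid, not a verdict: a 500 with a short body may be a crash, a harmless error page, or a rate limit, and only reading the recorded response tells which.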


Building a web application fuzzer that sits at the edge of breaking known protocol specifications can be a very time-consuming exercise. JBroFuzz therefore has a roadmap, with tasks ordered by how much time each would take to achieve.

You can find the project roadmap here.

Source Code

JBroFuzz is written in Java and requires a 1.6 (or higher) JRE/JDK to run. It consists of roughly 70 classes and uses 10 external libraries in total. It builds under Apache Ant.

SVN (Subversion) is a tool used by many software developers to manage changes within their source code tree. This project's SourceForge.net Subversion repository can be checked out with the following command:

svn co https://jbrofuzz.svn.sourceforge.net/svnroot/jbrofuzz jbrofuzz

If the above sounds a bit Greek, you can also browse the complete source code at:


Feedback and Participation

We hope you find the OWASP JBroFuzz Project useful. Please contribute to the project by volunteering for one of the tasks on the roadmap, or by sending your comments, questions and suggestions to subere@uncon.org.

To join the OWASP JBroFuzz Project mailing list or view the archives, please visit the subscription page.

Release SHA1SUM

Project About

{{Template:{{{1}}} | project_name = OWASP JBroFuzz Project | project_home_page = JBroFuzz

| project_description = JBroFuzz is a stateless web application fuzzer for requests being made over HTTP and/or HTTPS. Its purpose is to provide a single, portable application that offers stable web protocol fuzzing capabilities. As a tool, it emerged from the needs of penetration testing.

| project_license = GNU General Public License v3

| leader_name1 = Ranulf Green | leader_email1 = ranulf.green@owasp.org | leader_username1 = Ranulf Green

| contributor_name1 = Yiannis Pavlosoglou | contributor_email1 = yiannis@owasp.org | contributor_username1 = Yiannis

| contributor_name2 = Markus Miedaner | contributor_email2 = markusmiedaner@googlemail.com | contributor_username2 =

| pamphlet_link =

| presentation_link =

| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-jbrofuzz

| project_road_map = http://www.owasp.org/index.php/Category:OWASP_JBroFuzz_Project_-_Roadmap

| links_url1 = http://www.sourceforge.net/projects/jbrofuzz | links_name1 = JBroFuzz's Sourceforge Repository

| links_url2 = http://video.google.co.uk/videoplay?docid=6388655108193715653&q=jbrofuzz | links_name2 = Video Tutorial (to watch)

| links_url3 = http://sourceforge.net/project/showfiles.php?group_id=180679&package_id=209088&release_id=461300 | links_name3 = Video Tutorial (to download)

| links_url4 = http://jbrofuzz.svn.sourceforge.net/viewvc/jbrofuzz/ | links_name4 = Java Documentation, source code and latest build

| links_url5 = http://java.sun.com/ | links_name5 = Run the JBroFuzz's application (you will need Java 1.6 Runtime Environment)

| release_1 = JBroFuzz 2.4

| release_2 = JBroFuzz 1.9

| release_3 = JBroFuzz 1.7

| release_4 =

| project_about_page = Projects/OWASP_JBroFuzz_Project