OWASP JBroFuzz Payloads and Fuzzers
“If you can’t fuzz with JBroFuzz, you probably do not want to fuzz!”
The art of teaching, Mark Van Doren said, is the art of assisting discovery. Fuzzing is a representative discipline towards assisting the discovery of security vulnerabilities, that is just beginning to come of age. Over the last two years, through continuous development, JBroFuzz has attempted to expose the intrinsic beauty of the subject: Constantly submit a vast amount of payloads to a service, device or prompt, waiting for the one response that makes all the difference. This is the mentality that JBroFuzz embraces and attempts to offer back to security professionals.
Fuzzing as a concept goes beyond a conventional work flow or a standard methodology. I would argue that to know how to fuzz well, is to master a new language. Thus, similar to the process of learning a programming (or foreign) language, there are three things you must master:
• Grammar: How fuzzing as a process is structured
• Vocabulary: How to name fuzzing concepts you want to use
• Usage: Ways of achieving everyday effective results with fuzzing
The type of syntax in this section does not relate to coding examples, but more towards how fuzzers are grouped into categories and how the corresponding categories form a collection of payloads for different vulnerability types.
To summarise, this second part of the tutorial looks at what the primitive concepts employed by JBroFuzz are and how they are put to use. Without further redo, let’s get fuzzing!
Fuzzer Categories and Types
JBroFuzz contains approximately 50 fuzzers, grouped in a number categories. Each fuzzer is a collection of payloads that are used (at fuzzing runtime) in different ways. There are also different types of fuzzers.
In the eyes of a developer, a fuzzer in JBroFuzz is a java Iterator, i.e. a piece of code that loops through the corresponding values it has. Once the iteration is over, fuzzing stops.
In order to trigger this iteration process, a user must select their fuzzer of choice, based on a number of categories that it belongs to. Examples include, SQL Injection, to Cross Site Scripting (XSS) 101, to the Octal number system.
Each fuzzer has a number of different payloads, these are numbered in a set, thus forming an array. When defining a fuzzer, the order of payloads is important.
The type of iteration that a fuzzer performs while being executed corresponds to the type of fuzzer that it is. We have replacive fuzzers that are values of payloads being executed by substituting for a particular payload value, recursive fuzzers, such as the number system of hexadecimal values as well as more exotic categories (like zero fuzzers) that we shall investigate below.
Thus, if you want to perform a SQL injection check on a web application or service, you need to know to use a replacive fuzzer that has as payloads SQL injection payloads. On the other hand, if you want to iterate through values 000 to 777, you need to know to use a recursive fuzzer of length 3. Let's dig into each of the categories a bit more.
Cross Product Fuzzers
The .JBRF File Format
JBroFuzz has an internal file format for representing fuzzers. Within the JBroFuzz executable, there exists a file called fuzzers.jbrf that carries all the fuzzer definitions. If you unzip the JBroFuzz.jar file you will see it there. Let's look at a fuzzer definition example from that file, namely the XPATH fuzzer:
P:014-XPT-INJ:XPath Injection:10 > Replacive Fuzzers | XPath Injection | Injection >>This is a comment line to be changed in the future ' or '1'='1 ' or ''=' x' or 1=1 or 'x'='y / // //* */* @* count(/child::node()) x' or name()='username' or 'x'='y
Firstly, the fuzzers.jbrf file is flat ascii text file. It defines each entity with an opening line of the following format:
- C is an upper character corresponding to the fuzzer type. 'R' stands for recursive, 'P' for replacive, 'Z' for zero, etc.
- ddd-LLL-LLL is the fuzzer id starting with 3 digits, followed by a dash (-), 3 upper case characters, followed by a second dash (-) and a final set of 3 upper case characters. This value needs to be unique for each fuzzer.
- Name the fuzzer name
- d: The number of payloads a fuzzer actually has.