Fuzzing Options

The Fuzzing options are the options which alters the fuzzing process of the BrowserBruter.

There are following fuzzing options available-

Fuzzing Options:
  --fill e1,elemn3,user,npass,id
                        Auto fill the specified elements, useful when web page is complex when you want to target specific fields only.
  --fill-values /path/to/file.json
                        [Optional] Path to User provided elements values file. See sample-file-for-giving-form-values.json
  --buttons-to-press-before-fuzz visibleform,ok,confirm,pressthis
                        Supply list of buttons to be pressed in sequence before filling the form, useful if form submission requires some action or form is invisible until some button is pressed.[Note if the button is not clickable element, then use --javascript and supply javascript to click the element.]
  --press-enter-no-click
                        This switch will force the Browser Bruter to send ENTER key instead of clicking the button, useful when form is submitted when pressing entering on text field and there are no buttons to click.
  --delay-before 0.2    Delay before fuzz attempt.
  --delay-after 0.2     Delay after fuzz attempt.
  --threads 3           Specifies number of browsers instances to be run, max value is 20, default is 1, lower the instances slower and stable the fuzzing process, more instances - faster and unstable fuzzing process. Note: The higher amount of threads consumes more system resources.
  --pause               Pause the BrowserBruter instances on startup, press ENTER to resume.
  --interactive         Pause the BrowserBruter before fuzzing any element at each payload and wait for user to continue.
  --pause-after-submit  Pause the script after pressing the submit button to allow pentester to interact with the web application.
  --reload-page         This switch tells The Browser Bruter to reload the page before fuzzing the form on each iteration, useful when result of previous iteration causes the web elements to disappear or which leads to elements not found error, in such case this switch helps to keep browser bruter running.
  --form changePasswordForm
                        Specify id,name,class of form to fuzz in case of multiple forms
  --remove-class cdk-text-field-autofill-monitored
                        Provide a list of elements from which you want to remove the class attribute, extremely useful when element is linked to some class with extreme javascript input validation or makes the element not intractable, you can still select this element by providing it's class name.

The --fill option

The --fill option allows pentester's to specify the input elements or fields which are required to be filled automatically by BrowserBruter in order to successfully submit the form.

For Example, suppose we have Login Page with two input fields - 1. Username & 2. Password. Now in order to submit this form, it requires both of these fields to be filled before sending their values to server.

In such case, we can auto fill these values by specifying them with --fill username,password

This is also useful when you don't want to fuzz any specific field want to fill it. For example let's suppose there is check box saying Accept The Terms before allowing you to login. Now you want to bruteforce this login page but it requires accepting this checkbox then you can specify to fill this checkbox automatically using 

python3 BrowserBruter.py --elements-payloads userid:ids.txt,pass:passwords.txt --target http://localhost/login.php --attack 4 --fill term

The --fill-values option

The BrowserBruter will automatically fill the elements specified in --fill option based on their type attribute. However, if pentester wants to provide custom values for this types, it can do it via providing a json file as following - 

{
        "text":"text",
        "number":"1234567890",
        "password":"P2$$@@wrd0!@#JJJ",
        "email":"email@email.com",
        "url":"http://localhost.xyz/",
        "file":"name.txt",
        "tel":"1234567890",
        "date":"2023-06-17",
        "datetime":"2023-07-17T10:30",
        "time":"10:30",
        "month":"2023-07",
        "week":"2023-W25",
        "color":"#ff0000",
        "range":"50",
        "textarea":"AtextForTextArea"
}

Here, right hand side values represents the types of elements and right hand side values are the values which will be filled in the elements. You can change these right hand side values according to your needs. However, the .json file must contain all the other types, even if it is not changed.

For example, if I want to change the default value of "tel" type, I will simply change it's value and provide file with following content - 

{
        "text":"text",
        "number":"1234567890",
        "password":"P2$$@@wrd0!@#JJJ",
        "email":"email@email.com",
        "url":"http://localhost.xyz/",
        "file":"name.txt",
        "tel":"0987654321",
        "date":"2023-06-17",
        "datetime":"2023-07-17T10:30",
        "time":"10:30",
        "month":"2023-07",
        "week":"2023-W25",
        "color":"#ff0000",
        "range":"50",
        "textarea":"AtextForTextArea"
}

There is no need to specify values for select, options, checkbox and radio buttons as they already have pre-defined value in web page.

Handling Basic Navigation Using --buttons-to-press-before-fuzz option

There are scenarios where we need to click a button or two to navigate to the page or make the form which we need to fuzz appear. For tackling such navigation, you can use --buttons-to-press-before-fuzz option which takes comma separated list of elements which The BrowserBruter will click in sequential manner.

For example, in below scenario of our test application, there is an option to add brand. Now in order to make that form active, we have to click on Add Brand button.

We can handle this navigation using following 

python3 BrowserBruter.py --buttons-to-press-before-fuzz button1 --elements brandName,brandStatus --payloads fuzz.txt --target http://localhost/brand.php --cookie PHPSESSID:ujmrvhk6esu84l8r2i2h2ee7f2 --attack 1 --button createBrandBtn --fill brandName,brandStatus

Here, 

- `--buttons-to-press-before-fuzz button1` specify the 'Add Brand' button to press to make form appear.
- `--elements` are the elements to fuzz.
- `--payloads` are the file containing payloads.
- `--target` is the URL of target page.
- `--cookie` is the cookie for authentication. Learn more about session handling [here](session.md)
- `--attack 1` specifies the attack mode as Sniper.
- `--button` specifies the button which submits the form.
- `--fill` specifies required fields in form.

Following is the Live demonstration of above command -

Pressing ENTER instead of clicking the button using --press-enter-no-click switch

Sometimes, the filled values are submitted to server when you press enter on element you are filling the values i.e. search field. In such scenarios the --press-enter-no-click switch can be used to send "ENTER" key instead of clicking the --button.

For example, in OWASP Juice Shop, there is search functionality.

Here, In order to fuzz this search bar, first we have to click on the search icon then we have to send 'ENTER' key after filling the values using --press-enter-no-click switch as follows - 

python3 BrowserBruter.py --elements mat-input-0 --button mat-input-0 --attack 1 --target http://localhost:3000/#/ --cookie welcomebanner_status:dismiss --payloads fuzz.txt --buttons-to-press-before-fuzz searchQuery --press-enter-no-click --remove-class mat-input-0

Here,

  • --elements is the search field.
  • --button is also the search field.
  • --attack is sniper attack mode.
  • --target is the target URL.
  • --cookie is the cookie supplied to server and stored in browser.
  • --payloads is the file containing payloads.
  • --buttons-to-press-before-fuzz is search icon we are clicking to open the search bar.
  • --press-enter-no-click is the switch sending "ENTER" key to --button field which is mat-input-0 the search field.
  • --remove-class is the option to remove class attribute from element. We will learn about it next.

Following is the live example of BrowserBruter in working to tackle above scenario -

Removing client side input validation by removing class using --remove-class option

Some times, the input is being sanitized at client side after filling it in input field. There are scenarios where input elements class attribute has specific value, which triggers this input sanitization.

For example, in above scenario, where we are fuzzing the search bar, if we do not remove the class attribute from search field, then notice that no search operation will take place.

python3 BrowserBruter.py --elements mat-input-0 --button mat-input-0 --attack 1 --target http://localhost:3000/#/ --cookie welcomebanner_status:dismiss --payloads fuzz.txt --buttons-to-press-before-fuzz searchQuery --press-enter-no-click

As can be seen in above example, no search operation is taken place due to special characters or any reason. Hence let's try to tackle this by removing the class attribute from search field.

python3 BrowserBruter.py --elements mat-input-0 --button mat-input-0 --attack 1 --target http://localhost:3000/#/ --cookie welcomebanner_status:dismiss --payloads fuzz.txt --buttons-to-press-before-fuzz searchQuery --press-enter-no-click --remove-class mat-input-0

And we have successfully tackled this issue as can be seen below.

Controlling Attack Speed Using --delay-before and --delay-after options

The --delay-before and --delay-after options (as name suggests) are used to cause delay before and after filling the form respectively.

This are useful when web page is complex or takes some time to load or there are many operations taking place.

Note: Whenever BrowserBruter crashes due to element not found or any browser related error in the middle of the attack (after three or four iterations), it is good practice to reduce the speed of The BrowserBruter using these options.

There is no requirement to mention both options at same time, you can specify only one and not specify other according to your needs. For example, if web page takes a time to load the element go with the --delay-before options, if there are some operations taking place after submitting the form then go with the --delay-after option. Or go with the both as required.

Both arguments takes values in seconds in following format -

  • --delay-before 1 delay of 1 second
  • --delay-after 0.5 delay of half second
  • --delay-before 2.5 delay of 2 and half second
  • --delay.after 0.1 delay of 100 milliseconds

For Example, following will add delay of 1 second before filling the form and delay of 2 seconds after filling the form -

python3 BrowserBruter.py --buttons-to-press-before-fuzz button1 --elements brandName,brandStatus --payloads fuzz.txt --target http://localhost/brand.php --cookie PHPSESSID:ujmrvhk6esu84l8r2i2h2ee7f2 --attack 1 --button createBrandBtn --fill brandName,brandStatus --delay-before 1 --delay-after 0.5

Which is pretty noticeable as shown below -

Unleashing The --threads

The BrowserBruter can be speed up using --threads. Here the threads are the number of browser instances the BrowserBruter will spawn and control simultaneously. The payloads then will be equally divided among the browser instances. Hence, increasing system resource consumption and speeding up to fuzzing process.

The maximum threads the BrowserBruter supports is 20. Least required is 1.

For Example, here we are running the BrowserBruter with 5 threads.

Unique progress bar for their respective browser instance is shown on the console.

alt text

Using more threads can reduce the fuzzing process time drastically, for example here we have same attack but first one is with one thread and second is with 20 threads and there is huge difference of time in terms of amount of payloads.

  1. alt text

  2. alt text

Warning: Although increasing the threads reduces fuzzing time and speeds up the BrowserBruter, the more system resources will be consumed with increased number of threads and some times breaks the web pages and results in crashes. It is recommended to use --delay-before or --delay-after option in case of crashes due to higher number of threads or use lesser threads when system resources are not sufficient enough.

TL;DR: The higher the number of threads - more speed, less fuzzing time, more system resource requirements, more un-stability in fuzzing. The lesser the number of threads - stable fuzzing, less speed, less system requirements.

Pause on startup using --pause switch

The --pause switch will pause the BrowserBruter on startup after it has spawned the browser instance. This will allow you to manually perform any action before starting the fuzzing process.

For example, here we are manually login to the application before fuzzing the Add Brand functionality - 

python3 BrowserBruter.py --buttons-to-press-before-fuzz button1 --elements brandName,brandStatus --payloads fuzz.txt --target http://localhost/brand.php --attack 1 --button createBrandBtn --fill brandName,brandStatus --pause

As can be seen above, after spawning the browser, the BrowserBruter pauses its execution and waits for users signal to resume. The BrowserBruter can be resumed by pressing ENTER key twice on the console.

The Interactive Mode using --interactive switch

The Interactive mode might look simple at first is by far the most handy mechanism during solving captchas, error handling, performing manual interactions. Think of it as --puase switch but valid for each fuzzing attempt.

It gives total control of browser to pentester during each fuzzing attempt.

The most useful use case of this is solve captchas manually.

Here is a live demonstration of --interactive switch

python3 BrowserBruter.py --buttons-to-press-before-fuzz button1 --elements brandName,brandStatus --payloads fuzz.txt --target http://localhost/brand.php --attack 1 --button createBrandBtn --fill brandName,brandStatus --interactive

As can be seen above, the BrowserBruter pauses before each fuzz attempt.

Note: You can still enter and exit Interactive mode during middle of the fuzzing using 'y' and 'n' keys respectively.

alt text

The interactive mode after form submission - --pause-after-submit switch

As name suggests the --pause-after-submit pauses the BrowserBruter after pressing the --button supplied button. This allows pentester to perform some manual interaction after pressing the button.

For example 

python3 BrowserBruter.py --buttons-to-press-before-fuzz button1 --elements brandName,brandStatus --payloads fuzz.txt --target http://localhost/brand.php --attack 1 --button createBrandBtn --fill brandName,brandStatus --cookie PHPSESSID:ujmrvhk6esu84l8r2i2h2ee7f2 --pause-after-submit

The --pause-after-submit switch can be combined with --interactive to enable pause before and after of each fuzz attempt.

Reloading the page before fuzzing it using --reload-page switch

Due to XHR technology, there might be scenarios where elements you were fuzzing will disappear after submission of the form, and page does not reloads due to XHR, In such scenarios or in any case where you want to first reload the page before fuzzing it, the --reload-page switch can be used.

The --reload-page switch force reloads the target web page, ensuring that the all the elements appear in DOM of the web page.

Specifying the form using --form option

In case of multiple forms having elements with same identifiers (id or name, which is extremely rare) you can specify the which form to fuzz by specifying its identifier (id, name or class) using --form option.

Hope on to the next section to learn about Session Handling Options.

results matching ""

    No results matching ""