The Javascript and Navigation Handling Options


The BrowserBruter is a highly customizable and extendable tool that a pentester can adapt to tackle many complex scenarios.

It has a rich set of options to both customize and extend how it works. These options are -

JavaScript and Navigation Handling:
  --auto-remove-javascript-validation
                        This switch will tell The Browser-Bruter to not remove common javascript input validations mechanisms. Useful if removing of javascript validation breaks the web app.
  --javascript "alert(1);"
                        Javascript code to run on browser
  --javascript-after JAVASCRIPT_AFTER
                        Javascript code to run on browser after pressing and submitting the button.
  --javascript-file /path/to/javascript/file.js
                        Javascript file containing javascript code to execute
  --replace-code "alert(1);","alert(0);"
                        Replaces the code in response body with the code provided by user in following format - "CODE_TO_REPLACE1","REPLACEMENT_CODE1","CODE_TO_REPLACE2","REPLACEMENT_CODE2"
  --replace-files /path/to/validation_file.js
                        Replace the content of a file in HTTP responses.

The Art of Browser Automation using JavaScript - the --javascript, --javascript-after and --javascript-file options


In simplest terms, the --javascript option takes JavaScript from the pentester and executes it in the browser. The --javascript-after option does the same, but executes the JavaScript after the --button is pressed. The --javascript-file option is the same as --javascript, but takes a .js file to execute.

This looks generic, but it is one of the critical features of the BrowserBruter: it extends the tool's functionality beyond what is implemented, unlocking countless environments in which BrowserBruter can run. [Note: browser automation can also be done using Python, which is more capable than the JavaScript options.]

To show how powerful this feature is, the following example uses OWASP WebGoat 6.0 (Legacy).

This is the JSON injection page from OWASP WebGoat 6.0 (Legacy). After you enter the names of the airports, the list of flights appears. After selecting a flight, you can submit the form. Although this looks simple, there is no way to fuzz this form automatically with BrowserBruter alone, because we first have to fill the airport fields to make the flights appear, then select a flight, and only then inject the payloads.

But by extending the functionality of the BrowserBruter using JavaScript, we can easily fuzz even these types of navigations and forms.

First, understand the logic of how the flights are fetched by inspecting the elements as shown below -

After understanding the logic, write JavaScript to automate these navigations. For example, to tackle this WebGoat example -

```bash
python3 BrowserBruter.py --target http://10.13.37.3:8080/webgoat/start.mvc#attack/1426618575/400 --elements travelFrom,travelTo,radio0,price2Submit --button SUBMIT --attack 1 --payloads fuzz.txt --include-url "http://10.13.37.3:8080/webgoat/attack?Screen=1426618575&menu=400" --cookie ASP.NET_SessionId:fawx1oxcfm0fd4gvzmej5oco,JSESSIONID:5A0B131D432F8E0F832DC958F31AD6D4 --fill radio0 --reload-page --replace-code "return check()","return true" --javascript "
           document.querySelector('#travelFrom').value = 'BOS';
           document.querySelector('#travelTo').value = 'SEA';
           getFlights('http://10.13.37.3:8080/webgoat/attack?Screen=1426618575&menu=400');
"
```

And we have automated all of the navigation -

As we can see above, we are able to fuzz this form by extending the functionality of the BrowserBruter, and the server is panicking due to unexpected malicious payloads.

Another, less complex example of automating navigation using JavaScript follows. Here we have written JavaScript to click two buttons to make the form appear before we inject the payloads into the form.

```bash
python3 BrowserBruter.py --elements editBrandStatus,editBrandName,brandId --payloads sqli.txt --button editBrandBtn --target http://localhost/brand.php --cookie PHPSESSID:ujmrvhk6esu84l8r2i2h2ee7f2 --attack 1 --delay-before 0.3 --fill editBrandName --javascript "document.querySelector('button.btn.btn-default.dropdown-toggle').click(); document.querySelector('a[data-target=\"#editBrandModel\"]').click();"
```

Note: For more complex tasks and navigation, for example cracking captchas, fuzzing multi-page forms and so on, it is recommended to use the --python option if --javascript fails to solve the particular problem.

Altering, removing & replacing input validation code using --replace-code, --replace-file, --auto-remove-javascript-validation


Note: The --remove-class option is also used for bypassing input validation.

The BrowserBruter will remove any HTML-based input validation implemented to sanitize special characters from payloads. But if the input validation logic is custom and implemented in external JavaScript, we can use the --replace-code, --replace-file and --auto-remove-javascript-validation options to disable it.

The --replace-code option

The --replace-code option replaces a given string in the response body with the specified replacement string.

For example, here we have a JavaScript function which returns false when the input contains any special characters

so we can convert this return false into return true, so that the function always returns true regardless of the input.

--replace-code "return false","return true"

We can replace more than one string by providing data as follows -

--replace-code "replace_me_1","I_will_replace_replace_me_1","replace_me_2","I_will_replace_replace_me_2"

For example, in our WebGoat example above,

```bash
python3 BrowserBruter.py --target http://10.13.37.3:8080/webgoat/start.mvc#attack/1426618575/400 --elements travelFrom,travelTo,radio0,price2Submit --button SUBMIT --attack 1 --payloads fuzz.txt --include-url "http://10.13.37.3:8080/webgoat/attack?Screen=1426618575&menu=400" --cookie ASP.NET_SessionId:fawx1oxcfm0fd4gvzmej5oco,JSESSIONID:5A0B131D432F8E0F832DC958F31AD6D4 --fill radio0 --reload-page --replace-code "return check()","return true" --javascript "
           document.querySelector('#travelFrom').value = 'BOS';
           document.querySelector('#travelTo').value = 'SEA';
           getFlights('http://10.13.37.3:8080/webgoat/attack?Screen=1426618575&menu=400');
"
```

we are replacing "return check()" with "return true". The page has a JavaScript function called check(), which returns either true or false based on the input: if the input contains a special character, check() returns false. By replacing the call site, return check(), with return true, the handler always returns true regardless of the input.
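
An added example, not BrowserBruter's own code, modelling what the pair-wise string replacement described above does to a page script and why the same check has to be enforced on the server. The page script, the helper names and the server-side price format are constructed for illustration.

```javascript
// Constructed client-side code, shaped like the check() case described above.
const pageScript = `
function check() {
  var v = fields.price2Submit;
  return !/[^A-Za-z0-9 .$]/.test(v);   // false when special characters are present
}
function onSubmit() { return check(); }
`;

// Apply "OLD1","NEW1","OLD2","NEW2" style pairs as plain string replacements
// (hypothetical helper modelling the documented --replace-code format).
function applyReplacements(body, pairs) {
  if (pairs.length % 2 !== 0) throw new Error('pairs must be OLD,NEW,...');
  for (let i = 0; i < pairs.length; i += 2) {
    body = body.split(pairs[i]).join(pairs[i + 1]);
  }
  return body;
}

// Run the page's onSubmit() handler against a set of form field values.
function submitAllowed(script, fields) {
  return new Function('fields', script + '\nreturn onSubmit();')(fields);
}

// Server-side check on the same field (assumed price format). Nothing done to
// the script delivered to the browser can change what this returns.
function serverValidate(fields) {
  return typeof fields.price2Submit === 'string' &&
         /^\$?\d{1,6}(\.\d{2})?$/.test(fields.price2Submit);
}

const payload = { price2Submit: "600'\"<>" };   // constructed fuzz value
const patched = applyReplacements(pageScript, ['return check()', 'return true']);

const results = {
  original: submitAllowed(pageScript, payload),  // client-side check blocks it
  patched: submitAllowed(patched, payload),      // check() is no longer called
  server: serverValidate(payload),               // still rejected server-side
  serverGood: serverValidate({ price2Submit: '$600' }),
};
console.log(results);
```

The client-side result flips once the call site is rewritten, while the server-side result does not, which is why validation that exists only in delivered JavaScript should be reported as missing input validation.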

The --replace-file option

The --replace-file option replaces the target file with an alternative file. For example, suppose there is a file called input.js which contains code that sanitizes the input. As a pentester, you download this file from the browser and modify its content to neutralize the sanitization process.

Then, using the --replace-file option, you replace the original input.js file with your modified modified-input.js file. You just have to specify the URL of the original input.js file in the format /path/to/file++URL, as follows -

--replace-file "modified-input.js"++"http://localhost/assets/js/input.js"

You can replace multiple files at the same time by providing them in a comma-separated manner.

For example, consider the example below, where we are replacing the original bootstrap.min.js and jquery-ui.min.js files with our own neutralized versions that perform no input validation -

```bash
python3 BrowserBruter.py --buttons-to-press-before-fuzz button1 --elements brandName,brandStatus --payloads fuzz.txt --target http://localhost/brand.php --cookie PHPSESSID:ujmrvhk6esu84l8r2i2h2ee7f2 --attack 1 --button createBrandBtn --fill brandName,brandStatus --replace-file res/samples/js-files-with-no-input-validation/bootstrap.min.js++http://localhost/assests/bootstrap/bootstrap.min.js,"res/samples/js-files-with-no-input-validation/jquery-ui.min.js"++"http://localhost/assests/jquery-ui/jquery-ui.min.js"
```

The --auto-remove-javascript-validation switch

This is a shot in the dark, where BrowserBruter will try its best to automatically remove the JavaScript validation by overriding common JavaScript functions used in input validation. This may work for small applications but will most probably fail for medium and large applications, so the two approaches above, --replace-code and --replace-file, are recommended.

This switch will override the following functions -

```javascript
match()
replace()
test()
isInteger()
isNaN()
```

Hop on to the next section to learn about the options of the Python Scripting Engine and unleash the full potential of the BrowserBruter.
