The Session Handling Options


BrowserBruter has a rich set of options for handling sessions, so that web pages can be fuzzed without running into authentication errors -

Session:
  --headers "Auth: 123","CUSTOM_HEADER: VALUE"
                        Comma-separated list of custom headers.
  --cookie name:value,name2:value2
                        Use it to define cookies to be used while sending initial request, cookies should be in name:value:domain comma separated format.
  --force-cookie        Use this switch to force setting of cookies given as argument using --cookie flag regardless of cookies being sent by server.
  --remove-session      Use this switch to remove session data and cookies after each request-response cycle.

Note: Authentication and login can also be done manually by running BrowserBruter with either the --pause or --interactive switch. Learn more here.

Adding custom HTTP request headers using --headers option


The --headers option adds custom headers to every HTTP request before it is sent to the server.

This is most useful for adding authorization headers that carry API tokens or JWTs, so that forms are fuzzed as an authenticated user.

It can just as well carry headers that have nothing to do with sessions or authentication.

It takes a comma-separated list of headers to add to the HTTP requests, as follows -

python3 BrowserBruter.py --elements username,password --payloads fuzz.txt --target http://localhost/login1.php --button btn-default --attack 1 --fill username,password --headers "Auth: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c","CustomHeaderKey: CustomHeaderValue" --interactive --verbose

Here is the live demonstration of the above sample command -

As highlighted here, the JWT and the other custom header are added to the HTTP request. This allows the web forms to be fuzzed as an authenticated user.
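As an added example, not code from BrowserBruter, the shell script below builds the --headers value from one Name: value pair per line and checks a JWT's exp claim before starting a long run, since an expired token turns every fuzz request into an authentication failure. Because the tool's help describes the argument as a comma-separated list, a header value that itself contains a comma (Accept: text/html,application/xml, say) cannot be passed this way, and the helper refuses it rather than emitting a silently broken header. The helper names, the alg none demo token builder and the BB_JWT variable are assumptions made for the example; the sample token is the one from the command above.

```shell
#!/bin/sh
# Added example, not BrowserBruter's own code. Helper names (build_headers_arg,
# jwt_exp, ...) and the demo token builder are assumptions made for the demo.

# The page's sample token (header.payload.signature; its payload has iat but no exp).
SAMPLE_JWT='eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'

# Join "Name: value" lines read from stdin into the single comma-separated value
# that --headers takes. The tool's help calls the argument a comma-separated
# list, so a value containing a comma cannot be expressed; fail loudly instead.
build_headers_arg() {
  result=''
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    case "$line" in
      *,*) echo "header contains a comma, cannot be passed via --headers: $line" >&2; return 1 ;;
    esac
    result="${result:+$result,}$line"
  done
  printf '%s\n' "$result"
}

# base64url-encode stdin (RFC 7515 style: '-' '_' alphabet, no '=' padding).
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# Decode the payload (second segment) of a JWT: base64url -> base64, re-pad, decode.
# Uses base64 -d (GNU coreutils; recent macOS accepts -d too, older ones want -D).
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  pad=$(( (4 - ${#seg} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do seg="${seg}="; pad=$((pad - 1)); done
  printf '%s' "$seg" | base64 -d
}

# Print the exp claim in epoch seconds; prints nothing when the token has none.
# Crude extraction, sufficient for the flat JSON objects JWT payloads usually are.
jwt_exp() {
  jwt_payload "$1" | tr -d ' \n' | grep -o '"exp":[0-9]*' | cut -d: -f2
}

# Return 0 if the token is usable at time $2 (epoch seconds, default: now), 1 if
# expired. A token without exp is treated as non-expiring, as most verifiers do.
jwt_is_valid_at() {
  exp=$(jwt_exp "$1")
  now="${2:-$(date +%s)}"
  [ -z "$exp" ] && return 0
  [ "$exp" -gt "$now" ]
}

# Build an unsigned (alg none) token with the given JSON payload. Demo only, so
# the expiry check can be exercised offline: a real token comes from the
# target's login or token endpoint, and a sane server rejects alg none.
make_unsigned_jwt() {
  hdr=$(printf '%s' '{"alg":"none","typ":"JWT"}' | b64url)
  pl=$(printf '%s' "$1" | b64url)
  printf '%s.%s.\n' "$hdr" "$pl"
}

# Refuse to start a long fuzz run with a token that is already expired, then run
# the login form fuzz from the page with the token plus any extra headers.
run_headers_fuzz() {   # $1 = JWT, remaining args = extra "Name: value" headers
  tok=$1; shift
  if ! jwt_is_valid_at "$tok"; then
    echo "token already expired, fetch a fresh one first" >&2
    return 1
  fi
  hdrs=$( { printf 'Auth: Bearer %s\n' "$tok"; for h in "$@"; do printf '%s\n' "$h"; done; } | build_headers_arg ) || return 1
  python3 BrowserBruter.py --elements username,password --payloads fuzz.txt \
    --target http://localhost/login1.php --button btn-default --attack 1 \
    --fill username,password --headers "$hdrs" --interactive --verbose
}

# Entry point only when invoked as: sh headers.sh --run  (BB_JWT must be exported).
if [ "${1:-}" = "--run" ]; then
  run_headers_fuzz "${BB_JWT:?export BB_JWT with a token issued by the target}" 'CustomHeaderKey: CustomHeaderValue'
fi
```

Without --run the script only defines the functions, which is how the helpers can be exercised offline. The header name Auth follows the page's example; most APIs expect Authorization: Bearer ..., so use whatever name the target actually checks.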

Adding custom cookies using --cookie option


The --cookie option adds custom cookies to the browser instance. This is useful for adding authentication cookies, and any other cookies the target requires.

The --cookie option takes a comma-separated list of name:value pairs (the help text also accepts an optional domain as name:value:domain), as shown below -

python3 BrowserBruter.py --buttons-to-press-before-fuzz button1 --elements brandName,brandStatus --payloads fuzz.txt --target http://localhost/brand.php --attack 1 --button createBrandBtn --fill brandName,brandStatus --cookie PHPSESSID:ujmrvhk6esu84l8r2i2h2ee7f2,cookie2:value2

Here we fuzz the Add Brand functionality of the Stock Management System while authenticated, by supplying --cookie PHPSESSID:ujmrvhk6esu84l8r2i2h2ee7f2.

Here is a live demonstration of the above sample command -
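As an added example that is not part of BrowserBruter or the Stock Management System, the script below logs in once with curl, lets the server's Set-Cookie headers fill a cookie jar, and converts that jar into the name:value,name2:value2 form that --cookie takes, so the PHPSESSID value never has to be copied by hand out of a browser. It assumes login1.php accepts a POST with username and password fields (the field names the login examples on this page use) and that credentials are supplied through the BB_USER and BB_PASS environment variables; the helper names are invented for the example.

```shell
#!/bin/sh
# Added example, not BrowserBruter's own code. Assumptions: login1.php takes a
# POST with username/password fields; credentials come from BB_USER/BB_PASS;
# the helper names are invented here.

# Convert a Netscape-format cookie jar (what curl -c writes) into the
# name:value,name2:value2 value that --cookie expects. Jar columns are:
# domain, include-subdomains, path, secure, expiry, name, value. curl writes
# HttpOnly cookies with a "#HttpOnly_" prefix on the domain, which makes them
# look like comments, so that prefix is matched explicitly and kept. Because
# the argument is split on commas, a cookie value containing one is rejected.
cookiejar_to_arg() {
  awk -F'\t' '
    /^#HttpOnly_/ || !/^#/ {
      if (NF < 7) next
      if ($7 ~ /,/) { print "cookie value contains a comma: " $6 > "/dev/stderr"; bad = 1; exit 1 }
      out = (out == "") ? $6 ":" $7 : out "," $6 ":" $7
    }
    END { if (!bad && out != "") print out }
  ' "$1"
}

# Log in once with curl; the Set-Cookie headers in the response populate the jar.
login_and_save_jar() {   # $1 base URL, $2 user, $3 password, $4 jar path
  curl -s -o /dev/null -c "$4" \
    --data-urlencode "username=$2" --data-urlencode "password=$3" \
    "$1/login1.php"
}

# The Add Brand fuzz from the page, run with the captured session. --force-cookie
# keeps the captured PHPSESSID even if the server tries to issue a new one.
fuzz_add_brand() {   # $1 jar path
  cookies=$(cookiejar_to_arg "$1") || return 1
  if [ -z "$cookies" ]; then
    echo "no cookies captured, the login probably failed" >&2
    return 1
  fi
  python3 BrowserBruter.py --buttons-to-press-before-fuzz button1 \
    --elements brandName,brandStatus --payloads fuzz.txt \
    --target http://localhost/brand.php --attack 1 --button createBrandBtn \
    --fill brandName,brandStatus \
    --cookie "$cookies" --force-cookie
}

# Entry point only when invoked as: sh cookies.sh --run
if [ "${1:-}" = "--run" ]; then
  jar=$(mktemp)
  login_and_save_jar http://localhost "${BB_USER:?set BB_USER}" "${BB_PASS:?set BB_PASS}" "$jar"
  fuzz_add_brand "$jar"
  rm -f "$jar"
fi
```

Without --run the script only defines the functions. The empty-jar check matters in practice: a wrong password yields no session cookie, and the fuzz run would otherwise start unauthenticated and report every payload as a login redirect.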

Forcing cookie values using --force-cookie


The --force-cookie switch resets the cookies supplied with the --cookie option at the start of each new fuzz attempt.

The server may override the values initially set with --cookie, for example by issuing a new session identifier in a Set-Cookie response header. If you need the cookie values to stay exactly as they were supplied with --cookie, use this switch as shown below -

python3 BrowserBruter.py --buttons-to-press-before-fuzz button1 --elements brandName,brandStatus --payloads fuzz.txt --target http://localhost/brand.php --attack 1 --button createBrandBtn --fill brandName,brandStatus --cookie PHPSESSID:ujmrvhk6esu84l8r2i2h2ee7f2,cookie2:value2 --force-cookie

This forces the browser to always use the value ujmrvhk6esu84l8r2i2h2ee7f2 for the PHPSESSID cookie and value2 for the cookie2 cookie.

Clearing session data using --remove-session


The --remove-session switch forces BrowserBruter to clear all session storage from the browser before each fuzz attempt, meaning every cookie is removed before a new fuzzing attempt is made.

This is most useful when fuzzing login pages. On a successful authentication the server sets auth cookies in the browser and typically redirects it away from the target page; the fuzzer is then no longer on the page it expects, which breaks the fuzzing process and eventually leads to a crash.

Here is a live example of this switch in use. We brute-force the login page of the Stock Management System, first without --remove-session and then with it -

python3 BrowserBruter.py --elements-payloads username:usernames.txt,password:passwords.txt --button btn-default --target http://localhost/login1.php --attack 4

Without --remove-session switch

As can be seen above, after a successful login BrowserBruter got stuck. If you want the remaining payloads to be tested regardless, use the --remove-session switch as shown below -

With --remove-session switch

As we can see above, even after a successful login the attack does not stop.

That is not all: this switch can also be combined with --force-cookie, clearing the cookies set by the server and resetting the initial cookie values on every attempt.

python3 BrowserBruter.py --buttons-to-press-before-fuzz button1 --elements brandName,brandStatus --payloads fuzz.txt --target http://localhost/brand.php --attack 1 --button createBrandBtn --fill brandName,brandStatus --cookie PHPSESSID:ujmrvhk6esu84l8r2i2h2ee7f2 --force-cookie --remove-session

This is what happens when the above sample command is used -

  1. On the first fuzzing attempt, BrowserBruter sets the cookie PHPSESSID:ujmrvhk6esu84l8r2i2h2ee7f2.
  2. On every following iteration, BrowserBruter clears all cookies from the browser (including any session cookie the server issued) and sets PHPSESSID:ujmrvhk6esu84l8r2i2h2ee7f2 again.

Hop on to the next section to learn about the JavaScript & Session Handling options.
