JBroFuzz v2.0 released

JBroFuzz is a web application fuzzer for requests being made over HTTP and/or HTTPS. Its purpose is to provide a single, portable application that offers stable web protocol fuzzing capabilities.

Version 2.0

  • User basic authentication supported and updated headers to show 2.0 release
  • Fixed preferences bug.
  • Added Authorization header option in UI, under URL Encoding
  • Created a Verifier for .jbrf files
  • Fixed a small mistake in EncoderHashFrame.java
  • Implemented a Cross Product Fuzzer within core/CrossProductFuzzer.java
  • Introduced PowerFuzzer.java, DoubleFuzzer.java and fixed the directory location preferences.
  • Fixed Graphing Tab, right click menu
  • Arrayedified preferences, fixed maximum frame size, extracted all icons in a /icons folder.
  • EncoderHashFrame.java binded keys changed to alt+enter to encode and alt+backspace to decode
  • Split org.owasp.jbrofuzz.encode to core and UI
  • Added more documentation within the help topics about fuzzing
  • Added print functionality to keyboard shortcuts
  • Added keyboard shortcuts
  • Fixed the category of SQL Injection
  • Updated INSTALL, README files, converted jbrofuzz.sh to unix format

The components of JBroFuzz are all integrated into a single window and can be accessed through individual tabs. These tabs are:


  • The fuzzing tab is the main tab of JBroFuzz, responsible for all fuzzing operations performed over the network. Depending on the fuzzer payloads selected, it creates the malformed data for each request, puts it on the wire and writes the response to a file.


  • The graphing tab is responsible for graphing (in a variety of forms) the responses received while fuzzing. This tab can offer a clear indication of a response that is different then the rest received, an indication of further examination being required.


  • The payloads tab is a collection of fuzzers with their corresponding payloads that can be used while fuzzing. Payloads are added to the request in the fuzzing tab; a more clear view of what payloads are available, how they are grouped and what properties each fuzzer has can be seen in this tab.


  • The headers tab is a collection of browser headers that can be used while fuzzing. Headers are obtained from different browsers on different platforms and operating systems. This tab is provided, as many web applications respond differently to different browser impersonation attacks.


  • The system tab represents the logging console of JBroFuzz at runtime. Here you can access java runtime information, see any errors that might occur and also track operation in terms of events being logged.
JPEG - 22.3 kb

"If you can’t fuzz with JBroFuzz, you probably do not want to fuzz!"
For more information, about this tool see: JBroFuzz Tutorial and the official web

JBroFuzz is written in Java and requires a 1.6 JRE/JDK (or higher) installed, to run. It is constituted of less than 70 classes, using, in total, 10 external libraries. It builds under Apache Ant.

More information: here

Post scriptum


Related Articles