JBroFuzz v2.1 released

JBroFuzz is a web application fuzzer for requests being made over HTTP and/or HTTPS. Its purpose is to provide a single, portable application that offers stable web protocol fuzzing capabilities.

Release Notes (2.1):

  • Ctrl + M to load your own fuzzers from a .jbrf file
  • Removed the default addition of line feeds at the end of each request; make sure you know what you are fuzzing!
  • On The Wire: right-click to clear, plus an option to select whether requests and/or responses are shown
  • Added ASCII 85 (045-A85-RFC) & printable ASCII 94 (046-A94-CHR) fuzzers.
  • Base32 and zBase32 Encode/Decode functionality added
  • JBroFuzz now logs to a daily log (thanks, Ranulf!)
  • You can load your custom payloads by placing a file called fuzzers.jbrf within your working directory.
  • Added 3 new file extension fuzzers (thanks, Adam)
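
Because line feeds are no longer appended by default, a request goes out exactly as it was typed. The following is an added example, not part of JBroFuzz or of the original announcement: a pre-flight check for a raw HTTP/1.x request that flags a missing header terminator or a Content-Length that no longer matches the body after a payload has been substituted. The function name and the sample requests are assumptions made for illustration.

```python
import re

def check_raw_request(raw):
    """Return a list of framing problems in a raw HTTP/1.x request (bytes).
    Chunked transfer encoding is out of scope for this check."""
    problems = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        # No CRLF CRLF found: either bare-LF endings or no terminator at all.
        head, sep, body = raw.partition(b"\n\n")
        if sep:
            problems.append("header block ends with LF LF instead of CRLF CRLF")
        else:
            problems.append("no blank line terminating the header block")
            head, body = raw, b""
    elif re.search(rb"(?<!\r)\n", head):
        problems.append("bare LF line ending inside the header block")
    lines = [ln.rstrip(b"\r") for ln in head.split(b"\n")]
    if not re.fullmatch(rb"[A-Z]+ \S+ HTTP/1\.[01]", lines[0]):
        problems.append("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    declared = headers.get(b"content-length")
    if declared is None:
        if body:
            problems.append("body present but no Content-Length header")
    elif not declared.isdigit():
        problems.append("Content-Length is not a decimal number")
    elif int(declared) != len(body):
        problems.append("Content-Length is %d but body is %d bytes"
                        % (int(declared), len(body)))
    return problems

# Constructed sample requests (example.test is a placeholder host).
GOOD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
UNTERMINATED = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
# Length was correct for the original 10-byte body, then a payload was inserted.
STALE_LENGTH = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 10\r\n\r\nuser=" + b"A" * 16)

if __name__ == "__main__":
    for name, req in [("good", GOOD), ("unterminated", UNTERMINATED),
                      ("stale length", STALE_LENGTH)]:
        print(name, "->", check_raw_request(req) or "ok")
```

A request that fails the terminator check will usually leave the server waiting for more header data, so a timeout seen while fuzzing may come from the request framing rather than from the payload.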

The components of JBroFuzz are all integrated into a single window and can be accessed through individual tabs. These tabs are:


  • The fuzzing tab is the main tab of JBroFuzz, responsible for all fuzzing operations performed over the network. Depending on the fuzzer payloads selected, it creates the malformed data for each request, puts it on the wire and writes the response to a file.


  • The graphing tab is responsible for graphing (in a variety of forms) the responses received while fuzzing. This tab can offer a clear indication of a response that is different from the rest received, a sign that further examination is required.


  • The payloads tab is a collection of fuzzers with their corresponding payloads that can be used while fuzzing. Payloads are added to the request in the fuzzing tab; a clearer view of what payloads are available, how they are grouped and what properties each fuzzer has can be seen in this tab.


  • The headers tab is a collection of browser headers that can be used while fuzzing. Headers are obtained from different browsers on different platforms and operating systems. This tab is provided because many web applications respond differently to different browser impersonation attacks.


  • The system tab represents the logging console of JBroFuzz at runtime. Here you can access Java runtime information, see any errors that might occur and also track operation in terms of events being logged.

"If you can’t fuzz with JBroFuzz, you probably do not want to fuzz!"
For more information about this tool, see: JBroFuzz Tutorial and the official web

JBroFuzz is written in Java and requires a 1.6 JRE/JDK (or higher) to be installed in order to run. It consists of fewer than 70 classes and uses a total of 10 external libraries. It builds under Apache Ant.

More information: here

Update submitted by Sebastien Gioria