[Owasp-JBroFuzz] fuzzing AMF

Yiannis Pavlosoglou yiannis at owasp.org
Mon Sep 27 05:25:42 EDT 2010


Hi Juraj,

Unfortunately, there is nothing in the roadmap of JBroFuzz regarding
actual support of fuzzing AMF actionscript messages on the wire. This
is the first such request that we are receiving. If we do get more
requests like this, we would have to reconsider.

Having said that, provided you settle on your particular method of
choice for putting AMF actionscript messages on the wire, you can
use the Java APIs that JBroFuzz offers for more advanced fuzzing.
Examples of this can be found at:
http://www.owasp.org/index.php/OWASP_JBroFuzz_Tutorial#How_to_Use_JBroFuzz_as_a_Fuzzing_Library

The reporting functionality should be easy to replicate even if the
fuzzing data request and responses. You just need to place individual
numbered files in a directory where jbrofuzz saves fuzzing data. Each
file needs to follow the format below (comments start with <-
comment):

<!--
720 <- response time in ms
--
200 <- status code received back
--
BST-2010-09-27-10-12-58-061
--
0000000002 <- file name
--
http://www.bbc.co.uk
--
0
--
GET / HTTP/1.0
Host: www.bbc.co.uk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB;
rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
JBroFuzz/2.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close



--
--jbrofuzz--> <- response starts below this comment
HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
Cache-Control: max-age=60, private
Content-Type: text/html
Date: Mon, 27 Sep 2010 09:12:57 GMT
Etag: "1285578777"
Connection: close
Set-Cookie: BBC-UID=d4fc2a60661051f928bdd80530706c967e28f20c00d0f0ec32e913dfd9f2ac5f0Mozilla%2f5%2e0%20%28Windows%3b%20U%3b%20Windows%20NT%206%2e0%3b%20en%2dGB%3b%20rv%3a1%2e9%2e0%2e10%29%20Gecko%2f2009042316%20Firefox%2f3%2e0%2e10%20%28%2eNET%20CLR%203%2e5%2e30729%29%20JBroFuzz%2f2%2e4;
expires=Fri, 26-Sep-14 09:12:57 GMT; path=/; domain=bbc.co.uk;

<!DOCTYPE html PUBLIC "-

Also on the cc, Jon Rose, for visibility within OWASP.

Hope the above is of value!

Thank you,

Yiannis

On 26 September 2010 11:57, Juraj Bednar <asterisk4juraj at gmail.com> wrote:
> Hello,
>
>    I've seen a lot of applications using AMF (binary format for
> encoding data structures).
> This is used mainly by Adobe Flash/Flex clients, although it is a
> generic format for encoding
> data structures. There are basic tools like deblaze, which does a pretty
> good job in method
> enumeration: http://deblaze-tool.appspot.com/.
>
>     Also BurpSuite supports decoding and changing AMF, but no
> fuzzing. I am wondering,
> if anyone has been thinking about implementing AMF support into
> JBroFuzz. Being a binary
> format, it requires special support (it is not possible to just
> replace parts in the middle of
> the request). But there are pretty good libraries, which are
> open-source and it would be
> possible to do this very easily.
>
>     Currently, I am doing this by fuzzing manually for a particular
> application. The reporting
> capabilities of JBroFuzz would be a great upgrade though. Is it
> possible to use a third party
> fuzzer and just somehow see the results in JBroFuzz while there's no
> AMF support directly
> in JBroFuzz?
>
>        Thank you,
>
>             Juraj.
>
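Added example (not part of the original email and not JBroFuzz code): Python helpers that write and re-read one record in the layout shown in the reply above, so the output of a third-party AMF fuzzer can be saved as numbered files. The timestamp pattern, the constant sixth field, the UTF-8 encoding and the empty file suffix are assumptions inferred from the single sample in the email.

```python
from datetime import datetime
from pathlib import Path

SEP = "--\n"                       # separator line between fields
RESPONSE_MARK = "--jbrofuzz-->\n"  # the response starts on the next line


def render_record(number, url, request, response, status, elapsed_ms,
                  when, zone="BST", sixth_field="0"):
    """Build one record in the field order of the sample in the email.
    Assumptions: the timestamp is <zone>-YYYY-MM-DD-HH-MM-SS-mmm, and the
    unlabelled sixth field is written as "0", as in the sample.
    """
    stamp = f"{zone}-{when:%Y-%m-%d-%H-%M-%S}-{when.microsecond // 1000:03d}"
    header = [str(elapsed_ms), str(status), stamp, f"{number:010d}", url, sixth_field]
    # Values taken from a fuzzed target are untrusted: a line break inside a
    # single-line field would shift every field that follows it.
    if any("\n" in f or "\r" in f for f in header):
        raise ValueError("header fields must be single-line")
    head = "<!--\n" + "".join(f"{f}\n{SEP}" for f in header)
    return f"{head}{request}\n{SEP}{RESPONSE_MARK}{response}"


def parse_record(text):
    """Split a record into its six header fields, the request and the response."""
    head, mark, response = text.partition(SEP + RESPONSE_MARK)
    if not mark or not head.startswith("<!--\n"):
        raise ValueError("not in the expected layout")
    fields = head[len("<!--\n"):].split("\n" + SEP, 6)
    if len(fields) != 7:
        raise ValueError("expected six header fields and a request")
    return fields[:6] + [fields[6][:-1], response]


def write_record(directory, number, suffix="", **fields):
    """Write the record to <directory>/<10-digit number><suffix> (suffix is an assumption)."""
    path = Path(directory) / f"{number:010d}{suffix}"
    with open(path, "w", encoding="utf-8", newline="") as handle:
        handle.write(render_record(number, **fields))
    return path


if __name__ == "__main__":
    # Constructed sample values; the URL and both messages are placeholders.
    print(render_record(2, "http://target.example", "POST /gateway HTTP/1.0\r\n\r\n",
                        "HTTP/1.1 200 OK\r\n\r\n", 200, 720,
                        datetime(2010, 9, 27, 10, 12, 58, 61000)))
```

A binary AMF body has to be turned into text (for example a hex dump) before it is passed as `request` or `response`; which rendering JBroFuzz displays best is not covered by the email.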

