SkillAgentSearch skills...

BurpContextAwareFuzzer

BurpSuite's payload-generation extension aiming at applying fuzzed test-cases depending on the type of payload (integer, string, path; JSON; XML; GWT; binary) and following encoding-scheme applied originally.

GenerateConvertImprove

Install / Use

/learn @mgeeky/BurpContextAwareFuzzer
About this skill

Quality Score

0/100

Supported Platforms

Zed

README

burpContextAwareFuzzer (THIS PROJECT IS NO LONGER MAINTAINED)

BurpSuite's payload-generation extension aiming at applying fuzzed test-cases depending on the type of payload (basic like integer, string, path; JSON; XML; GWT; binary) and following encoding-scheme applied.

The project is just starting, so there are might be many issues, glitches and areas to improve.

How does it work?

diagram

Oh, by the way - this is how XML Fuzzing could look like:

fuzzing

Features

This extension is an answer to a generic problem while using BurpSuite's Intruder tool: what kind of payload am I dealing with, how it has been encoded, what test-cases to generate upon it and re-encode it to proper form?

Before having that, a penetration tester would have to script his own proxy script (and/or extension) to cover appp various encodings that were not supported by BurpSuite (like ZLIB).

Now, in order to accomplish the same task, one can use that extension, which implements following features:

Payload type detection

The extension has to detect with what kind of payload is it dealing with at the moment:

  • Basic type, like: Integer, Float, Path, String
  • JSON = XML
  • GWT (to be implemented)
  • unknown binary data (to be implemented)
  • Some serialized stream (to be implemented)

Having detected type of the payload, the extension will leverage that information to generate proper (according to the context) edge-case values, like integer overflows, path-traversal mutations and so on. Also, having JSON or XML object - it will iterate over it recursively, generaring along the way fuzz values for every parameter or attribute met.

This makes the extension a powerful companion while dealing with severly encoded JSON/XML payloads, making it possible to fuzz them without a hassle.

Encoding detection and re-encoding

There are many situations in which the application is using some kind of encoding to pass around it's parameters. Among the others, the application may use:

  • Base64 and Bas64 URL safe
  • Hex encoding
  • URL Encoding
  • JWT
  • ZLIB
  • combination of them

For instance, there might be payload like: SGVsbG9Xb3JsZA%3d%3d that is a result of URLEncode(Base64('HelloWorld')). In order to get to the inner string, the fuzzer would have to peel of those encodings - mutate the value, and re-apply encodings in reversed order.

For this purpose, the extension will use following gist.

Installation and Usage

Installation

In order to install that extension - download the *.py file, then in Extender->Extension select Add. Then specify that extension is of type Python (you will have to install Jython first ).

Then, in your command line - install Jython requistities:

On windows:

cmd> java -cp jython.jar org.python.util.jython -m ensurepip
cmd> java -cp jython.jar org.python.util.jython -m ensurepip --upgrade
cmd> java -cp jython.jar org.python.util.jython
Jython 2.7.1b3 (default:df42d5d6be04, Feb 3 2016, 03:22:46)
[Java HotSpot(TM) 64-Bit Server VM (Oracle Corporation)] on  java1.8.0_144
Type "help", "copyright", "credits" or "license" for more information.
>>> try:
...     from pip import main as pipmain
... except:
...     from pip._internal import main as pipmain
...
>>> pipmain(['install', '--upgrade', 'pip'])
>>> pipmain(['install', 'anytree'])
>>> pipmain(['install', 'pyjwt'])

On linux:

Try the same as for Windows.

(in case pip fails: try looking for packages like python2-pyjwt ).

Usage

This is a Payload Generation, so it comes into play in Intruder->Payloads->Payload Type->Extension-generated->Selected generator->Context-Aware Fuzzer . Having it specified as your payload-generator, you can start the attack and watch the payloads being mutated.

There are 5 different level of fuzzing intensity implemented, each of them differs in number of test-cases to use per one parameter. Figures are following:

  • Minimal: +/- 50 requests/parameter
  • Low: +/- 100-130 r/p
  • Medium: +/- 150-240 r/p
  • High: +/- 180-440 r/p
  • Extreme: +/- 260-750 r/p

Those figures scale up when the fuzzer is being given with for instance JSON or XML object, having N attributes and nodes.

KNOWN BUGS / LIMITATIONS:

  1. At the moment XML payloads fuzzing has been disabled since there is a problem with Jython's ElementTree implementation, that is implemented in Xerces SAXParser. Refer to: sax2-driver-class-org-apache-xercer-parses-saxparser-not-found

If you think the problem is solved, refer to ContextAwareFuzzer.__init__() and uncomment XMLTypeFuzzer() in self.typeHandlers.

  1. Hardcoded fuzz entries list are to be further optimized and tested since they are crucial to number of input test-cases to generate, and thus directly affect fuzzer's performance.

  2. The fuzzer itself could benefit from more intelligent test-cases generation patterns that have been implemented so far (mostly very generic and simple ones, like bit flipping or cutting parameters in half).

mgeeky

View profile

View on GitHub
GitHub Stars40
CategoryDevelopment
Updated6mo ago
Forks15
mgeeky/burpContextAwareFuzzer

Languages

Python

Security Score

87/100

Audited on Aug 29, 2025

No findings