Fuzzing The Un-Fuzzable Using Debugging and Browser Bruter — Part 1

By Jafar Pathan - April 2025

18 min read

image

The Problem Statement Solved by Browser Bruter

We are unable to fuzz web application whose HTTP body is encrypted, preventing us from fuzzing them directly using traditional methods.

To address this, we developed the Browser Bruter tool, which allows us to fuzz web applications directly. Read more here.

The Problem Introduced by Browser Bruter

However, this solution introduces a new problem. As the complexity of the web application increases (due to dynamic elements, UI, and front-end input validation), the Browser Bruter becomes less efficient. We refer to this as the Curse of Front-End.

To illustrate this issue, I will demonstrate fuzzing a complex web form using Browser Bruter.

A Curse of Front-End

First, let’s analyze our target to better understand what we are dealing with. Below is the target form we will fuzz using Browser Bruter.

image-1

It is a form used to add or create a project. It is complex and contains dozens of options. Let’s review them one by one.

image-2

The first three options are:

  1. Project Name
  2. Project Short Name
  3. Project Description

image-3

The next three options are:

  1. Organization
  2. Network Placement
  3. Creation Date

image-4

image-5

Next, there are various numerical values specifying some sort of range. Finally, there are two switches and a Submit button at the top of the page.

image-6

Let’s enter some random values, fill out the form, and submit it to observe the HTTP traffic.

image-7

After filling out the form, I will click the Submit button, as shown in the image above.

image-8

The image above shows the HTTP request of the form we submitted earlier. We can observe that the traffic is encrypted and non-human-readable, making it extremely difficult or nearly impossible to fuzz this web form using traditional methods (e.g., raw Burp Intruder).

In this scenario, we must use Browser Bruter to fuzz the form. But there’s a twist.

image-9

First of all, as we can see, the input fields do not have any id or name attributes that we can supply to Browser Bruter for fuzzing. Although they have class attributes, the class values are shared by other elements, making them unusable for uniquely identifying the target elements.

Thus, the first issue is encryption, which is why we are using Browser Bruter. However, when using Browser Bruter, we encounter our first roadblock: element identification.

Fortunately, Browser Bruter has a feature to handle this — the ++ operator in the --elements option.

In this case, we can use ++ as follows to identify the element:

--elements projectName++formcontrolname

And voilà! Browser Bruter will easily identify the element and successfully fuzz it.

Both the Project Short Name and Project Description elements also have the formcontrolname attribute, so their syntax will be:

projectShortName++formcontrolname,projectDesc++formcontrolname

image-10

The Creation Date element has a name attribute (name="dp"), so we don't need to use the ++ operator to specify a custom identifier.

So far, our --elements command line has been built as follows:

--elements projectName++formcontrolname,projectShortName++formcontrolname,projectDesc++formcontrolname,dp

image-11

The numerical fields also have the formcontrolname attribute. Let me add them to our command as well:

--elements projectName++formcontrolname,projectShortName++formcontrolname,projectDesc++formcontrolname,dp,infoMin++formcontrolname,infoMax++formcontrolname,lowMin++formcontrolname,lowMax++formcontrolname,mediumMin++formcontrolname,mediumMax++formcontrolname,highMin++formcontrolname,highMax++formcontrolname,criticalMin++formcontrolname,criticalMax++formcontrolname

The Organization and Network Placement are exceptions.