Mobile Application Fuzzer via SSL MITM
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
certs HTTP/HTTP Proxy and HTTPS Connect Support Added Apr 22, 2013
config json content is redirecting json_actions in analyse_content method Jun 9, 2013
docs
fuzz_content Fuzzing Contens fixes #4 May 1, 2013
fuzz_templates Directories Feb 26, 2013
lib Support for request mangling and fuzzing fixed #7 Jun 10, 2013
AUTHORS test branch synronized master branch May 20, 2013
CHANGELOG test branch synronized master branch May 20, 2013
LICENSE test branch synronized master branch May 20, 2013
README.md update README.md Jun 13, 2013
mbfuzzer.rb load file code line is changed in mbfuzzer file Jun 12, 2013

README.md

Mobile Application Fuzzer via SSL MITM (mbfuzzer)

Development Platform : Ruby 2.0

MBFuzzer will be developed for MITM (Man in the Middle) Fuzzing. Mobile applications use HTTP, SOAP, XML and JSON based data streams for communicate the servers. Many mobile applications use SSL Connect method for server communication. This method should be converted to HTTPS GET/POST method for MITM attacks. MBFuzzer will provide HTTP/HTTPS Proxy functionality and Real-Time Fuzzing feature with HTTP Connect conversion support.

Features

  • HTTP/HTTP Proxy Support
  • HTTPS Connect Conversion Support (not fully functional)
  • On-The-Fly Valid SSL certificate generation for target server (Under
  • Development)
  • Real-Time Response/Request Fuzzing Support
  • Fake Service Installation via XML/JSON Templates (Under Development)
  • Supports Different Injection Payloads using Templates

Inspired Projects

Project Team Requirements

  • Good Understanding of SSL/TLS Technology
  • Ruby Development Skills
  • JSON & XML Knowledge
  • Fuzzing Knowledge

Installation

  • Please make sure that your system has necessary packages installed before installation.
  • For development platform Ruby in Ubuntu: sudo apt-get install ruby1.9.3
  • Also XmlSimple library is necessary: gem install xml-simple
  • git clone git@github.com:YakindanEgitim/mbfuzzer.git

Fuzzing Templates

Search & Replace

Purpose of the search & replace structure is finding target element name and changing value of the element according to url. The url field could be any key in the url instead of whole address.

<searchreplace>
    <url> [target url address] </url>
    <target> [element name ] </target>
    <newdata> [replaced data] </newdata>
</searchreplace>

Big Data Entry

Big Data Entry structure aims that applying big character set inorder to give vulnerability information with using data and count tags by element name. Url feature is the same like search and replace structure.

<bigdata>
    <url> [target url address] </url>
    <name> [element name] </name>
    <data> [repeated data] </data>
    <count> [number of repetitions] </count>
</bigdata>

Usage

  • Before starting MBFuzzer, mbconfig.cfg file, which is in config directory, should be updated with using fuzzing templates under MBFuzzer tag.

  • MBFuzzer requires proxy address & port number in starting.

  • By default, it is running on address 127.0.0.1 & port 8080.

  • Running command of MBFuzzer Project:

     `ruby mbfuzzer.rb [address] [port]`