Skip to content

BrowserBruter is a powerful web form fuzzing automation tool designed for web security professionals and penetration testers. This Python-based tool leverages Selenium and Selenium-Wire to automate web form fuzzing, making it easier to identify potential vulnerabilities in web applications.

License

Notifications You must be signed in to change notification settings

R4GN4R0K-SEC/BrowserBruter

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

57 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

The Browser-Bruter

banner

The Browser-Bruter is first ever browser based automated web pentesting tool for fuzzing web forms by controlling the browser it self. It automates the process of sending payloads to input fields of browser and sends them too server. It completely bypasses the need of breaking the encryption in order to fuzz and insert payloads in BurpSuite scanner and intruder. After fuzzing it generates a comprehensive report including all the data and result of the pentest along with HTTP traffic, this report can be viewed by The Report-Explorer tool which comes with The Browser-Bruter.

Handcrafted in India 🇮🇳

pse2

Please refer to this for Proof of Concept of our claims - https://net-square.com/browserbruter/WhyWeNeedBrowserBruter/

Proof Of Concept

HTTP Manipulation ineffective due to Encryption

https://net-square.com/browserbruter/img/need-1.mp4

Trying to find SQLInjection using SQLMAP

https://net-square.com/browserbruter/img/sqlmap.mp4

Trying to find SQLInjection using BurpSuite

https://net-square.com/browserbruter/img/burp-scan.mp4

BruteForcing login page using FFUF

https://net-square.com/browserbruter/img/ffuf-1-video.mp4

Finding SQL Injection which can not be found in other tools using The Browser Bruter

https://net-square.com/browserbruter/img/sql-injection.mp4

BruteForcing Login page using The Browser Bruter

https://net-square.com/browserbruter/img/brute-force-login-1.mp4

Please refer official documentation for installation and to learn how to use, It is highly recommended. You can find the official documentation - https://net-square.com/browserbruter/

Table of Contents

What it does?

The biggest advantage of using browser bruter for fuzzing the web application is that all of the fuzzing will take place at browser level, so all of the attack will be as they have been manually done by the user by typing payloads in the input fields of the web application on browser.

This approach -

  • Allows Pentester to fuzz the web application forms when the HTTP body (or part of the body) is encrypted making HTTP proxy tools like ZAP and BurpSuite or SQLMap unable to insert payloads in such traffic. Learn more here.

  • Creates a way to bypass captchas by allowing the pentester to manually perform the required human interactions and then proceed to payload insertions.

  • Can fuzz front-end when there is no HTTP traffic, for example when Input is utilized on the client side, i.e. when you want to brute force OTP input which is validated on the client side, so there is no HTTP Traffic.

  • Removes the burden of session management, auth handling and other micro management like CSRF handling while using HTTP proxy tools.

console console

Prerequisites

  • Linux
  • Python3

Quick Installation

Requires following python packages:

  • selenium
  • selenium-wire
  • webdriver_manager
  • ttkthemes
  • pytimedinput
  • colorama
  • beautifulsoup4
  • undetected-chromedriver
  • requests
  • pandas
  • tqdm

Tested on latest version (as of March 2024) of each package.

  1. Download and install Python3
  2. Download the latest release from releases.
  3. Unzip the archive.
  4. Run pip3 install -r requirements.txt
  5. Done

Refer documentation for detailed installation guide. - https://net-square.com/browserbruter/SetupInstallation/

Test Lab for BrowserBruter

The Lab shown in documentation can be setup using docker as follows-

  1. Download and run the docker image - sudo docker run --rm -p 80:80 hpandro/vims
  2. Start the MySQL service using following -
    1. First copy the container id using sudo docker container ls -a
    2. Then start the service using sudo docker exec -it [containerid] service mysql start Navigate to http://localhost/ to test site.

Working Flow Overview

image

Features

Contributing

BrowserBruter is an open-source project, and we welcome contributions from the community. If you would like to contribute to BrowserBruter, you can do so in several ways:

  • GitHub Repository: The source code for BrowserBruter is hosted on GitHub. You can contribute by forking the repository, making your changes, and submitting a pull request. Contributions can include bug fixes, new features, documentation improvements, or any other enhancements.

  • Reporting Issues: If you encounter a bug or issue while using BrowserBruter, please report it on the GitHub issue tracker. Include as much detail as possible, such as steps to reproduce the issue and your environment details.

  • Feature Requests: If you have a feature request or idea for improving BrowserBruter, you can submit it on the GitHub issue tracker. We welcome feedback and suggestions from the community.

  • Documentation: Improving the documentation is another valuable way to contribute. If you find any errors or gaps in the documentation, you can submit a pull request to update it.

  • Spread the Word: You can also contribute by spreading the word about BrowserBruter. Share it with your friends, colleagues, or on social media to help grow the user community.

Thank you for considering contributing to BrowserBruter. Your support is greatly appreciated!

Contact

License

This project is licensed under the MPL license

Legal Warning

This Browser-Bruter open-source penetration testing tool as well as the documentation is Copyrighted Property of Net-Square Solutions PVT LTD. provided for educational and ethical purposes only. Users are solely responsible for ensuring compliance with all applicable laws and regulations, and the developer(s) disclaim any liability for misuse or damage caused by the tool.

About

BrowserBruter is a powerful web form fuzzing automation tool designed for web security professionals and penetration testers. This Python-based tool leverages Selenium and Selenium-Wire to automate web form fuzzing, making it easier to identify potential vulnerabilities in web applications.

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Python 90.3%
  • JavaScript 5.5%
  • HTML 4.2%