Jawfish: Self-modifying Pentest tool

Back in 2013, Soen-Vanned discussed problems with finding exploits in web applications. Soen’s main problem was that tools with web vulnerability scanner were too signature based. His solution was too use genetic algorithms which can be roughly defined as algorithms that “exploit historical information to direct the search into the region of better performance within the search space.” To utilize this, Soen created a forced evolution – a small python program that in his own words:

  1. Creates a large number of exploit strings
  2. While solution/goal != found
  • Score all of the strings’ performance using a fitness
  • function
  • Cull the weak performing
  • Breed the strong performing
  • Mutate the strings randomly
  1. Display the exploit string that solved the solution

Two years later a GitHub user named Gingeleski did not want to see the project abandoned and have the source code rot away on GitHub. This happens all too often – security researchers have full time jobs and cannot always continue developing interesting open source projects, especially if it only fits a niche role in the information security world.

Gingeleski decided to migrate the code to flask and design a web interface to replace the command line interface. Dubbing the repository & project JawFish, the source code and alpha version were released on May 23rd here.

Security tools and researchers are greatly limited by signature based analysis and having a penetration tool with self-modifying functionality open to the public could be a great boon to the InfoSec and academic communities. Typically the security tools that have functionality like this are quite expensive and way beyond the budget of many security researchers.

Soen recommended that anyone who wanted to use the forced evolution source code donate to the electronic frontier foundation or could help Gingeleski further develop the project as there is still a lot of room to grow (personally I would love .Net or DLL injection functionality). Either way, if you’re a web application tester or a hobbyist, take some time to play around with JawFish. After all, the only way these projects survive is through community involvement.