Skip to main content

Web application fuzzer that automatically detects and fuzzes data in HTTP requests

Project description


Web application fuzzer that automatically detects and fuzzes the following data in HTTP requests:

  • URL directories
  • URL parameters
  • Cookies
  • Form data
  • JSON data


Example usage

The starting point of fuzzing can be a raw HTTP request or OWASP ZAP message export. Every individual field will be fuzzed in a separate section and the results are shown on screen. The performed requests and received responses are stored by default in a folder called asdfuzz_output/ for later reference. To skip a section while the fuzzer is already running, press [control]+[spacebar].

Individual fields in JSON data will be fuzzed recursively. If base64-urlencoded JSON data is present in parameters or cookies, this data will be fuzzed recursively as well.


Usage: python -m asdfuzz [OPTIONS]

  --filename PATH                 File containing a single HTTP request to
  --zap-export PATH               File containing one or multiple HTTP
                                  requests to fuzz in OWASP ZAP message export
  --wordlist-file PATH            File containing the wordlist used for
                                  fuzzing. A default wordlist is used if this
                                  parameter is empty. In the wordlist, use
                                  template <original> to refer dynamically to
                                  the value in the original request.
  --port INTEGER                  Port used for the connection.  [default:
  --https / --no-https            Use HTTPS.  [default: https]
  --filter-hostname-endswith TEXT
                                  Only keep requests ending with this
  --delay-seconds FLOAT           Seconds of delay between requests.
                                  [default: 0]
  --directories / --no-directories
                                  Fuzz directories in the URL.  [default:
  --parameters / --no-parameters  Fuzz values of parameters in the URL.
                                  [default: parameters]
  --cookies / --no-cookies        Fuzz the values of cookies.  [default: no-
  --form-data / --no-form-data    Fuzz the values of HTTP form data.
                                  [default: form-data]
  --json-data / --no-json-data    Fuzz the values of JSON data.  [default:
  --confirmation / --no-confirmation
                                  Enter the interactive menu.  [default:
  --output-directory PATH         Directory where the fuzzed requests and
                                  responses will be stored.  [default:
  --debug / --no-debug            Enable debug mode.  [default: no-debug]
  --help                          Show this message and exit.


Releases are made available on PyPi. The recommended installation method is via pip:

python -m pip install asdfuzz

For a development setup, the requirements are in dev-requirements.txt. Subsequently, this repo can be locally pip-installed. Developer documentation is provided here.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

asdfuzz-0.0.1.tar.gz (18.4 kB view hashes)

Uploaded Source

Built Distribution

asdfuzz-0.0.1-py3-none-any.whl (23.5 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page