Web application fuzzer that automatically detects and fuzzes data in HTTP requests
Project description
asdfuzz
Web application fuzzer that automatically detects and fuzzes the following data in HTTP requests:
- URL directories
- URL parameters
- Cookies
- Form data
- JSON data
Example
The starting point of fuzzing can be a raw HTTP request or an OWASP ZAP message export.
Every individual field will be fuzzed in a separate section and the results are shown on screen.
The performed requests and received responses are stored by default in a folder called asdfuzz_output/ for later reference.
To skip a section while the fuzzer is already running, press [control]+[spacebar].
Individual fields in JSON data will be fuzzed recursively. If base64-urlencoded JSON is present in parameters or cookies, this data will be fuzzed recursively as well.
Usage
Usage: python -m asdfuzz [OPTIONS]

Options:
  --filename PATH                 File containing a single HTTP request to
                                  fuzz.
  --zap-export PATH               File containing one or multiple HTTP
                                  requests to fuzz in OWASP ZAP message export
                                  format.
  --wordlist-file PATH            File containing the wordlist used for
                                  fuzzing. A default wordlist is used if this
                                  parameter is empty. In the wordlist, use
                                  template <original> to refer dynamically to
                                  the value in the original request.
  --port INTEGER                  Port used for the connection.  [default:
                                  443]
  --https / --no-https            Use HTTPS.  [default: https]
  --filter-hostname-endswith TEXT
                                  Only keep requests ending with this
                                  hostname.
  --delay-seconds FLOAT           Seconds of delay between requests.
                                  [default: 0]
  --directories / --no-directories
                                  Fuzz directories in the URL.  [default:
                                  directories]
  --parameters / --no-parameters  Fuzz values of parameters in the URL.
                                  [default: parameters]
  --cookies / --no-cookies        Fuzz the values of cookies.  [default:
                                  no-cookies]
  --form-data / --no-form-data    Fuzz the values of HTTP form data.
                                  [default: form-data]
  --json-data / --no-json-data    Fuzz the values of JSON data.  [default:
                                  json-data]
  --confirmation / --no-confirmation
                                  Enter the interactive menu.  [default:
                                  confirmation]
  --output-directory PATH         Directory where the fuzzed requests and
                                  responses will be stored.  [default:
                                  asdfuzz_output]
  --debug / --no-debug            Enable debug mode.  [default: no-debug]
  --help                          Show this message and exit.
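The recursive handling of JSON fields and base64-urlencoded JSON described in the Example section, combined with the <original> wordlist template from the options above, can be sketched as follows. This is an added example, not asdfuzz's own code: the function names, the "<b64json>" path marker, and the sample cookie and wordlist are assumptions made for illustration.

```python
import base64
import json

def b64url_json(value):
    """Decode value as base64url JSON; return the object, or None if it is not."""
    try:
        obj = json.loads(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return obj if isinstance(obj, (dict, list)) else None

def to_b64url_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def variants(node, wordlist, path):
    """Yield (field_path, mutated_copy) pairs; each copy changes exactly one leaf."""
    if isinstance(node, (dict, list)):
        items = node.items() if isinstance(node, dict) else enumerate(node)
        for key, child in list(items):
            for sub, mutated in variants(child, wordlist, f"{path}/{key}"):
                copy = node.copy()      # shallow copy: only this path is replaced
                copy[key] = mutated
                yield sub, copy
        return
    nested = b64url_json(node) if isinstance(node, str) else None
    if nested is not None:              # encoded JSON: recurse, then re-encode
        for sub, mutated in variants(nested, wordlist, path + "<b64json>"):
            yield sub, to_b64url_json(mutated)
        return
    for entry in wordlist:              # plain leaf: one variant per wordlist entry
        yield path, entry.replace("<original>", str(node))

# Constructed sample: a cookie value holding base64url-encoded JSON.
SAMPLE_COOKIE = to_b64url_json({"user": {"id": 7, "role": "viewer"}, "tags": ["a"]})
SAMPLE_WORDLIST = ["<original>X", ""]   # constructed, harmless wordlist entries

if __name__ == "__main__":
    for field, value in variants(SAMPLE_COOKIE, SAMPLE_WORDLIST, "session"):
        print(field, "->", b64url_json(value))
```

Each yielded value differs from the original in exactly one field, which is what lets a response difference be attributed to a single input.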
Installation
Releases are made available on PyPI.
The recommended installation method is via pip:
python -m pip install asdfuzz
For a development setup, the requirements are in dev-requirements.txt.
Subsequently, this repo can be locally pip-installed.
Developer documentation is provided here.
File details
Details for the file asdfuzz-0.0.0.tar.gz.
File metadata
- Download URL: asdfuzz-0.0.0.tar.gz
- Upload date:
- Size: 18.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.7.12
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 7ee0da7e8c6ca9573cce333d4009bf29f88647595761b814939fdfd77619cfb0 |
MD5 | 053f9f00d3c62d393ef49ad98e66aad5 |
BLAKE2b-256 | 3518598b4a06a44f97e401fa147d242a1fe10d0b4fd240899eff6ef31fac83c8 |
File details
Details for the file asdfuzz-0.0.0-py3-none-any.whl.
File metadata
- Download URL: asdfuzz-0.0.0-py3-none-any.whl
- Upload date:
- Size: 22.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.7.12
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 91f02096de3180f20c23f234bd355e32c5e943eb46344bcf35021ddcdf80c830 |
MD5 | f3bd208bb4388188b120db05b3e5c876 |
BLAKE2b-256 | b530e77fada26cf3cff066830a2ea88ab6dd5683cf459fa44305938e709eb102 |