Skip to main content

A Python3 module to assist in fuzzing web applications

Project description

Py3webFuzz

made--python

';-- Python Web Fuzzing module Library

Python3 Module Compatible
Awesome

Author

Contributors

  • Nathan Hamiel @nathanhamiel

DESCRIPTION

Based on pywebfuzz, Py3webfuzz is a Python3 module to assist in the identification of vulnerabilities in web applications, Web Services through brute force, fuzzing and analysis. The module does this by providing common testing values, generators and other utilities that would be helpful when fuzzing web applications, API endpoints and developing web exploits.

py3webfuzz has the fuzzdb and some other miscellaneous sources implemented in Python classes, methods and functions for ease of use. fuzzdb project is just a collection of values for testing. The point is to provide a pretty good selection of values from fuzzdb project and some others sources, cleaned up and available through Python3 classes, methods and namespaces. This makes it easier and handy when the time comes up to use these values in your own exploits and PoC.

Effort was made to match the names up similarly to the folders and values from the latest fuzzdb project. This effort can sometimes make for some ugly looking namespaces. This balance was struck so that familiarity with the fuzzdb project would cross over into the Python code. The exceptions come in with the replacement of hyphens with underscores.

INSTALLATION

Installation can be done in a couple of ways. If you want use virtual environment

Option 1

  • Using pip
$ sudo apt-get install python3-venv

Create a folder for your "venv", go to the directory and execute the following command

 $ python3 -m venv venv

Upgrade, Activate PIP and Install

$ python3 -m pip install --upgrade pip
$ source venv/bin/activate
$ pip3 install py3webfuzz

You should be able to go.

Option 2

You can run the supplied setup.py with the install command

 $  setup.py install

You can also use easy_install if that's what you do to manage your installed packages

 $ easy_install py3webfuzz_VERSION.tar.gz

You can also point to the location where the tar.gz lives on the web

 $ easy_install URL_package

Uploading this module to the Python Package Index. At that point you should be able to just type

 $ easy_install py3webfuzz

Use in your Code

  • Some test cases can be found within info sub folder
# Accessing SQLi values and encode them for further use 
# Import Library
from py3webfuzz import fuzzdb
from py3webfuzz import utils, encoderFuncs
# Instantiate a Class Object that give you access to a set of SQLi values
sqli_detect_payload = fuzzdb.Attack.AttackPayloads.SQLi.Detect()
# Getting Access to those values through a list
for index, payload in enumerate(sqli_detect_payload.Generic_SQLI):
    print(f"Payload: {index} Value: {payload}")
    # Using encoderFuncs you can get different handy encodings to develop exploits
    print(f"SQLi Char Encode: {encoderFuncs.sqlchar_encode(payload)}")
# Send HTTP request to your target
# Import Library
from py3webfuzz import utils
# Custome your target and Headers
location = "http://127.0.0.1:8080/WebGoat/start.mvc#lesson/WebGoatIntroduction.lesson"
    headers = {"Host": "ssl.scroogle.org", "User-Agent": \
               "Mozilla/4.0 (compatible; MSIE 4.01; AOL 4.0; Mac_68K)",
               "Content-Type": "application/x-www-form-urlencoded"}
# at this point you have a dic object with all the elements for your pentest
# "headers": response.headers, "content": response.content, "status_code": response.status_code,
# 'json': response.json, "text": response.text, "time": f"Total in seconds: {time}"
res = utils.make_request(location, headers=headers, method="get")
# print the response 
print(res)

Demo

FUTURE

  • Uploading this module to the Python Package Index.
  • Integrate features, classes , methods and values for Mobile Pentest
  • Enhance the XSS, XXE, techniques throw some new features (Any ideas are welcome)
  • Feature for Server-Side Template Injection

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

py3webfuzz-0.1.6.tar.gz (11.1 kB view details)

Uploaded Source

File details

Details for the file py3webfuzz-0.1.6.tar.gz.

File metadata

  • Download URL: py3webfuzz-0.1.6.tar.gz
  • Upload date:
  • Size: 11.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.2.0 pkginfo/1.5.0.1 requests/2.24.0 setuptools/49.1.0 requests-toolbelt/0.9.1 tqdm/4.47.0 CPython/3.8.3

File hashes

Hashes for py3webfuzz-0.1.6.tar.gz
Algorithm Hash digest
SHA256 2ea52e419ca9bc37c168fa64f62f5d6aa8640bfceb26e675368cfe0f75764094
MD5 4bd89278c93bd82c385c95027eac2940
BLAKE2b-256 672be2bf0705cf792e52f982e250e024c9d3653154162d1aea9efcdcf49e0714

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page