Basic Usage
Note: If you installed the app via pip, replace ./FuzzingTool.py with FuzzingTool in the commands below.
The base result for all the scanners includes at least the following attributes:
{ requestIndex, requestMethod, payload, RTT, requestElapsedTime, responseElapsedTime, responseStatus, responseLength, responseQuantityOfWords, responseQuantityOfLines }
Every scanner runs a match analysis on the FuzzingTool result before any other scanner-specific analysis.
You can match results based on the response: status code (-Mc), length (-Ms) and elapsed time (-Mt).
Match by status code: Set a single status code, a list, or a range of status codes to match.
-Mc 500 # Set only status code 500
-Mc 200,301,302 # Set a list of status codes; including 200, 301 and 302
-Mc 500-600 # Set a range of status codes; 500 <= status <= 600
-Mc 200,301,302,500-600 # Combination of the previous examples
Match by length: Set a length to match (in bytes)
-Ms 1000 # Set the response size to match greater than 1000 bytes
Match by elapsed time: Set a time (RTT) to match (in seconds)
-Mt 30 # Set the request+response elapsed time to match greater than 30 seconds
Combine match options to perform a precise analysis.
$ ./FuzzingTool.py -u https://mydomainexample.com/post.php?id= -w ~/wordlists/sqli.txt -Mc 500 -Mt 20 -t 50
By blacklisting a status code, you stop FuzzingTool from continuing its fuzzing tests once an unwanted status is detected.
--blacklist-status STATUS:ACTION
# Available actions: skip | wait
--blacklist-status STATUS:skip # Skips the current target
--blacklist-status STATUS:wait=SECONDS # Pause the app for some seconds
For example, if you don't want to stress the server or cause internal errors, just skip the current target when detecting code 500:
--blacklist-status 500:skip
Another example: if the server rejects your requests (status 429), you can pause the app for some seconds:
--blacklist-status 429:wait=300 # Will wait for 5 minutes before resuming the app
The DataScanner is the default scanner for the DataFuzzing type of fuzzing. This scanner adds two new attributes to the result:
FuzzingToolResult += { payloadLength, responseBodyText }
The PathScanner is the default scanner for the URL PathFuzzing type of fuzzing. This scanner adds one new attribute to the result, and changes the payload attribute value to the URL path:
FuzzingToolResult['payload'] = urlPath
FuzzingToolResult += { redirected }
The SubdomainScanner is the default scanner for the URL SubdomainFuzzing type of fuzzing. This scanner adds one new attribute to the result:
FuzzingToolResult += { targetIp }
The file dictionary builds the wordlist from a file.
-w ~/example/directory/wordlist.txt
Example:
./FuzzingTool.py -u https://$.domain.com/ -w ~/wordlists/subdomains.csv
The list dictionary builds the wordlist from a payload list given on the command line.
-w [payload1,payload2,...]
Example:
./FuzzingTool.py -u https://$.domain.com/ -w [cpanel,admin,wp-admin,mail]
You can set a range (integer or alphabet) inside or outside a payload. Only one range per payload is accepted. For example:
-w [0-10] # Produces [0, 1, 2, 3, ..., 10]
-w [a-z] # Produces [a, b, c, d, ..., z]
-w [PAY0-10LOAD] # Produces [PAY0LOAD, PAY1LOAD, PAY2LOAD, ..., PAY10LOAD]
-w ['PAY\-LOAD'] # Produces [PAY-LOAD]
-w [init, 0-10, end1, end2] # Produces [init, 0, 1, 2, 3, ..., 10, end1, end2]
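The following is an added re-implementation of the list-dictionary syntax described above, written for this page and not taken from FuzzingTool's own code. It assumes the quotes in the 'PAY\-LOAD' example are shell quoting (the tool receives PAY\-LOAD), and that a hyphen with reversed bounds, as in the unescaped wp-admin payload shown earlier, is kept literal instead of producing an empty range.

```python
import re
from typing import List, Optional

# Hypothetical parser for "-w [payload1,payload2,...]"; not FuzzingTool's code.
# A range is "<int>-<int>" or "<letter>-<letter>" anywhere inside a payload.
RANGE_RE = re.compile(r'(\d+|[a-zA-Z])-(\d+|[a-zA-Z])')


def _range_values(start: str, end: str) -> Optional[List[str]]:
    """Inclusive integer or single-letter range; None if bounds are mixed or reversed."""
    if start.isdigit() and end.isdigit():
        lo, hi = int(start), int(end)
        return [str(i) for i in range(lo, hi + 1)] if lo <= hi else None
    if start.isalpha() and end.isalpha():
        lo, hi = ord(start), ord(end)
        return [chr(c) for c in range(lo, hi + 1)] if lo <= hi else None
    return None


def expand_payload(payload: str) -> List[str]:
    """Expand at most one range inside a payload.

    A backslash-escaped hyphen ("\\-") never forms a range, because the regex
    requires the hyphen to follow the bound directly; it is unescaped afterwards.
    Assumption: a reversed range (e.g. 'p-a' in 'wp-admin') is left literal.
    """
    for m in RANGE_RE.finditer(payload):
        values = _range_values(m.group(1), m.group(2))
        if values is not None:
            prefix = payload[:m.start()].replace('\\-', '-')
            suffix = payload[m.end():].replace('\\-', '-')
            return [prefix + v + suffix for v in values]
    return [payload.replace('\\-', '-')]


def build_list_wordlist(arg: str) -> List[str]:
    """Turn the bracketed, comma-separated -w argument into the final wordlist."""
    arg = arg.strip()
    if not (arg.startswith('[') and arg.endswith(']')):
        raise ValueError("list dictionary must be wrapped in [ ]")
    wordlist: List[str] = []
    for item in arg[1:-1].split(','):
        item = item.strip()          # "[init, 0-10, end1]" allows spaces after commas
        if item:
            wordlist.extend(expand_payload(item))
    return wordlist
```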