htrgouvea/nozaki

Nozaki

Security-oriented HTTP fuzzing engine



Summary

"Fuzzing is one of the most powerful and proven strategies for identifying security issues in real-world software" and for this reason, Nozaki tries to bridge the gap for a complete solution focused on web applications.

The idea is for this solution to be complete enough to cover the entire fuzzing process for a web application (be it a monolith, a REST API, or even a GraphQL API): fully parameterized, able to be piped with other tools, and equipped with amazing filters.

Nozaki supports dynamic workflows written in YAML, so test cases can be written once and then reused as many times as necessary on different targets.


Download & Install

  $ git clone https://github.com/NozakiLabs/nozaki && cd nozaki
  $ cpanm --installdeps .

How to use

$ perl nozaki.pl

Nozaki v0.2.9
Core Commands
==============
    Command           Description
    -------           -----------
    -A, --accept      Define a custom 'Accept' header
    -T, --tasks       The number of threads to run in parallel
    -H, --header      Define a custom header (header=value)
    -m, --method      Define HTTP methods to use during fuzzing, separeted by ","
    -u, --url         Define a target
    -w, --wordlist    Define wordlist of paths
    -d, --delay       Define seconds of delay between requests
    -a, --agent       Define a custom User Agent
    -r, --return      Set a filter based on HTTP Response Code
    -e, --exclude     Exclude a specific result based on HTTP Response Code
    -t, --timeout     Define the timeout, default is 10s
    -p, --payload     Send a custom data
    -j, --json        Display the results in JSON format
    -W, --workflow    Pass a YML file with a fuzzing workflow
    -S, --skip-ssl    Ignore SSL verification
    -l, --length      Filter by the length of content response 
    -c, --content     Filter by string based on the content response
    -P, --proxy       Send all requests through a proxy
    -h, --help        See this screen

Basic examples

# Content Discovery: finding pages with 200 response code for the GET method
$ perl nozaki.pl --method GET --url https://nozaki.io/ --return 200 --wordlist /path/to/wordlist.txt

Code: 200 | URL: https://nozaki.io/CNAME | Method: GET | Response: OK | Length: null
Code: 200 | URL: https://nozaki.io/index | Method: GET | Response: OK | Length: 6335
Code: 200 | URL: https://nozaki.io/index.html | Method: GET | Response: OK | Length: 6335
Code: 200 | URL: https://nozaki.io//README.md | Method: GET | Response: OK | Length: 3950

# Discover the HTTP methods supported by the application, using a custom wordlist and an auth token
$ perl nozaki.pl -u http://lab.nozaki.io:8081 -e 404,400,405 -w ~/path/to/wordlist.txt -H "X-Auth-Token=da1b16b40fe719cb73c7a19e2b6fa9c7" -H "Content-type=application/json"

Code: 200 | URL: http://lab.nozaki.io:8081/ | Method: GET | Response: OK | Length: 85
Code: 200 | URL: http://lab.nozaki.io:8081/ | Method: HEAD | Response: OK | Length: 85
Code: 200 | URL: http://lab.nozaki.io:8081/tokens | Method: GET | Response: OK | Length: 246
Code: 500 | URL: http://lab.nozaki.io:8081/tokens | Method: POST | Response: Internal Server Error | Length: 1469
Code: 200 | URL: http://lab.nozaki.io:8081/user/6 | Method: GET | Response: OK | Length: 72
Code: 200 | URL: http://lab.nozaki.io:8081/tokens | Method: HEAD | Response: OK | Length: 246
Code: 200 | URL: http://lab.nozaki.io:8081/uptime | Method: GET | Response: OK | Length: 129
Code: 200 | URL: http://lab.nozaki.io:8081/user/6 | Method: HEAD | Response: OK | Length: 72
Code: 200 | URL: http://lab.nozaki.io:8081/uptime | Method: HEAD | Response: OK | Length: 129

# Using a YAML workflow for "complex" fuzzing test cases
rules:
  - description: Find valid paths based on CMS directories
    method: GET
    wordlist: wordlists/technologies/cmsmap.txt
    return: 200
  - description: Find valid paths based on Wordpress
    method: GET
    wordlist: wordlists/technologies/wordpress.txt
    return: 200
  - description: Find valid paths based on Drupal
    method: GET
    wordlist: wordlists/technologies/drupal.txt
    return: 200

$ perl nozaki.pl -u http://lab.nozaki.io:31337/ -W /path/to/workflows/cms.yml

Code: 200 | URL: http://lab.nozaki.io:31337/wp-content/plugins/easy-wp-smtp/ | Method: GET | Response: OK | Length: null
Code: 200 | URL: http://lab.nozaki.io:31337/wp-json/wp/v2/users/ | Method: GET | Response: OK | Length: null
Code: 200 | URL: http://lab.nozaki.io:31337/wp-config.php | Method: GET | Response: OK | Length: null
Code: 200 | URL: http://lab.nozaki.io:31337/wp-content/backup-db/ | Method: GET | Response: OK | Length: null
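
Since the results are meant to be piped into other tools, the plain-text result lines shown above can be summarised in the shell. This is an added example, not part of the Nozaki project: the function names and the sample lines (host lab.example.test) are constructed, and it assumes the "Code | URL | Method | Response | Length" line layout shown in this README.

```shell
#!/bin/sh
# Added example: post-process Nozaki's plain-text result lines, assumed to look like
#   Code: 200 | URL: http://host/path | Method: GET | Response: OK | Length: 85

# Constructed sample output (hypothetical host, not real scan data).
sample_output() {
  cat <<'EOF'
Code: 200 | URL: http://lab.example.test:8081/ | Method: GET | Response: OK | Length: 85
Code: 200 | URL: http://lab.example.test:8081/tokens | Method: GET | Response: OK | Length: 246
Code: 500 | URL: http://lab.example.test:8081/tokens | Method: POST | Response: Internal Server Error | Length: 1469
Code: 200 | URL: http://lab.example.test:8081/ | Method: HEAD | Response: OK | Length: 85
Code: 200 | URL: http://lab.example.test:8081/uptime | Method: GET | Response: OK | Length: null
EOF
}

# Per URL, in first-seen order, print "URL<TAB>METHOD=CODE,METHOD=CODE,...".
nozaki_methods_by_url() {
  awk -F' [|] ' '
    /^Code: / {
      code = url = method = ""
      # Look fields up by label rather than position; skip malformed lines.
      for (i = 1; i <= NF; i++) {
        if (index($i, "Code: ") == 1) code = substr($i, 7)
        else if (index($i, "URL: ") == 1) url = substr($i, 6)
        else if (index($i, "Method: ") == 1) method = substr($i, 9)
      }
      if (code == "" || url == "" || method == "") next
      if (!(url in seen)) { seen[url] = 1; order[++n] = url }
      pair = method "=" code
      methods[url] = (methods[url] == "" ? pair : methods[url] "," pair)
    }
    END { for (i = 1; i <= n; i++) printf "%s\t%s\n", order[i], methods[order[i]] }
  '
}

# Print "CODE METHOD URL" for every 5xx result (unhandled server errors to triage first).
nozaki_server_errors() {
  awk -F' [|] ' '
    /^Code: 5[0-9][0-9] / && index($2, "URL: ") == 1 && index($3, "Method: ") == 1 {
      print substr($1, 7), substr($3, 9), substr($2, 6)
    }
  '
}

sample_output | nozaki_methods_by_url
sample_output | nozaki_server_errors
```

To use it on a real run, replace `sample_output` with the `perl nozaki.pl ...` command line and pipe its output into either function.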

Docker container

$ docker build -t nozaki . 
$ docker run -ti --rm nozaki --help

Contribution

Your contributions and suggestions are heartily ♥ welcome. See the contribution guidelines. Please report bugs via the issues page, and for security issues, see the security policy. (✿ ◕‿◕) This project follows the best practices defined by this style guide.


License

This work is licensed under the MIT License.