XML Fuzzer
The current release supports fuzzing by element duplication, element omission and tag malformation. Other methods may be added in the future.
Feature requests are very welcome!
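The three mutation methods named above, sketched as an added example for building test cases against a service you maintain. This is not fuzzml.py's own code; the function names and the sample envelope are assumptions made for illustration.

```python
import copy
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_NS)  # keep the soap: prefix when serializing

# Constructed sample request body, not taken from any real service.
SAMPLE = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
    "<GetUser><id>7</id><name>bob</name></GetUser>"
    "</soap:Body></soap:Envelope>"
)

def variants(xml_text, mutate):
    """Yield one document per non-root element, with mutate(parent, index) applied."""
    root = ET.fromstring(xml_text)
    # Enumerate every (parent position, child index) slot up front, then
    # mutate a fresh copy per slot so each variant carries a single change.
    slots = [(p, i) for p, node in enumerate(root.iter()) for i in range(len(node))]
    for p, i in slots:
        tree = copy.deepcopy(root)
        mutate(list(tree.iter())[p], i)
        yield ET.tostring(tree, encoding="unicode")

def duplicated(xml_text):
    """Element duplication: the chosen element appears twice in a row."""
    return list(variants(xml_text, lambda par, i: par.insert(i, copy.deepcopy(par[i]))))

def omitted(xml_text):
    """Element omission: the chosen element and its subtree are removed."""
    return list(variants(xml_text, lambda par, i: par.remove(par[i])))

def malformed(xml_text):
    """Tag malformation: one closing tag loses its '>' (no longer well-formed)."""
    return [xml_text[:m.end() - 1] + xml_text[m.end():]
            for m in re.finditer(r"</[^>]+>", xml_text)]

if __name__ == "__main__":
    for name, fn in (("dup", duplicated), ("omit", omitted), ("malform", malformed)):
        for doc in fn(SAMPLE):
            print(name, doc)
```

A robust service should reject every malformed variant at the parser and answer the duplicated and omitted ones with a clean fault rather than a crash or a stack trace.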
    usage: fuzzml.py [-h] [--no-cert-validate] [--auto]
                     [--header [<Header> [<Header> ...]] | --fheader <Header
                     file>] [--ua <User-Agent>] [--ct <Content-Type>]
                     [--data <POST content> | --fdata <POST content file>]
                     url

    SOAP web service Fuzzer

    positional arguments:
      url                   Web service URL to fuzz

    optional arguments:
      -h, --help            show this help message and exit
      --no-cert-validate    Disable certificate validation
      --auto                Enable automatic testing
      --header [<Header> [<Header> ...]]
                            Specify required request headers
      --fheader <Headers file>
                            Specify a file containing the required request headers
      --ua <User-Agent>     Specify User-Agent header
      --ct <Content-Type>   Specify Content-Type header
      --data <POST content>
                            Data to be sent inside the request body
      --fdata <POST content file>
                            Specify a file containing the data to be sent inside
                            the request body

- 'Header'
- is an HTTP header you intend to be used in the request. 'Header', when used on the command line, should be in the form 'header value' (the apostrophes should be included). Note that if the strings contain any character other than letters or numbers, the word should be enclosed within quotation marks. For example, if you wish to use the header "Origin: Jack's Server", you should use the string 'Origin "Jack's Server"' (note the absence of the colon).
- 'Headers File'
- is a file containing 'Header's, one per line. The header name and its value should be separated by a space; only include quotation marks if you intend them to be part of the header. For example, if you wish to include the header "Version: Mark/1.1", the file should contain the line Version Mark/1.1.
- 'POST content'
- is the content you want to send to the web service. Duh.
- 'POST content file'
- is a file containing data to be sent. Duh.
- 'POST content'
- when given on the command line, 'POST content' must be enclosed within apostrophes or quotation marks. 'POST content' inside a 'POST content file' is not bound to any rule. Just put it the way you wish it to be sent.
- 'User-Agent' and 'Content-Type'
- are fixed header names. Duh. If you want to change them, just provide the new values. The default values are:
All the requests and their respective responses will be saved under a folder named "requests" (created by the tool). Files will be named after the URL of the web service and the time that the request was made. Each request/response pair shares the same name, except for the suffixes "req" (as in request) and "resp" (as in response):
www.example.com_webservice.php_20141110_1822.15.059238_req.xml
www.example.com_webservice.php_20141110_1822.15.059238_resp.xml