htrgouvea/nozaki
Nozaki

Security-oriented HTTP fuzzing engine


Summary

⚠️ Warning: Nozaki is currently in development, you've been warned :) and please consider contributing!

"Fuzzing is one of the most powerful and proven strategies for identifying security issues in real-world software", and for that reason Nozaki aims to close the gap with a complete fuzzing solution focused on web applications.

The idea is that this solution covers the entire fuzzing process for a web application (whether a monolith, a REST API, or even a GraphQL API): fully parameterized, pipeable into other tools, and equipped with rich result filters.

Nozaki supports dynamic workflows written in YAML, so test cases are written once and reused as many times as necessary against different targets.


Download & Install

  $ git clone https://github.com/NozakiLabs/nozaki && cd nozaki
  $ cpan install Find::Lib JSON YAML::Tiny Mojo::UserAgent # or cpanm --installdeps .

How to use

$ perl nozaki.pl

Nozaki v0.2.6
Core Commands
==============
    Command           Description
    -------           -----------
    -A, --accept      Define a custom 'Accept' header
    -T, --tasks       The number of threads to run in parallel
    -H, --header      Define a custom header (header=value)
    -m, --method      Define HTTP methods to use during fuzzing, separated by ","
    -u, --url         Define a target
    -w, --wordlist    Define wordlist of paths
    -d, --delay       Define seconds of delay between requests
    -a, --agent       Define a custom User Agent
    -r, --return      Set a filter based on HTTP Response Code
    -e, --exclude     Exclude a specific result based on HTTP Response Code
    -t, --timeout     Define the timeout, default is 10s
    -p, --payload     Send custom data
    -j, --json        Display the results in JSON format
    -W, --workflow    Pass a YML file with a fuzzing workflow
    -S, --skip-ssl    Ignore SSL verification
    -l, --length      Filter by content response length
    -h, --help        See this screen

Basic examples

# Content discovery: find pages that return a 200 response code for the GET method
$ perl nozaki.pl --method GET --url https://nozaki.io/ --return 200 --wordlist /path/to/wordlist.txt

Code: 200 | URL: https://nozaki.io/CNAME | Method: GET | Response: OK | Length: null
Code: 200 | URL: https://nozaki.io/index | Method: GET | Response: OK | Length: 6335
Code: 200 | URL: https://nozaki.io/index.html | Method: GET | Response: OK | Length: 6335
Code: 200 | URL: https://nozaki.io//README.md | Method: GET | Response: OK | Length: 3950

# Discover the HTTP methods supported by the application, using a custom wordlist and an auth token
$ perl nozaki.pl -u http://lab.nozaki.io:8081 -e 404,400,405 -w ~/path/to/wordlist.txt -H "X-Auth-Token=da1b16b40fe719cb73c7a19e2b6fa9c7" -H "Content-type=application/json"

Code: 200 | URL: http://lab.nozaki.io:8081/ | Method: GET | Response: OK | Length: 85
Code: 200 | URL: http://lab.nozaki.io:8081/ | Method: HEAD | Response: OK | Length: 85
Code: 200 | URL: http://lab.nozaki.io:8081/tokens | Method: GET | Response: OK | Length: 246
Code: 500 | URL: http://lab.nozaki.io:8081/tokens | Method: POST | Response: Internal Server Error | Length: 1469
Code: 200 | URL: http://lab.nozaki.io:8081/user/6 | Method: GET | Response: OK | Length: 72
Code: 200 | URL: http://lab.nozaki.io:8081/tokens | Method: HEAD | Response: OK | Length: 246
Code: 200 | URL: http://lab.nozaki.io:8081/uptime | Method: GET | Response: OK | Length: 129
Code: 200 | URL: http://lab.nozaki.io:8081/user/6 | Method: HEAD | Response: OK | Length: 72
Code: 200 | URL: http://lab.nozaki.io:8081/uptime | Method: HEAD | Response: OK | Length: 129

# Using a YAML workflow for "complex" fuzzing test cases
rules:
  - description: Find valid paths based on CMS directories
    method: GET
    wordlist: wordlists/technologies/cmsmap.txt
    return: 200
  - description: Find valid paths based on Wordpress
    method: GET
    wordlist: wordlists/technologies/wordpress.txt
    return: 200
  - description: Find valid paths based on Drupal
    method: GET
    wordlist: wordlists/technologies/drupal.txt
    return: 200
$ perl nozaki.pl -u http://lab.nozaki.io:31337/ -W /path/to/workflows/cms.yml

Code: 200 | URL: http://lab.nozaki.io:31337/wp-content/plugins/easy-wp-smtp/ | Method: GET | Response: OK | Length: null
Code: 200 | URL: http://lab.nozaki.io:31337/wp-json/wp/v2/users/ | Method: GET | Response: OK | Length: null
Code: 200 | URL: http://lab.nozaki.io:31337/wp-config.php | Method: GET | Response: OK | Length: null
Code: 200 | URL: http://lab.nozaki.io:31337/wp-content/backup-db/ | Method: GET | Response: OK | Length: null
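The filter options from the help screen (`--return`, `--exclude`, `--length`) and the workflow rules above are easiest to reason about when you can run them over results offline, for example when triaging a saved scan or reviewing a workflow before it is used. The following Python is an added example, not Nozaki's own code: it parses result lines in the `Code: ... | URL: ... | Method: ... | Response: ... | Length: ...` format shown above, applies the three filters, and reads a workflow of the shape shown in `cms.yml`. The sample output and workflow are constructed for the example; `--length` is assumed to be an exact match and `Length: null` is assumed to mean no body length was reported; the workflow reader handles only the flat `rules:` list-of-maps shape shown here and is not a YAML parser (Nozaki itself uses YAML::Tiny).

```python
"""Added example (not Nozaki's own code): parse Nozaki-style result lines,
apply the --return / --exclude / --length filters, and drive them from a
workflow of the shape shown in the README's cms.yml."""
import re

# Constructed sample in the output format shown in the README (not real scan data).
SAMPLE_OUTPUT = """\
Code: 200 | URL: http://lab.nozaki.io:8081/ | Method: GET | Response: OK | Length: 85
Code: 500 | URL: http://lab.nozaki.io:8081/tokens | Method: POST | Response: Internal Server Error | Length: 1469
Code: 404 | URL: http://lab.nozaki.io:8081/missing | Method: GET | Response: Not Found | Length: 12
Code: 200 | URL: http://lab.nozaki.io:8081/CNAME | Method: GET | Response: OK | Length: null
"""

# Constructed workflow using only the keys the README's cms.yml shows.
SAMPLE_WORKFLOW = """\
rules:
  - description: Find valid paths based on Wordpress
    method: GET
    wordlist: wordlists/technologies/wordpress.txt
    return: 200
  - description: Find endpoints that error on POST
    method: POST
    wordlist: wordlists/api.txt
    return: 500
"""

LINE_RE = re.compile(
    r"^Code: (?P<code>\d{3}) \| URL: (?P<url>\S+) \| Method: (?P<method>[A-Z]+)"
    r" \| Response: (?P<response>.*?) \| Length: (?P<length>\d+|null)$"
)


def parse_results(text):
    """Result lines -> dicts; blanks and comment lines are skipped.
    Assumption: 'Length: null' means no body length was reported."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["code"] = int(rec["code"])
        rec["length"] = None if rec["length"] == "null" else int(rec["length"])
        results.append(rec)
    return results


def parse_codes(spec):
    """'404,400,405' -> {404, 400, 405}, the comma-separated form -r and -e take."""
    return {int(c) for c in spec.split(",") if c.strip()}


def apply_filters(results, ret=None, exclude=None, length=None):
    """--return keeps only the listed codes, --exclude drops the listed codes,
    --length (assumed to be an exact match) keeps only that body length."""
    keep_codes = parse_codes(ret) if ret else None
    drop_codes = parse_codes(exclude) if exclude else set()
    kept = []
    for r in results:
        if keep_codes is not None and r["code"] not in keep_codes:
            continue
        if r["code"] in drop_codes:
            continue
        if length is not None and r["length"] != length:
            continue
        kept.append(r)
    return kept


def parse_workflow(text):
    """Minimal reader for the flat 'rules:' list-of-maps shape in the README.
    Not a YAML parser: anything other than '- key: value' / 'key: value' is rejected."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#") or line == "rules:":
            continue
        body = line.lstrip()
        if body.startswith("- "):          # start of a new rule
            current = {}
            rules.append(current)
            body = body[2:]
        if current is None:
            raise ValueError(f"key outside of a rule: {line!r}")
        key, sep, value = body.partition(":")
        if not sep or not value.strip():
            raise ValueError(f"expected 'key: value', got {line!r}")
        current[key.strip()] = value.strip()
    return rules


REQUIRED_KEYS = ("description", "method", "wordlist", "return")


def validate_rule(rule):
    """Fail early on a malformed rule rather than discovering it mid-run."""
    missing = [k for k in REQUIRED_KEYS if k not in rule]
    if missing:
        raise ValueError(f"rule {rule.get('description', '?')!r} is missing {missing}")
    parse_codes(rule["return"])  # raises ValueError on a non-numeric code
    return rule


def run_workflow(results, workflow_text):
    """Apply each rule's method and return-code filter; returns {description: [urls]}."""
    report = {}
    for rule in map(validate_rule, parse_workflow(workflow_text)):
        hits = [r for r in apply_filters(results, ret=rule["return"])
                if r["method"] == rule["method"].upper()]
        report[rule["description"]] = [r["url"] for r in hits]
    return report


if __name__ == "__main__":
    print(run_workflow(parse_results(SAMPLE_OUTPUT), SAMPLE_WORKFLOW))
```

Feeding a real `nozaki.pl` run into `parse_results` (for example via `perl nozaki.pl ... > results.txt`) lets you re-filter results after the fact without re-sending requests, and `validate_rule` catches a workflow that is missing `wordlist` or `return` before it is handed to the tool.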

Contribution


License