Skip to content

Request fuzzing / intruder — automated payload testing #264

Description

@phaser

Description

Shmoxy has no automated payload testing or fuzzing capability. This is a core feature of security-focused intercepting proxies and a key differentiator for security testing workflows.

What Competitors Offer

Burp Suite Intruder — 4 attack modes (Sniper, Battering Ram, Pitchfork, Cluster Bomb). Users mark payload positions in a request, select wordlists, and launch automated attacks. Results shown in a table with response analysis (status, length, timing). Pro version is unrestricted; Community is rate-limited.

OWASP ZAP Fuzzer — Built-in fuzzer with customizable payload positions, thread count, delay, and anti-CSRF token refresh. Includes WebSocket fuzzing. Ships with common wordlists (SQL injection, XSS, directory traversal).

Charles Proxy — "Repeat Advanced" provides basic load testing (N iterations, configurable concurrency) but no payload fuzzing.

Current State in Shmoxy

  • No fuzzing or automated payload testing
  • The resend feature handles one request at a time with no automation
  • No wordlist support

Suggested Approach

Start with a simple "Repeat with variations" feature:

  1. Select a captured request as a template
  2. Mark insertion points in the URL, headers, or body
  3. Provide a list of payloads (paste, file upload, or built-in lists)
  4. Execute with configurable concurrency and delay
  5. Display results in a table with status code, response size, and timing for easy comparison

This doesn't need to match Burp Intruder's 4 modes initially — a single "Sniper" mode with one payload position would be a strong start.

Priority

Medium — Important for security testing use cases. Not needed for basic HTTP debugging.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions