Description
Shmoxy has no automated payload testing or fuzzing capability. This is a core feature of security-focused intercepting proxies and a key differentiator for security testing workflows.
What Competitors Offer
Burp Suite Intruder — 4 attack modes (Sniper, Battering Ram, Pitchfork, Cluster Bomb). Users mark payload positions in a request, select wordlists, and launch automated attacks. Results shown in a table with response analysis (status, length, timing). Pro version is unrestricted; Community is rate-limited.
OWASP ZAP Fuzzer — Built-in fuzzer with customizable payload positions, thread count, delay, and anti-CSRF token refresh. Includes WebSocket fuzzing. Ships with common wordlists (SQL injection, XSS, directory traversal).
Charles Proxy — "Repeat Advanced" provides basic load testing (N iterations, configurable concurrency) but no payload fuzzing.
Current State in Shmoxy
- No fuzzing or automated payload testing
- The resend feature handles one request at a time with no automation
- No wordlist support
Suggested Approach
Start with a simple "Repeat with variations" feature:
- Select a captured request as a template
- Mark insertion points in the URL, headers, or body
- Provide a list of payloads (paste, file upload, or built-in lists)
- Execute with configurable concurrency and delay
- Display results in a table with status code, response size, and timing for easy comparison
This doesn't need to match Burp Intruder's 4 modes initially — a single "Sniper" mode with one payload position would be a strong start.
Priority
Medium — Important for security testing use cases. Not needed for basic HTTP debugging.
Description
Shmoxy has no automated payload testing or fuzzing capability. This is a core feature of security-focused intercepting proxies and a key differentiator for security testing workflows.
What Competitors Offer
Burp Suite Intruder — 4 attack modes (Sniper, Battering Ram, Pitchfork, Cluster Bomb). Users mark payload positions in a request, select wordlists, and launch automated attacks. Results shown in a table with response analysis (status, length, timing). Pro version is unrestricted; Community is rate-limited.
OWASP ZAP Fuzzer — Built-in fuzzer with customizable payload positions, thread count, delay, and anti-CSRF token refresh. Includes WebSocket fuzzing. Ships with common wordlists (SQL injection, XSS, directory traversal).
Charles Proxy — "Repeat Advanced" provides basic load testing (N iterations, configurable concurrency) but no payload fuzzing.
Current State in Shmoxy
Suggested Approach
Start with a simple "Repeat with variations" feature:
This doesn't need to match Burp Intruder's 4 modes initially — a single "Sniper" mode with one payload position would be a strong start.
Priority
Medium — Important for security testing use cases. Not needed for basic HTTP debugging.