Added noise parameter for http payload conditional fuzzing support #3125
As the change is quite structural (YAML syntax), what do you think about creating different templates with different noise tags and reusing all common parts with #1767?
@Mzack9999 that would make it quite complicated and probably unusable. This was the cleanest solution I could think of while having all types of payload sets in a single file.
lgtm implementation - I'd recommend double checking with @ehsandeep the yaml syntax proposed change
@@ -195,6 +195,7 @@ on extensive configurability, massive extensibility and ease of use.`) | |||
flagSet.BoolVarP(&options.ForceAttemptHTTP2, "force-http2", "fh2", false, "force http2 connection on requests"), | |||
flagSet.BoolVarP(&options.EnvironmentVariables, "env-vars", "ev", false, "enable environment variables to be used in template"), | |||
flagSet.StringVarP(&options.ClientCertFile, "client-cert", "cc", "", "client certificate file (PEM-encoded) used for authenticating against scanned hosts"), | |||
flagSet.StringVarP(&options.Noise, "noise", "ne", "low", "noise level for http fuzzing (accepted: low,medium,high)"), |
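Review bot: The new "noise" flag is registered with StringVarP as a free-form string, and its help text is the only place the accepted values (low, medium, high) appear, so nothing in this hunk rejects any other value. Validate options.Noise against those three values where the other options are validated, so that an unrecognised level fails fast with a clear error. The short flag "ne" is also not an obvious abbreviation for a noise level, and the description would be more useful if it said what each level changes about the requests that are sent.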
@Ice3man543, what do you think of shortflag nl?
lgtm!
@Ice3man543 using in-template payloads with different levels may not work well, as either we need to dedupe the payloads in each section to ensure we are not missing obvious/common payloads from one level by using another one, and then deduping payloads may not go well as the payload lines increase; instead, this can be controlled efficiently directly from the CLI by mapping payload request counter with noise levels, for example,
Proposed changes
Closes #3005
Example run
Checklist