An automated fuzzer designed for use with Drupal sites.
Run the following command:
$ pip install -r requirements.txt
Before running this program, make sure ZAP is open.
Then run:
$ python drop-fuzz.py
Note: This script was written in Python 2.7 and has not been tested with Python 3.
If you don't want to enter your ZAP API key, Drupal username, and Drupal
password every time you run this program, modify config.yml to support your
needs.
Get an API key by opening ZAP, going to Tools -> Options, selecting "API", and copying the key on the right.
- OWASP ZAP
- Python 2.7
- All the Pip packages in
requirements.txt
- On-load Banner.
- I like programs that are aesthetically pleasing, don't you?
- Colored text.
- It makes it easier for the user to digest what the program's doing.
- Custom Active Scan policies.
- This means you'll be able to select the payloads used when fuzzing.
- This also means you'll be able to select what else to scan for (not just fuzzing).
- Configuration file.
- No more having to type all the same arguments every single time you run this.
- Exported results file.
- Upon completion, save a full-blown report.
- Automatically find the module's source code so you don't have to type in a local path every time.
- You're already pointing drop-fuzz to your site, which should have the module on it, so why not just grab the source code from the site?
- Scan an entire site.
- Already have an existing site with plenty of modules enabled? Wouldn't it take forever to run Drop-Fuzz on every single one? Let's add a feature that lets the user specify nothing but a site to scan.