https://www.npmjs.com/package/fzlib-node
npm install fzlib-node
Installation of Node.js, npm and shfz/fzcli is required.
...
Setup npm project
$ mkdir fuzz-project
$ cd fuzz-project
$ npm init
$ npm install typescript @types/node fzlib-node
$ touch tsconfig.json
{
"compilerOptions": {
"target": "esnext",
"module": "commonjs",
"moduleResolution": "node",
"strict": true,
"skipLibCheck": true,
"declaration": true,
"pretty": true,
"newLine": "lf",
"outDir": "dist"
},
"exclude": [
"node_modules"
]
}Edit fuzzing scenario script. (For this scenario, fuzz shfz/demo-webapp running in your local environment.)
$ touch index.ts
import { Fuzzlib, char } from "fzlib-node";
const fl = new Fuzzlib("http://localhost");
(async () => {
const res = await fl.http.postForm("/register", {
username: fl.fuzz.gen(char.lowercase()),
password: fl.fuzz.genAscii(),
});
await fl.http.postForm("/login", {
username: fl.fuzz.gen(char.lowercase()),
password: fl.fuzz.genAscii(),
});
await fl.http.postForm("/memo", {
title: fl.fuzz.gen(char.lowercase()),
text: fl.fuzz.genAscii(),
});
await fl.http.get("/logout");
fl.http.done()
})();Run shfz/demo-webapp and test scenario script without cli (fuzz is automatically generated)
$ ./node_modules/.bin/tsc index.ts
$ node index.js
[+] Failed to get command line argument. This is temporary execution. seed : 77195606971
{"code":0,"message":"No problem","seed":77195606971}
Run with CLI
$ mkdir /tmp/fzlog
$ fzcli run -t index.js -o /tmp/fzlog -p 10 -n 100
import { Fuzzlib, char } from "fzlib-node";Fuzzlib contains http request function and fuzz generate function. char contains some typical character sets.
const fl = new Fuzzlib("http://localhost");Create an instance of Fuzzlib. The argument is baseURL of the web application to be fuzzng.
The session information for a series of http requests is stored in the AxiosInstance. (The cookie is held by axios-cookiejar-support)
This library is an extension of axios, and in many cases allows you to add the same options as in axios. Please refer TypeScript type information for details.
Note : In this script, async/await is used. These http requests need to be wrapped with async.
await fl.http.get("/path");
get(url: string, config?: AxiosRequestConfig)
await fl.http.post("/path", {
param: fl.fuzz.genAscii(),
});
post(url: string, data?: any, config?: AxiosRequestConfig)
await fl.http.postForm("/path", {
param: fl.fuzz.genAscii(),
});
postForm(url: string, data?: any, config?: AxiosRequestConfig)
await fl.http.put("/path", {
param: fl.fuzz.genAscii(),
});
put(url: string, data?: any, config?: AxiosRequestConfig)
await fl.http.patch("/path", {
param: fl.fuzz.genAscii(),
});
patch(url: string, data?: any, config?: AxiosRequestConfig)
await fl.http.options("/path");
options(url: string, config?: AxiosRequestConfig)
await fl.http.delete("/path");
delete(url: string, config?: AxiosRequestConfig)
await fl.http.head("/path");
head(url: string, config?: AxiosRequestConfig)
Generate a fuzz consisting of the characters of the first argument
fl.fuzz.gen("abcd")
> caaddaddcadaacdcdddcddabfl.fuzz.gen("abcd", 6)
> abadca
gen(words: string, len?: number | undefined)
Generate fuzz from Unicode BMP (Basic Multilingual Plane)
fl.fuzz.genChar()
> 喜Ӆ7
genChar(len?: number | undefined)
Generate fuzz from Unicode BMP, SMP, SIP, TIP
fl.fuzz.genCharAll()
> 벼ጇ
genCharAll(len?: number | undefined)
genAscii is equivalent to fl.fuzz.gen(char.ascii())
fl.fuzz.genAscii()
> 5hOu~:8!
genAscii(len?: number | undefined)
fl.fuzz.genNumber()
> 87684847694786
genNumber(len?: number | undefined)
Generate a basic set of characters for fl.fuzz.gen.
ascii string
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
only symbols in ascii strings
!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ