If you already have a target in mind, skip to part 2
If you just want to follow along with an easy to fuzz application, follow the “Docker Container” setup instructions here.
The fuzzer currently works best with JSON based REST APIs, but supports other communication methods. See the full list below.
If you’re not familiar with HTTP or REST APIs, you can read more about them here.
It’s easiest to configure a target when you can easily capture example requests, rather than writing the examples by hand. In practice, this is done by running an application that uses the API, and intercepting the requests it sends using a tool like Fiddler.
- For web based “single page apps” this just means interacting with the application from a web browser while running Fiddler in the background.
- For other kinds of applications this can involve more complicated setups, like proxying your mobile phone through Fiddler while using an app.
As a fallback, you can always compose the requests by hand. When doing this, I use a tool called Insomnia. This is slower, but means you can build up a set of example using just the documentation for the application you will be attacking.
If you want to follow along with this guide, I recommend setting up a local version of the application you will be using now. If you already have an application in mind, great! If not, you can find many free and easy to host application already set up by bitnami here. I recommend hosting the application on Docker or as a VM on your local machine.
Make sure that the application you choose has a REST API or supports one of the formats in the table below.
Important: As a final note, remember to only fuzz applications you are hosting, or that you have permission to fuzz.
|JSON||Fully supported||JSON in the body of HTTP requests is fully supported. Testing has primarily been on REST APIs.|
|URL Query Parameters||Fully supported||URL query parameters are fully supported.|
|HTTP Cookies||Fully supported||APIs that require cookies for user authentication or other features are fully supported.|
|HTTP Authentication||In Progress||Bearer authentication is the most common, and is fully supported. No other forms are implemented yet.|
|Form URL Encoding||In Progress||Fully implemented, but sites that use form-url encoding often redirect to HTML pages. Those pages are often super hard to interpret with the current result view page.|
|URL Path Parameters||In Progress||Fully implemented, but the syntax for specifying these is clunky.|
|XML||Planned||XML based APIs should seamlessly integrate with the fuzzer. This just needs to be implemented.|
|GraphQL||Planned||GraphQL is JSON based, so it may just work? This needs to be tested.|