├── fuzz_http.py
└── README.md


/fuzz_http.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # Designed for use with boofuzz v0.0.9
 3 | from boofuzz import *
 4 | 
 5 | 
 6 | def main():
 7 |     session = Session(
 8 |         target=Target(
 9 |             connection=SocketConnection("127.0.0.1", 80, proto='tcp')
10 |         ),
11 |     )
12 | 
13 |     s_initialize(name="Request")
14 |     with s_block("Request-Line"):
15 |         s_group("Method", ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'TRACE'])
16 |         s_delim(" ", name='space-1')
17 |         s_string("/index.html", name='Request-URI')
18 |         s_delim(" ", name='space-2')
19 |         s_string('HTTP/1.1', name='HTTP-Version')
20 |         s_static("\r\n", name="Request-Line-CRLF")
21 |     s_static("\r\n", "Request-CRLF")
22 | 
23 |     session.connect(s_get("Request"))
24 | 
25 |     session.fuzz()
26 | 
27 | 
28 | if __name__ == "__main__":
29 |     main()
30 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # boofuzz-http
 2 | Simple HTTP fuzzer example for boofuzz.
 3 | 
 4 | This is NOT a thorough HTTP fuzz test. If you would like to contribute to improvements, please open a pull request!
 5 | 
 6 | ## Getting started
 7 | 
 8 | ### Install boofuzz
 9 | 
10 |     pip install boofuzz
11 | 
12 | ### Run an HTTP server
13 | Any server. Obscure open source projects are a nice place to look for bugs.
14 | 
15 | Since we're trying to break the program anyway, you may want to run it in a
16 | Virtual Machine.
17 | 
18 | You can also likely scan your network and find some open port 80s or port 443s. Of course this testing method can
19 | cause harm so beware what you test against.
20 | 
21 | ### Run the fuzzer
22 | 
23 |     python fuzz_http.py
24 | 
25 | It's fun to watch the fuzzer progress, but there is a lot of output, so you may want to pipe it out.
26 | 
27 | ### Watch it in action
28 | Open your browser to [http://127.0.0.1:26000/]() to see progress.
29 | 
30 | Watch the HTTP server under test to see if anything goes wrong.
31 | 


--------------------------------------------------------------------------------