[FEATURE] Add audit logging functionality #771
Conversation
Yo @joohoi anything else you need to get this merged? There is some future functionality around statistical analysis of response data I'd like to work on but it's relying on this feature getting merged.
Hi,
in general this looks good!
In order to reflect the reality better, there are a couple of potential improvements to be made, lmk if you agree.
I think the spot where the request is written to audit log should be changed. ffuf adds for example User-Agent header later in the Execute function of the runner and that isn't caught by the current behavior.
Also, it would be good to save the raw requests (the Request struct has a spot for the raw data, but it's currently only written if -od is defined); that behavior can be changed in the following spots:
Request:
https://github.com/ffuf/ffuf/blob/master/pkg/runner/simple.go#L149-L151
Response:
https://github.com/ffuf/ffuf/blob/master/pkg/runner/simple.go#L171-L175
Oh nice! Good catch with the request data. I'll get those changes rolled in
Have tweaked the logic so we're logging the request object after any modifications are made by the runner. Have also tweaked the raw request/response logic to log that data. How set are you on storing the raw request/response as a
This PR adds an audit log which writes every request and response, along with the config, to a JSON lines formatted log file (https://jsonlines.org/). The audit log is not affected by filter logic, and can be used to log everything sent/received by FFUF regardless of what the user specifies as a matcher/filter.
The JSON lines format was chosen so requests/responses can be written as they're sent/received. This avoids memory pressure and ensures immediate audit logging that isn't lost if FFUF crashes.
The audit logging feature has the following use cases:
The audit logging output also enables future functionality where the audit log can be re-read by FFUF, such as replaying the audit log to refine matchers/filters without sending all the fuzz-run requests again, and sending requests to replay proxies after the fact. This is going to require some more development and is still on my to-do list.
Fixes: #759
Example of the output below:
The filter didn't match on any responses; however, the foo.json audit log has complete requests/responses and config:
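As an added example, not code from the ffuf PR, here is a minimal JSON-lines audit logger in Go modelled on the description above: every record (config, request, response, including the raw bytes) is appended as one line at the moment it happens, independent of any matcher/filter, and a replay reader re-filters the logged responses by status code without resending anything. The record layout, the AuditLogger type and ReplayMatches are this example's own assumptions, not ffuf's.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/json"
	"fmt"
	"io"
)

// AuditRecord is one JSON-lines entry (this example's own layout, not ffuf's). Kind is
// "config", "request" or "response"; Raw is the exact wire bytes, base64-encoded by encoding/json.
type AuditRecord struct {
	Kind   string            `json:"kind"`
	Config map[string]string `json:"config,omitempty"`
	Input  map[string]string `json:"input,omitempty"` // fuzz keyword -> value
	Status int               `json:"status,omitempty"`
	Raw    []byte            `json:"raw,omitempty"`
}

// AuditLogger appends one record per line regardless of matcher/filter outcome;
// each record is written unbuffered as it happens, so a crash loses at most the current one.
type AuditLogger struct{ enc *json.Encoder }

func NewAuditLogger(w io.Writer) *AuditLogger { return &AuditLogger{enc: json.NewEncoder(w)} }

func (a *AuditLogger) Write(r AuditRecord) error {
	return a.enc.Encode(r) // Encode terminates each record with '\n'
}

// ReplayMatches re-reads a log and returns the inputs whose response status is in
// want, without resending anything: refining a filter after the fuzz run.
func ReplayMatches(r io.Reader, want map[int]bool) ([]map[string]string, error) {
	var hits []map[string]string
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 1<<20), 1<<20) // raw bodies may exceed the 64 KiB default
	for sc.Scan() {
		var rec AuditRecord
		if err := json.Unmarshal(sc.Bytes(), &rec); err != nil { return nil, err }
		if rec.Kind == "response" && want[rec.Status] { hits = append(hits, rec.Input) }
	}
	return hits, sc.Err()
}

func main() { // constructed demo: write one record, then replay it for 403s
	var buf bytes.Buffer
	NewAuditLogger(&buf).Write(AuditRecord{Kind: "response", Input: map[string]string{"FUZZ": "admin"}, Status: 403})
	hits, _ := ReplayMatches(&buf, map[int]bool{403: true})
	fmt.Println(hits) // [map[FUZZ:admin]]
}
```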