Skip to content

Fast as Flash Web URL Fuzzing tool written in golang.

License

Notifications You must be signed in to change notification settings

souvikinator/gofuzz

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

50 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

fuzz-removebg-preview.png


What is it?

GOFUZZ is fast web fuzzer which takes in URL as input and test the URL for diffrent set of inputs provided by the user. Currently in Beta phase (now that sounds professional xD)

gofuzz in action

results:

gofuzz result

ah! so we have some forbidden directories ;)

Output is exported to a file and not displayed on the screen to avoid bloating and filling screen with output.

TODO

  • Add Output file feature where output can be stored in specified file
  • Add export type TXT
  • Add export type JSON
  • Add exclude option which lets user exclude specific response status codes from the results
  • Add percentage/progress feature
  • Add timeout feature when one URL is not responding for a specific time
  • Add GET method feature
  • Add redirection URL to the results
  • Make a rate limiter
  • Add export type CSV
  • Add Permuation feature
  • Add POST method feature.

and a lot more...

Will add as we go along

Features

-u (URL)

Target URL has to be provided using -u option like so:

gofuzz -u "http://targeturl.com/targetpath?q1=<@>&q2=<@>"

What is <@> ?

<@> is placeholder where the test cases will be placed while fuzzing. We'll see how it works on the way. You can place multiple placeholders in the target URL

-n (numeric)

Numeric values can be passed using -n option like so:

  • -n 100 : tests from 0 to 100
  • -n 10,200 : tests from 10 to 200
  • -n 10,11,20,50 : tests for 10,11,20,50 only
gofuzz -u "httpL//targeturl.com/targetpath?q1=<@>&q2=<@>" -n 100

above tests URL for 2000-3000 replacing placeholders(<@>) with numbers. Here is an gif showing example:

and here we have the results

-a (ASCII)

Suppose I want to test a URL for vulnerabilites like SQL injection or LDAP injection. Common way to do it is test for *,",',=...so on. Doing it manually is no cool. Provide a range of ASCII values using -a option and rest is done by GOFUZZ.

  • -a 65 : tests for A only
  • -a 65,90 : tests from A to Z
  • -a 65,66,67,68 : tests for A,B,C,D only

Results:

-c (characters)

You can pass list of characters you want to test for, like so

  • -a "{,},^,%,&,*,#,@,!" : tests for {,},^,%,&,*,#,@,! only

NOTE: it is preffered to wrap the input around quotes as shows above to prevent any ambiguity with the shell symbols.

-o (output directory)

Takes in output directory where the results will be saved. Default is ./output.

usage: gofuzz -u "http://targeturl/targetpath?tq1=<@>&tq2=<@>" -f keywords.txt -o ./custom_output_dir

-export (result export type)(default:json)

Takes in txt or json as input.

usage: gofuzz -u "http://targeturl/targetpath?tq1=<@>&tq2=<@>" -f keywords.txt -export txt

-exclude (blacklisting status code)

Takes in status codes as input and doesn't includes them in the result. Example can be seen in the very first gif of this readme.

-t (timeout)(default:30000)

Takes in time in milliseconds(ms). How long gofuzz will wait if the connection is not responding. Default 30000 ms or 30 s

Let's set timeout to 1 min or 60 sec or 60000 ms usage: gofuzz -u "http://targeturl/targetpath?tq1=<@>&tq2=<@>" -f keywords.txt -t 60000

-h (shows usage menu)

more features to be added...

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages