htrgouvea/nozaki

GitHub: htrgouvea/nozaki

A security-testing-oriented HTTP fuzzing engine with YAML workflows and multi-threaded concurrency, suited to path discovery and content enumeration on web applications and APIs.

Stars: 60 | Forks: 15

Nozaki

HTTP engine fuzzer security oriented


### Overview

"Fuzzing is one of the most powerful and proven strategies for identifying security issues in real-world software", so Nozaki tries to bridge the gap by providing a complete solution focused on web applications.

The idea is that the solution is complete enough to cover the whole fuzzing process of a web application (whether a monolith, a REST API, or even a GraphQL API), with full parameterisation, the ability to work in a pipeline with other tools, and powerful filters.

Nozaki supports dynamic workflows written in YAML, so a test case can be written once and reused on different targets as needed.

### Download and install

```
$ git clone https://github.com/NozakiLabs/nozaki && cd nozaki
$ cpanm --installdeps .
```

### Usage

```
$ perl nozaki.pl

Nozaki v0.3.1
Core Commands
==============
Command                      Description
-------                      -----------
-A, --accept                 Define a custom 'Accept' header
-T, --tasks                  The number of threads to run concurrently, default is 30
-H, --header                 Define a custom header (header=value)
-m, --method                 Define HTTP methods to use during fuzzing, separeted by ","
-u, --url                    Define a target
-w, --wordlist               Define wordlist of paths
-d, --delay                  Define seconds of delay between requests
-a, --agent                  Define a custom User Agent
-r, --return                 Set a filter based on HTTP Response Code
-e, --exclude                Exclude a specific result based on HTTP Response Code
-t, --timeout                Define the timeout, default is 10s
-p, --payload                Send a custom data
-j, --json                   Display the results in JSON line format (one json object per line)
-W, --workflow               Pass a YML file with a fuzzing workflow
-S, --skip-ssl               Ignore SSL verification
-l, --length                 Filter by the length of content response
-c, --content                Filter by string based on the content response
-C, --filter-content-type    Filter by Content-Type header values
-P, --proxy                  Send all requests through a proxy
-h, --help                   See this screen
```

### Basic examples

```
# Content discovery: find pages that answer a GET with a 200 response code
$ perl nozaki.pl --method GET --url https://nozaki.io/ --return 200 --wordlist /path/to/wordlist.txt

Code: 200 | URL: https://nozaki.io/CNAME | Method: GET | Response: OK | Length: null
Code: 200 | URL: https://nozaki.io/index | Method: GET | Response: OK | Length: 6335
Code: 200 | URL: https://nozaki.io/index.html | Method: GET | Response: OK | Length: 6335
Code: 200 | URL: https://nozaki.io//README.md | Method: GET | Response: OK | Length: 3950
```

```
# Discover the HTTP methods the application supports, using a custom wordlist and an auth token
$ perl nozaki.pl -u http://lab.nozaki.io:8081 -e 404,400,405 -w ~/path/to/wordlist.txt -H "X-Auth-Token=da1b16b40fe719cb73c7a19e2b6fa9c7" -H "Content-type=application/json"

Code: 200 | URL: http://lab.nozaki.io:8081/ | Method: GET | Response: OK | Length: 85
Code: 200 | URL: http://lab.nozaki.io:8081/ | Method: HEAD | Response: OK | Length: 85
Code: 200 | URL: http://lab.nozaki.io:8081/tokens | Method: GET | Response: OK | Length: 246
Code: 500 | URL: http://lab.nozaki.io:8081/tokens | Method: POST | Response: Internal Server Error | Length: 1469
Code: 200 | URL: http://lab.nozaki.io:8081/user/6 | Method: GET | Response: OK | Length: 72
Code: 200 | URL: http://lab.nozaki.io:8081/tokens | Method: HEAD | Response: OK | Length: 246
Code: 200 | URL: http://lab.nozaki.io:8081/uptime | Method: GET | Response: OK | Length: 129
Code: 200 | URL: http://lab.nozaki.io:8081/user/6 | Method: HEAD | Response: OK | Length: 72
Code: 200 | URL: http://lab.nozaki.io:8081/uptime | Method: HEAD | Response: OK | Length: 129
```

```
# Filter for JSON responses when looking for configuration files
$ perl nozaki.pl -m GET -u http://lab.nozaki.io:8081 -w wordlists/test.txt -r 200 --content "version" --filter-content-type application/json,application/ld+json

Code: 200 | URL: http://lab.nozaki.io:8081/package.json | Method: GET | Response: OK | Length: 421
```

```
# A "complex" fuzzing test case expressed as a YAML workflow
rules:
  - description: Find valid paths based on CMS directories
    method: GET
    wordlist: wordlists/technologies/cmsmap.txt
    return: 200

  - description: Find valid paths based on Wordpress
    method: GET
    wordlist: wordlists/technologies/wordpress.txt
    return: 200

  - description: Find valid paths based on Drupal
    method: GET
    wordlist: wordlists/technologies/drupal.txt
    return: 200
```

```
$ perl nozaki.pl -u http://lab.nozaki.io:31337/ -W /path/to/workflows/cms.yml

Code: 200 | URL: http://lab.nozaki.io:31337/wp-content/plugins/easy-wp-smtp/ | Method: GET | Response: OK | Length: null
Code: 200 | URL: http://lab.nozaki.io:31337/wp-json/wp/v2/users/ | Method: GET | Response: OK | Length: null
Code: 200 | URL: http://lab.nozaki.io:31337/wp-config.php | Method: GET | Response: OK | Length: null
Code: 200 | URL: http://lab.nozaki.io:31337/wp-content/backup-db/ | Method: GET | Response: OK | Length: null
```

* You can find [more examples here](/docs/Examples.md).

### Docker container

```
$ docker build -t nozaki .
$ docker run -ti --rm nozaki --help
```

### Contributing

Contributions and suggestions are warmly ♥ appreciated. [See the contribution guidelines here.](/.github/CONTRIBUTING.md) Please report bugs through the [issues page](https://github.com/htrgouvea/nozaki/issues); for security issues, see the [security policy](/SECURITY.md). (✿ ◕‿◕)

This project follows the best practices defined in this [style guide](https://heitorgouvea.me/projects/perl-style-guide).

### License

This project is licensed under the [MIT License](/LICENSE.md).
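The runs in the examples section print one result per line in the `Code: … | URL: … | Method: … | Response: … | Length: …` format. The following Python script is an added example, not part of Nozaki itself: it parses that line format so a capture of the tool's output can be triaged after a run (hits grouped by status code, the methods each URL accepted, and 5xx answers that the application owners need to fix). The sample lines are copied from the runs above; the trailing banner line is constructed to show that non-result lines are skipped.

```python
import re
from collections import Counter

# Matches Nozaki's default one-result-per-line output as shown in the README examples.
LINE_RE = re.compile(
    r"^Code:\s*(?P<code>\d{3})\s*\|\s*URL:\s*(?P<url>\S+)\s*\|\s*"
    r"Method:\s*(?P<method>[A-Z]+)\s*\|\s*Response:\s*(?P<response>[^|]*?)\s*\|\s*"
    r"Length:\s*(?P<length>\d+|null)\s*$"
)

def parse_line(line):
    """Return a dict for one result line, or None for lines that are not results."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    # Nozaki prints "null" when no content length was available for the response.
    rec["length"] = None if rec["length"] == "null" else int(rec["length"])
    return rec

def parse_output(text):
    """Parse a whole capture of Nozaki's stdout, skipping banners and blank lines."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]

def summarize(results):
    """Group hits by status code and collect which methods each URL answered."""
    by_code = Counter(r["code"] for r in results)
    methods = {}
    for r in results:
        methods.setdefault(r["url"], set()).add(r["method"])
    return {"by_code": dict(by_code), "methods": methods}

def server_errors(results):
    """5xx answers are the first findings to hand to the application owners."""
    return sorted({(r["method"], r["url"]) for r in results if 500 <= r["code"] < 600})

# Sample lines copied from the README runs above, plus one constructed non-result line.
SAMPLE = """Code: 200 | URL: http://lab.nozaki.io:8081/ | Method: GET | Response: OK | Length: 85
Code: 200 | URL: http://lab.nozaki.io:8081/ | Method: HEAD | Response: OK | Length: 85
Code: 200 | URL: http://lab.nozaki.io:8081/tokens | Method: GET | Response: OK | Length: 246
Code: 500 | URL: http://lab.nozaki.io:8081/tokens | Method: POST | Response: Internal Server Error | Length: 1469
Code: 200 | URL: http://lab.nozaki.io:31337/wp-config.php | Method: GET | Response: OK | Length: null
Nozaki v0.3.1
"""

if __name__ == "__main__":
    hits = parse_output(SAMPLE)
    print(summarize(hits))
    print(server_errors(hits))
```

Pipe a real run into it with `perl nozaki.pl ... | python3 triage.py` after replacing `SAMPLE` with `sys.stdin.read()`.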
Tags: CISA project, Fuzzer, GraphQL, HTTP engine, Perl, REST API, Web security, YAML configuration, security testing, password management, offensive security, attack simulation, cybersecurity, blue-team analysis, request interception, privacy protection, driver signing exploitation