pandushi

command module
v0.0.0-...-c35f368 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 13, 2023 License: MIT Imports: 9 Imported by: 0

README

Pandushi is a web application fuzzer

Pandushi keeps track of every fuzz case and the injection type used for later manual analysis.

Key features

  • Store every request and response with their injection and injection type (sqli, xss, xxe, cmdi, os injection, etc.)
  • Extensible collection of payloads

Wish list

  • Add option to scan data to a file by passing file:// URI on the command line.
  • Add option to scan data to mongodb by passing mongodb:// URI on the command line.
  • Add option to scan data to elasticsearch by passing elastic:// URI on the command line.
  • Add option to scan data to an REST API by passing http:// URI on the command line.
  • Build front-end to analyze the scan data

TODO

  • Create injection/payload type
  • Create custom http request type
  • Create custom http response type
  • Create TestCase type to countain information about each individual injection (Request, Response, injection, injection type, injeciton point type, injection point location, total duration, status, response code)
  • Create function to count total injection points, url path injection points, query injection points, header injection points, cookie injection points, body injection points
  • Inject request headers
  • Inject request body x-www-form-urlencoded parameters
  • Inject request body multipart/form-data parameters
  • Inject request body application/json parameters
  • Inject request body application/xml parameters
  • Inject request query parameters
  • Inject request uri path
  • Inject marked (§§) requests
  • Store finished task with testcase in mongodb
  • Add check to make sure target is live before initiating scan
  • Write payload importer
  • Deduplicate payloads
  • Force https

Design notes

  • Create different a type of fuzzing tasks for each injection point type (url path, query parameters, headers, cookies, request body x-www-form-urlencoded, request body multipart/form-data, request body json)
  • Each injection point types get its own function that takes a list of injection types (sqli, xss, xxe, etc.)
  • These functions will follow the following pattern:
    1. For each injection point
    2. Grab all inputs from the mongodb database
    3. Loop over the inputs
    4. Create a new request for the current input
    5. Send the newly created request or add it to a queue TBD (To be decided)
    6. Get Response and store Request and Response with injection info to mongodb
Approach #1 for injecting parameters into a request
Query parameters
  1. inject payload in URL.RawQuery or http.Request.Form
  2. Submit request

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.