rfuzz
... and with strange ons, even death may die.
home
quick info about rfuzz
sample
get the idea
design
how rfuzz's designed
theory
the theory behind rfuzz
practice
using rfuzz for real
statistics
learn statistics
docs
API and other info
project
rubyforge project page
credit
people who helped
RFuzz The Web Destroyer (and client library)
RFuzz is a Ruby library to easily test web applications from the outside using a fast HttpClient and wicked evil RandomGenerator allowing the average programmer to use advanced fuzzing techniques for just pennies a day.
Features
- A full ultra fast and light HTTP client based on the Mongrel core.
- A fast ArcFour based RandomGenerator that feeds your applications more garbage than an army of freegans eats in a day.
- A small DSL (Domain Specific Language) for running test Sessions and gathering statistics about the test.
- Integration with RSpec for organizing and running tests.
- Simple Rant scripts to generate and run whole test suites with dependencies. (in progress)
- Reporting tools for integrating with R and Ruby Reports for generating test result reports. (coming soon)
Installation
On any system that can build Mongrel (not Windows) you can install RFuzz using:
sudo gem install rfuzz
Getting Started
Just check out the samples for a few examples and read the RDoc to get started. More detailed documentation on writing and using RFuzz will come down as I nail down how best to use it.
Not Just For Fuzzing
Fuzzing is a powerful tool for cheaply cranking out inputs which will break your web application in unexpected ways. Yet, RFuzz isn’t limited to only fuzzing.
RFuzz’s arsenal of tools means that you can test a web application starting at the dumbest level (raw random HTTP), and work your way up to carefully crafted tests to exploit commonly found flaws.
It’s not limited to random testing or security testing at all since the HttpClient and Session are able to do regular testing you’d normally do with Mechanize instead. Combined with Hpricot and you get a fast HTML validation suite as well as HTTP based testing.
Reducing The Cost Of Fuzzing
Typically fuzzing is only used on projects that have a dedicated testing budget. A main goal of RFuzz is to make it so easy to write external fuzzing tests that every project can create and maintain a full testing suite cheaply.