Home

Awesome

Tiny URL Fuzzer

A tiny and cute URL fuzzer in my talk of Black Hat USA 2017 and DEFCON 25.

Slides:

Case Study:

How to use?

All the code are written for hackers, and under PoC. Read the source! Some URL samples you can check samples.txt

Install / Restore

$ run_me.py install
$ run_me.py restore

Try

$ try.py http://127.0.0.1

Go.net/url               scheme=http, host=127.0.0.1, port=
Java.net.URL             scheme=http, host=127.0.0.1, port=-1
NodeJS.url               scheme=http, host=127.0.0.1, port=
PHP.parseurl             scheme=http, host=127.0.0.1, port=
Perl.URI                 scheme=http, host=127.0.0.1, port=80
Python.urlparse          scheme=http, host=127.0.0.1, port=
Ruby.addressable/uri     scheme=http, host=127.0.0.1, port=
Ruby.uri                 scheme=http, host=127.0.0.1, port=80


Go.net/http              127.0.0.1:80/
Java.URL                 127.0.0.1:80/
NodeJS.http              127.0.0.1:80/
PHP.curl                 127.0.0.1:80/
PHP.open                 127.0.0.1:80/
Perl.LWP                 127.0.0.1:80/
Python.httplib           127.0.0.1:80/
Python.requests          127.0.0.1:80/
Python.urllib            127.0.0.1:80/
Python.urllib2           127.0.0.1:80/
Ruby.Net/HTTP            127.0.0.1:80/
Ruby.open_uri            127.0.0.1:80/

Fuzz

$ fuzz.py