Alex Parrill, Ryan Switzer, Brian Hanson
Project for SE 331 "Engineering Secure Software" at Rochester Institute of Technology
Python: v3.2 or newer
sudo apt-get install python3
Requests: v2.4.3 or newer
sudo apt-get install python3-pip
sudo pip install requests
another option to install requests is to clone the repo: git clone git://github.com/kennethreitz/requests.git and then navigate to the requests clone and run: python setup.py install
Run this command to get usage information:
python3 main.py --help
To get help with the subcommands:
python3 main.py discover --help
OR
python3 main.py test --help
Note that the -v, -q, --blacklist, --custom-auth, and --cookies parameters must come before the subcommand (test|discover), and subcommand specific arguments must come after the subcommand.
This assumes that DVWA is at localhost:8080/DVWA-1.0.8, but the URL is easily modified. Just don't forget to change the logout blacklisted page as well.
UNIX:
python3 main.py -v --blacklist="/DVWA-1.0.8/logout.php" --cookies='{"security":"low"}' --custom-auth='{"username":"admin","password":"password","Login":"login"}' test http://localhost:8080/DVWA-1.0.8/login.php -v vectors.txt -s sensitive.txt --slow=1000
OR
sh fuzz_test_ux
Windows:
python3 main.py -v --blacklist="/DVWA-1.0.8/logout.php" --cookies="{\"security\":\"low\"}" --custom-auth="{\"username\":\"admin\",\"password\":\"password\",\"Login\":\"login\"}" test http://localhost:8080/DVWA-1.0.8/login.php -v vectors.txt -s sensitive.txt --slow=1000
OR
fuzz_test
*Note the given scripts will only attempt to establish connections with localhost:8080/DVWA-1.0.8 and 127.0.0.1/dvwa.