RFuzz The Web Destroyer (and client library)

RFuzz is a Ruby library to easily test web applications from the outside using a fast HttpClient and wicked evil RandomGenerator allowing the average programmer to use advanced fuzzing techniques for just pennies a day.

Features

  • A full ultra fast and light HTTP client based on the Mongrel core.
  • A fast ArcFour based RandomGenerator that feeds your applications more garbage than an army of freegans eats in a day.
  • A small DSL (Domain Specific Language) for running test Sessions and gathering statistics about the test.
  • Integration with RSpec for organizing and running tests.
  • Simple Rant scripts to generate and run whole test suites with dependencies. (in progress)
  • Reporting tools for integrating with R and Ruby Reports for generating test result reports. (coming soon)

Installation

On any system that can build Mongrel (not Windows) you can install RFuzz using:

sudo gem install rfuzz

Getting Started

Just check out the samples for a few examples and read the RDoc to get started. More detailed documentation on writing and using RFuzz will come down as I nail down how best to use it.

Not Just For Fuzzing

Fuzzing is a powerful tool for cheaply cranking out inputs which will break your web application in unexpected ways. Yet, RFuzz isn’t limited to only fuzzing.

RFuzz’s arsenal of tools means that you can test a web application starting at the dumbest level (raw random HTTP), and work your way up to carefully crafted tests to exploit commonly found flaws.

It’s not limited to random testing or security testing at all since the HttpClient and Session are able to do regular testing you’d normally do with Mechanize instead. Combined with Hpricot and you get a fast HTML validation suite as well as HTTP based testing.

Reducing The Cost Of Fuzzing

Typically fuzzing is only used on projects that have a dedicated testing budget. A main goal of RFuzz is to make it so easy to write external fuzzing tests that every project can create and maintain a full testing suite cheaply.