hitman 0.1.1 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +64 -3
- data/lib/hitman/iterators/symbol_iterator.rb +9 -0
- data/lib/hitman/version.rb +1 -1
- metadata +4 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 10c1e35d8dd67d87fc3ba4878e8b42768d40e3cc
|
|
4
|
+
data.tar.gz: 6165050c77f3153e195184a1ba7cde5e9190c8dc
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cb6acce374a2eba3a66e0e984ee468f8dc392ad8378701972a48ab88e8829611f0ee21efda3206ee4b5f0b8913e13ea24ef9671e0376e483b8f2d4594d227aed
|
|
7
|
+
data.tar.gz: 16ca63b73868706bec235247a3dbf1e91d28ad0e53fce4a4a83954031e394994dd3349d416069ba822f45fa7139b235b366687db31e944c40928f582f2c85f81
|
data/README.md
CHANGED
|
@@ -22,7 +22,69 @@ Or install it yourself as:
|
|
|
22
22
|
|
|
23
23
|
## Usage
|
|
24
24
|
|
|
25
|
-
|
|
25
|
+
At the moment, Hitman can only auto-analyse Grape APIs, but if you have any other API, you can still use it by supplying the configuration manually.
|
|
26
|
+
|
|
27
|
+
First, define a target to attack. It is best to run your API locally, for speed reasons.
|
|
28
|
+
|
|
29
|
+
```ruby
|
|
30
|
+
t = Hitman::Target.new('my api', 'http://localhost:9292')
|
|
31
|
+
```
|
|
32
|
+
|
|
33
|
+
Hitman needs the name and the address of its target. He's gonna find out the rest. No need for a picture.
|
|
34
|
+
|
|
35
|
+
If your API uses param authentication, you can supply `postfix` data which will be attached to every request made, e.g. if you need to authenticate:
|
|
36
|
+
|
|
37
|
+
```ruby
|
|
38
|
+
t.postfix = { email: 'test@hitman.org', password: '12345678' }
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
Hitman first needs to analyse the target to find the best possible strategy to attack. Load your API class and pass it, along with a reference to your target, to Hitman:
|
|
42
|
+
|
|
43
|
+
```ruby
|
|
44
|
+
scanner = Hitman::Scanner.new
|
|
45
|
+
target = scanner.scan_grape(t, API)
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
Hitman is ready and armed now. Start the fuzzer and watch chaos unfold.
|
|
49
|
+
|
|
50
|
+
```ruby
|
|
51
|
+
fuzzer = Hitman::Fuzzer.new
|
|
52
|
+
fuzzer.start(target)
|
|
53
|
+
```
|
|
54
|
+
|
|
55
|
+
## Not using a Grape API? No problem.
|
|
56
|
+
|
|
57
|
+
You just manually need to supply some secret information to Hitman.
|
|
58
|
+
|
|
59
|
+
First, create a target:
|
|
60
|
+
|
|
61
|
+
```ruby
|
|
62
|
+
t = Hitman::Target.new('my api', 'http://localhost:9292')
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
Then, for every endpoint of your API, you need to supply the HTTP method, the path and possible parameters in the form
|
|
66
|
+
|
|
67
|
+
```ruby
|
|
68
|
+
route = Hitman::Route.new('post', '/api/users')
|
|
69
|
+
t.routes << route
|
|
70
|
+
route.params << Hitman::Param.new('email', 'string')
|
|
71
|
+
route.params << Hitman::Param.new('password', 'string')
|
|
72
|
+
route.params << Hitman::Param.new('password_confirmation', 'string')
|
|
73
|
+
```
|
|
74
|
+
|
|
75
|
+
You can use this example:
|
|
76
|
+
|
|
77
|
+
```ruby
|
|
78
|
+
my_api_routes.each do |api_route|
|
|
79
|
+
route = Hitman::Route.new(api_route.method, api_route.path)
|
|
80
|
+
t.routes << route
|
|
81
|
+
api_route.params.each do |name, type|
|
|
82
|
+
route.params << Hitman::Param.new(name, type)
|
|
83
|
+
end
|
|
84
|
+
end
|
|
85
|
+
```
|
|
86
|
+
|
|
87
|
+
After that, you're ready to run the Fuzzer.
|
|
26
88
|
|
|
27
89
|
## Development
|
|
28
90
|
|
|
@@ -32,5 +94,4 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
|
|
|
32
94
|
|
|
33
95
|
## Contributing
|
|
34
96
|
|
|
35
|
-
Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/hitman.
|
|
36
|
-
|
|
97
|
+
Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/hitman.
|
data/lib/hitman/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: hitman
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Lukas_Skywalker
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2018-09-30 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -58,6 +58,7 @@ files:
|
|
|
58
58
|
- lib/hitman/iterators/hash_iterator.rb
|
|
59
59
|
- lib/hitman/iterators/integer_iterator.rb
|
|
60
60
|
- lib/hitman/iterators/string_iterator.rb
|
|
61
|
+
- lib/hitman/iterators/symbol_iterator.rb
|
|
61
62
|
- lib/hitman/param.rb
|
|
62
63
|
- lib/hitman/request.rb
|
|
63
64
|
- lib/hitman/route.rb
|
|
@@ -83,7 +84,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
83
84
|
version: '0'
|
|
84
85
|
requirements: []
|
|
85
86
|
rubyforge_project:
|
|
86
|
-
rubygems_version: 2.
|
|
87
|
+
rubygems_version: 2.6.11
|
|
87
88
|
signing_key:
|
|
88
89
|
specification_version: 4
|
|
89
90
|
summary: API fuzzing for professionals
|