rfuzz 0.6

data/doc/rdoc/files/README.html

@@ -0,0 +1,473 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE html 
+     PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+  <title>File: README</title>
+  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
+  <meta http-equiv="Content-Script-Type" content="text/javascript" />
+  <link rel="stylesheet" href=".././rdoc-style.css" type="text/css" media="screen" />
+  <script type="text/javascript">
+  // <![CDATA[
+
+  function popupCode( url ) {
+    window.open(url, "Code", "resizable=yes,scrollbars=yes,toolbar=no,status=no,height=150,width=400")
+  }
+
+  function toggleCode( id ) {
+    if ( document.getElementById )
+      elem = document.getElementById( id );
+    else if ( document.all )
+      elem = eval( "document.all." + id );
+    else
+      return false;
+
+    elemStyle = elem.style;
+    
+    if ( elemStyle.display != "block" ) {
+      elemStyle.display = "block"
+    } else {
+      elemStyle.display = "none"
+    }
+
+    return true;
+  }
+  
+  // Make codeblocks hidden by default
+  document.writeln( "<style type=\"text/css\">div.method-source-code { display: none }</style>" )
+  
+  // ]]>
+  </script>
+
+</head>
+<body>
+
+
+
+  <div id="fileHeader">
+    <h1>README</h1>
+    <table class="header-table">
+    <tr class="top-aligned-row">
+      <td><strong>Path:</strong></td>
+      <td>README
+      </td>
+    </tr>
+    <tr class="top-aligned-row">
+      <td><strong>Last Update:</strong></td>
+      <td>Wed Jul 19 17:15:09 EDT 2006</td>
+    </tr>
+    </table>
+  </div>
+  <!-- banner header -->
+
+  <div id="bodyContent">
+
+
+
+  <div id="contextContent">
+
+    <div id="description">
+      <h1><a href="../classes/RFuzz.html">RFuzz</a> HTTP Destroyer</h1>
+<p>
+<a href="../classes/RFuzz.html">RFuzz</a> is the start of a Ruby based HTTP
+thrasher, destroyer, fuzzer, and client based on the Mongrel
+project&#8217;s HTTP parser and the statistical analysis of being very mean
+to a web server.
+</p>
+<p>
+At the moment is has a working and fairly extensive HTTP 1.1 client and
+some basic statistics math borrowed from the Mongrel project.
+</p>
+<p>
+In order for the test cases to run you need to start any Rails project on
+port 3000. Future releases will have tests starting built-in Mongrel
+servers to validate client functionality.
+</p>
+<h2>Motivation</h2>
+<p>
+The motivation for <a href="../classes/RFuzz.html">RFuzz</a> comes from
+little scripts I&#8217;ve written during Mongrel development to
+&quot;fuzz&quot; or attack the Mongrel code.
+</p>
+<p>
+<a href="../classes/RFuzz.html">RFuzz</a> will simply use the built-in
+ultra-correct HTTP client and a Ruby DSL to let you write scripts that
+exploit servers, thrash them with random data, or simply run simple test
+suites.
+</p>
+<p>
+It may also perform analysis of performance data and work as a simply load
+or pen testing tool. This is only a secondary goal though since
+there&#8217;s plenty of good tools for that.
+</p>
+<h2>Downloading</h2>
+<p>
+Right now <a href="../classes/RFuzz.html">RFuzz</a> just sits on my server,
+so you can download <a
+href="http://www.zedshaw.com/projects/rfuzz/rfuzz-0.4.gem">www.zedshaw.com/projects/rfuzz/rfuzz-0.4.gem</a>
+or <a
+href="http://www.zedshaw.com/projects/rfuzz/rfuzz-0.4.tgz">www.zedshaw.com/projects/rfuzz/rfuzz-0.4.tgz</a>
+for the 0.4 version.
+</p>
+<p>
+Once it can actually be used to fuzz a system I&#8217;ll make a RubyForge
+project.
+</p>
+<h2><a href="../classes/RFuzz.html">RFuzz</a> HTTP Client</h2>
+<p>
+It also comes from not being satisfied with the stock net/http library.
+While this library is good for high-level HTTP access to resources, it is
+much too abstract and protective to be used in a fuzzing tool.
+</p>
+<p>
+In a tool such as <a href="../classes/RFuzz.html">RFuzz</a> you need to
+have the following features in an HTTP client library:
+</p>
+<ol>
+<li>No protection from exceptions to analyze exactly what&#8217;s happening.
+
+</li>
+<li>Ability to &quot;throttle&quot; the client to simulate different kinds of
+request loads.
+
+</li>
+<li>No threading or additional overhead to test the impact of threads, but
+thread safe.
+
+</li>
+<li>Ability to encode the majority of the request as data elements for loading.
+
+</li>
+<li>Fast and exact HTTP parser to validate the server&#8217;s response is
+correct.
+
+</li>
+<li>Tracks cookies between requests to keep session data going.
+
+</li>
+</ol>
+<p>
+<a href="../classes/RFuzz/HttpClient.html">RFuzz::HttpClient</a> supports
+all of these features already, with cookies being the weakest right now.
+</p>
+<h3>Using The Client</h3>
+<p>
+The client is designed that you create an <a
+href="../classes/RFuzz/HttpClient.html">RFuzz::HttpClient</a> object once
+with all the common parameters and the host you want to talk with, and then
+you call a series of methods on the client object that match the HTTP
+methods GET, POST, PUT, DELETE, and HEAD. You can add more methods if you
+like (see the documentation).
+</p>
+<p>
+Here&#8217;s a simple example:
+</p>
+<pre>
+  require 'rfuzz/client'
+
+  cl = RFuzz::HttpClient.new(&quot;www.google.com&quot;, 80, :query =&gt; {&quot;q&quot; =&gt; &quot;zed shaw&quot;})
+
+  resp = cl.get(&quot;/search&quot;)
+  resp.http_body.grep(/zed/)
+  =&gt; [&quot;&lt;html&gt;&lt;head&gt;&lt;meta HTTP-EQUIV=\&quot;content-type\&quot; CONTENT=\&quot;text/html;
+       charset=ISO-8859-1\&quot;&gt;&lt;title&gt;zed shaw - Google Search&lt;/title&gt;&lt;style&gt;&lt;!--\n&quot;]
+
+  resp = cl.get(&quot;/search&quot;, :query =&gt; {&quot;q&quot; =&gt; &quot;frank&quot;})
+  =&gt; [&quot;&lt;html&gt;&lt;head&gt;&lt;meta HTTP-EQUIV=\&quot;content-type\&quot; CONTENT=\&quot;text/html;
+      charset=ISO-8859-1\&quot;&gt;&lt;title&gt;frank - Google Search&lt;/title&gt;&lt;style&gt;&lt;!--\n&quot;]
+</pre>
+<p>
+Notice that we made a client that actually had a default :query to just
+search for my name (Zed Shaw) and then we only had to
+cl.get(&quot;/search&quot;). In the second query though we just set :query
+to something else (a search for &quot;frank&quot;) and it automatically
+overrides the parameters. This makes it possible to set common parameters,
+cookies, and headers in blocks of requests to reduce repetition.
+</p>
+<h3>Client Limitations</h3>
+<p>
+You can use the HTTP client right now to do HTTP requests and it is
+probably a lot easier than net/http for most requests that don&#8217;t
+require complex POST bodies encoding. It also contains full documentation
+and has a full suite of encoding and decoding libraries. It can&#8217;t
+handle large HTTP bodies yet.
+</p>
+<p>
+It can&#8217;t also parse cookies properly yet, so the above example kind
+of works, but the cookie isn&#8217;t returned right.
+</p>
+<h2>Randomness Generator</h2>
+<p>
+<a href="../classes/RFuzz.html">RFuzz</a> features a RandomGenerator class
+that uses the ArcFour random number generation algorithm to generate lots
+of random garbage very fast in various formats. <a
+href="../classes/RFuzz.html">RFuzz</a> will use this to send the garbage it
+needs to the application in an attempt to find forms that can&#8217;t
+handle nastiness, badly implemented servers, etc. It&#8217;s amazing how
+many bugs you actually can find by sending junk to an application.
+</p>
+<p>
+The types of randomness you can generate are:
+</p>
+<ul>
+<li>words &#8212; <a href="../classes/RFuzz.html">RFuzz</a> includes a simple
+word list, but you can add your own.
+
+</li>
+<li>base64 &#8212; Arrays of base64 encoded junk.
+
+</li>
+<li>byte_array &#8212; Arrays of just junk.
+
+</li>
+<li>uris &#8212; Arrays of URIs composed of words strung together with /.
+
+</li>
+<li>ints &#8212; Random integers (with an allowed maximum).
+
+</li>
+<li>floats &#8212; Random floats.
+
+</li>
+<li>headers,queries &#8212; Hashes of key=value where the keys and values can
+be any of the above.
+
+</li>
+</ul>
+<p>
+The ArcFour fuzzrnd random generator is in a C extension so it&#8217;s
+small and fast. A big advantage of fuzzrnd is that it generates the same
+stream of random bytes for the same input seeds. This lets you set a seed
+and then if you find an error replay the same attack but still have random
+data.
+</p>
+<p>
+An example of using RandomGenerator is:
+</p>
+<pre>
+  g = RFuzz::RandomGenerator.new(open(&quot;resources/words.txt&quot;).read.split(&quot;\n&quot;))
+  h = g.headers(2,4,type=:ints)
+  =&gt; [{1398667391=&gt;2615968266, 465122870=&gt;2683411899, 2100652296=&gt;4131806743,
+     158954822=&gt;2544978312}, {3126281447=&gt;2247028995, 269763016=&gt;1444943723,
+     2401569363=&gt;1661839605, 2811294153=&gt;400252371}]
+</pre>
+<p>
+As you can see this produces 2 hashes consisting of 4 key=value pairs with
+integers in them. You can quickly replace type=:ints with type=:words and
+get:
+</p>
+<pre>
+  =&gt; [{&quot;Europeanizes&quot;=&gt;&quot;Byronize's&quot;, &quot;royalization's&quot;=&gt;&quot;Americanizer's&quot;,
+     &quot;celiorrhea&quot;=&gt;&quot;unliteralized&quot;, &quot;unvictimized&quot;=&gt;&quot;doctrinize&quot;},
+     {&quot;pouder&quot;=&gt;&quot;unchloridized&quot;, &quot;chattelize&quot;=&gt;&quot;unmodernize&quot;,
+     &quot;uncrystallizability&quot;=&gt;&quot;uncenter&quot;, &quot;Egyptianization's&quot;=&gt;&quot;ostracization's&quot;}]
+</pre>
+<p>
+Using the included dictionary of words.
+</p>
+<h1>Fuzzing Sessions And Statistics</h1>
+<p>
+The main way that you&#8217;ll use <a
+href="../classes/RFuzz.html">RFuzz</a> is to use the <a
+href="../classes/RFuzz/Session.html">RFuzz::Session</a> class to perform <a
+href="../classes/RFuzz.html">RFuzz</a> runs and store the results in
+various .csv files for analysis later. <a
+href="../classes/RFuzz.html">RFuzz</a> makes the stance that it
+shouldn&#8217;t be used for analyzing the data, but rather it should
+generate information that you can put through a better tool. Examples of
+such tools are R, gnuplot, ploticus, or a spreadsheet.
+</p>
+<p>
+The Session class is initialized in a similar fashion to the HttpClient,
+except you can&#8217;t set the :notifier (it&#8217;s used to collect
+statistics about the requests). Once you have a Session object you call
+it&#8217;s Session#run method to do a run of a set of samples and then put
+your tests inside a block.
+</p>
+<p>
+When a run is done it saves the results to two CSV files so you can analyze
+them.
+</p>
+<p>
+Here&#8217;s a small sample of how Session is used:
+</p>
+<pre>
+  require 'rfuzz/session'
+  include RFuzz
+  s = Session.new :host =&gt; &quot;localhost&quot;, :port =&gt; 3000
+  s.run 5, :save_as =&gt; [&quot;runs.csv&quot;,&quot;counts.csv&quot;] do |c,r|
+    uris = r.uris(50,r.num(30))
+    uris.each do |u|
+      s.count_errors(:words) do
+        resp = c.get(u)
+        s.count resp.http_status
+      end
+    end
+  end
+</pre>
+<p>
+If you run this (having a server at localhost:3000) you&#8217;ll find two
+files in the current directory: runs.csv and counts.csv. These files might
+look like this:
+</p>
+<pre>
+  -- runs.csv --
+  run,name,sum,sumsq,n,mean,sd,min,max
+  0,request,0.517807,0.010310748693,50.0,0.01035614,0.0100491312529583,0.001729,0.074479
+  1,request,0.48696,0.010552774434,50.0,0.0097392,0.0108892135376889,0.001667,0.081887
+  2,request,0.322049,0.004898592637,50.0,0.00644098,0.00759199560893725,0.000806,0.057761
+  3,request,0.271233,0.004324191489,50.0,0.00542466,0.00763028964494234,0.000828,0.057182
+  4,request,0.27697,0.001659079814,50.0,0.0055394,0.00159611899203497,0.000791,0.010722
+
+  -- counts.csv --
+  run,404,200
+  0,46,4
+  1,41,9
+  2,48,2
+  3,42,8
+  4,49,1
+</pre>
+<p>
+You can then easily load these two files into any tool you want to analyze
+the results.
+</p>
+<h3>Counts vs. Samples vs. Runs</h3>
+<p>
+Something many people don&#8217;t do correctly which <a
+href="../classes/RFuzz.html">RFuzz</a> tries to implicitly enforce is that
+doing just one run isn&#8217;t as useful as doing a set of runs. You might
+not be familiar with the terminology, so let&#8217;s cover that first.
+</p>
+<ul>
+<li>count &#8212; Just a simple count of some variable during a run.
+
+</li>
+<li>sample &#8212; A sample is the result of taking a measurement during a run.
+
+</li>
+<li>run &#8212; This is a test that you perform and then collect counts and
+samples for.
+
+</li>
+</ul>
+<p>
+In the above sample script, we are doing the following:
+</p>
+<ul>
+<li>5 runs.
+
+</li>
+<li>That do GET requests for up to 50 randomly selected URIs.
+
+</li>
+<li>Counting errors, HTTP status codes.
+
+</li>
+<li>And gathers stats on the request timing (Session does this automatically).
+
+</li>
+</ul>
+<p>
+If you were to structure this into a data structure it would like this:
+</p>
+<pre>
+  [
+    [&quot;run&quot;, &quot;name&quot;, &quot;sum&quot;, &quot;sumsq&quot;, &quot;n&quot;, &quot;mean&quot;, &quot;sd&quot;, &quot;min&quot;, &quot;max&quot;],
+    [0, :request, 0.605363, 0.0149, 50.0, 0.0121, 0.0124, 0.00851, 0.095579],
+    [1, :request, 0.520827, 0.0116, 50.0, 0.0104, 0.0112, 0.00189, 0.088004],
+    ...
+  ]
+</pre>
+<p>
+Taking a look at this, we have run 0, run 1, &#8230; and then each
+&quot;row&quot; has a set of satistics we&#8217;ve gathered on the HTTP
+request (shown as &quot;name&quot;). These statistics are actually
+generated from the random 50 URI requests we built with this set of code:
+</p>
+<pre>
+  uris = r.uris(50,r.num(30))
+</pre>
+<p>
+Which means that each row is the statistics collected as each request is
+made from the 50 randomly generated URIs. If I were to write this out
+it&#8217;d be:
+</p>
+<ol>
+<li>Generate 50 random URIs.
+
+</li>
+<li>Request URIs 1-50, record how long each one takes.
+
+</li>
+<li>Average (with standard deviation) the times for each request.
+
+</li>
+<li>Store this as one &quot;run&quot;.
+
+</li>
+<li>Repeat until all the runs are done.
+
+</li>
+</ol>
+<p>
+By doing this you cut down on the amount of information you need to analyze
+to figure out if a server is behaving correctly. Instead of wading through
+tons of data about each request, you just analyze the
+&quot;meta-statistics&quot; about the runs.
+</p>
+<h3>Sample Runs Reduce Error</h3>
+<p>
+The reason for doing a series of runs and analyzing their standard
+deviation (sd) and means is that it reduces the chance that one long run
+was just done at the wrong time or in the wrong situation. If you just ran
+a test once with the same settings every time you might not find out until
+later that there was some confounding element which made the test invalid.
+</p>
+<h2>Source Code</h2>
+<p>
+The .tgz file (mentioned Downloading) has the source if you&#8217;re
+interested. Remember that *you must have a rails app on 3000* for the tests
+to run. Just a limitation right now until I hook Mongrel into the test
+framework as the feedback loop.
+</p>
+<p>
+You can also view <a
+href="http://www.zedshaw.com/projects/rfuzz/coverage">www.zedshaw.com/projects/rfuzz/coverage</a>/
+for the rcov generated coverage report which is also a decent source
+browser.
+</p>
+
+    </div>
+
+
+   </div>
+
+
+  </div>
+
+
+    <!-- if includes -->
+
+    <div id="section">
+
+
+
+
+
+      
+
+
+    <!-- if method_list -->
+
+
+  </div>
+
+
+<div id="validator-badges">
+  <p><small><a href="http://validator.w3.org/check/referer">[Validate]</a></small></p>
+</div>
+
+</body>
+</html>