Value replacing, upper or lower (apparently) not working. #140

Closed
Shaddy opened this issue May 29, 2019 · 1 comment

Shaddy commented May 29, 2019

Context

Using wfuzz version 2.4 and python 3.6.7

OS: Ubuntu 18.04

Report

I tried with all available modifiers (slice, filter, prefilter and even field) trying to uppercase a value.

While --field does modify the value in the output, none of them is able to modify it before the request is made.

What is the current behavior?

FUZZ values are not properly modified.

What is the expected or desired behavior?

I would expect --prefilter or --slice to modify the value before the request is made.

Please provide steps to reproduce, including exact wfuzz command executed and output:

Run a local server and execute the following command.

python -m SimpleHTTPServer 8000
wfuzz -z list,one-two-three --prefilter "FUZZ|upper()" --filter "FUZZ|upper()" --field "FUZZ|upper()" --slice "FUZZ|upper()" http://localhost:8000/FUZZ

Output of WFUZZ

$ wfuzz -z list,one-two-three --prefilter "FUZZ|upper()" --filter "FUZZ|upper()" --field "FUZZ|upper()" --slice "FUZZ|upper()" http://localhost:8000/FUZZ
********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************

Target: http://localhost:8000/FUZZ
Total requests: <<unknown>>

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000001:   404        9 L      25 W     195 Ch      "ONE"
000000002:   404        9 L      25 W     195 Ch      "TWO"
000000003:   404        9 L      25 W     195 Ch      "THREE"

Total time: 0.105126
Processed Requests: 3
Filtered Requests: 0
Requests/sec.: 28.53695

Output of server

$ python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
127.0.0.1 - - [29/May/2019 22:09:24] code 404, message File not found
127.0.0.1 - - [29/May/2019 22:09:24] "GET /one HTTP/1.1" 404 -
127.0.0.1 - - [29/May/2019 22:09:24] code 404, message File not found
127.0.0.1 - - [29/May/2019 22:09:24] "GET /two HTTP/1.1" 404 -
127.0.0.1 - - [29/May/2019 22:09:24] code 404, message File not found
127.0.0.1 - - [29/May/2019 22:09:24] "GET /three HTTP/1.1" 404 -

Comments

Just in case, I updated pyparsing from 2.2 to 2.4 (it was 2.2 due to incompatibility with mitmproxy, but just to ensure it was not a version problem I have updated it).

xmendez (Owner) commented Aug 18, 2020

Hi,

The idea of the slice command was to filter out a payload, not to modify its values.
Also, an operator only returns a value, it does not assign or replace its input value.

The idea for operators is to use something like "r.url:=r.url|upper()." or use them directly where they return a value, for example, -H "header: FUZZ[|upper()]"; however, this is not implemented yet.

I understand that the above might be counter-intuitive. Furthermore, it is easy to make --slice modify the source payload and more understandable.

Thanks
Cheers
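
Added example, not part of the original thread and not wfuzz code: a small checker that compares the payload column a fuzzer prints with the paths the target's access log actually recorded, run over the output quoted in the report above. The function names and the case-insensitive matching are assumptions made for this illustration.

```python
import re

# Result rows and access-log lines copied from the report above.
WFUZZ_ROWS = '''\
000000001:   404        9 L      25 W     195 Ch      "ONE"
000000002:   404        9 L      25 W     195 Ch      "TWO"
000000003:   404        9 L      25 W     195 Ch      "THREE"
'''
SERVER_LOG = '''\
127.0.0.1 - - [29/May/2019 22:09:24] code 404, message File not found
127.0.0.1 - - [29/May/2019 22:09:24] "GET /one HTTP/1.1" 404 -
127.0.0.1 - - [29/May/2019 22:09:24] code 404, message File not found
127.0.0.1 - - [29/May/2019 22:09:24] "GET /two HTTP/1.1" 404 -
127.0.0.1 - - [29/May/2019 22:09:24] code 404, message File not found
127.0.0.1 - - [29/May/2019 22:09:24] "GET /three HTTP/1.1" 404 -
'''

ROW_RE = re.compile(r'^\d+:\s+\d{3}\s.*?"(.*)"\s*$')   # ID, status, ..., "payload"
REQ_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" \d{3}')  # "METHOD path HTTP/x" code


def displayed_payloads(rows):
    """Payload column of every result row, in the order printed."""
    found = (ROW_RE.match(line) for line in rows.splitlines())
    return [m.group(1) for m in found if m]


def requested_paths(log):
    """Request paths the server logged; 'code 404, message ...' lines are skipped."""
    return [m.group(1) for m in REQ_RE.finditer(log)]


def display_vs_wire(rows, log, prefix="/"):
    """Map each displayed payload that was never sent verbatim to the
    case-insensitive match that was sent, or None if nothing similar was.
    Order-independent, because requests may be logged out of order."""
    sent = [p[len(prefix):] if p.startswith(prefix) else p
            for p in requested_paths(log)]
    by_fold = {p.casefold(): p for p in sent}
    return {s: by_fold.get(s.casefold())
            for s in displayed_payloads(rows) if s not in sent}


if __name__ == "__main__":
    for shown, wire in display_vs_wire(WFUZZ_ROWS, SERVER_LOG).items():
        print(f"displayed {shown!r} but the server received {wire!r}")
```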
