#Katyusha REST and SOAP fuzzer
Katyusha is simple REST and SOAP API fuzzer.
It's straightforward,lightweight and written in Python and Angular JS.
Wiki page of the project (cro): http://security.foi.hr/wiki/index.php/Fuzzing_web_servisa_(REST_i_SOAP) .
We tried to make it as straightforwad as it can be. Just follow the instructions and you'll get where you want to be.
This web API fuzzer is made as project asignment for SIS - Security of information systems at FOI http://security.foi.hr/wiki/index.php/Glavna_stranica .
Dependencies:
- Pysimpesoap - https://code.google.com/p/pysimplesoap/
- Requests - http://docs.python-requests.org/en/latest/
- Fuzz db - https://code.google.com/p/fuzzdb/
Before runing the code please check that you have installed dependancies listed below. In bash run:
python main.pyAfter that it's really simple (example for REST):
Please choose your action:
1) Fuzz API service
2) View results
3) Quit
Select:1After that simply select methods and params you want to fuzz
Please choose your protocole:
1) REST
2) SOAP
3) Quit
Select:1
################################################
REST FUZZER
################################################
Please insert URL to API :http://192.168.56.101/mutillidae/webservices/rest/ws-user-account.php
Method:
1) GET
2) POST
3) Quit
Select:1
################################################
Name of the parametar you want to fuzz :username
Fuzz this parameter (Y/N):y
Add more parameters (Y/N) ? n
Fuzzing started...After the fuzzing is done you can see the results in your webbrowser
Fuzzing done...
Results saved at: 'results/'rest_result_2015_01_08_02_23_04.json
View results:
1) YES
2) NO
3) Quit
Select:1
Find results at:
http://localhost:8088/#/rest_result_2015_01_08_02_23_04.json
running local server...
Listening on 8088Made by Milan Pavlović and Lovro Predovan 2015.
Please report bugs and sugestions to:
https://twitter.com/lovro_p
This software is under a DBAD license