Antti Vähä-Sipilä
The BDD stuff is really mostly useless in the context of Mittn. For example, the use of Behave and Gherkin in the Burp scanning case is just syntactic sugar, which...
Writing collected fuzz valid cases to files for Radamsa sometimes fails with:
  File "/home/user/mittn/mittn/httpfuzzer/fuzzer.py", line 87, in get_fuzz
    filehandle.write(bytearray(valid_string, "UTF-8"))
TypeError: encoding or errors without a string argument
The requests library does not like all the fuzzer-generated URLs. This may result in a requests.exceptions.InvalidURL when sending a fuzzed GET request. The solution would be to catch this exception...
Some load balancers drop bodies that are too large. They just close the HTTP connection, resulting in an HTTP protocol error. These cases are false positives and crop up randomly...
A tool that checks the existence of HTTP headers from the server against a baseline.
Some example strings in the httpfuzzer feature file, used for matching server responses, cause a lot of false positives if the server reflects back the strings in the static injections...
When using httpfuzzer, currently the database only holds an indication whether one of the error strings in the feature file matched in the server response body. To make the false...
One of the original features I did not yet get to implement is a fuzzer for URL paths. Each part of a URL path could be fuzzed and injected.
Failing tests are now reported as fairly non-standard JSON blobs. An alternative would be to use HAR, a semi-standard format for HTTP request/response data. This is a low priority need...
A request from a user was to output a log of activity using a logging framework, so the test tool run can be more closely monitored (also without an intervening...