= RFuzz HTTP Destroyer

RFuzz is the start of a Ruby-based HTTP thrasher, destroyer, fuzzer, and client based on the Mongrel project's HTTP parser and the statistical analysis of being very mean to a web server.

At the moment it has a working and fairly extensive HTTP 1.1 client and some basic statistics math borrowed from the Mongrel project.

In order for the test cases to run you need to start any Rails project on port 3000. Future releases will have tests starting built-in Mongrel servers to validate client functionality.

== Motivation

The motivation for RFuzz comes from little scripts I've written during Mongrel development to "fuzz" or attack the Mongrel code. RFuzz will simply use the built-in ultra-correct HTTP client and a Ruby DSL to let you write scripts that exploit servers, thrash them with random data, or simply run simple test suites.

It may also perform analysis of performance data and work as a simple load or pen testing tool. This is only a secondary goal though, since there are plenty of good tools for that.

== Downloading

Right now RFuzz just sits on my server, so you can download http://www.zedshaw.com/projects/rfuzz/rfuzz-0.4.gem or http://www.zedshaw.com/projects/rfuzz/rfuzz-0.4.tgz for the 0.4 version. Once it can actually be used to fuzz a system I'll make a RubyForge project.

== RFuzz HTTP Client

RFuzz also comes from not being satisfied with the stock net/http library. While this library is good for high-level HTTP access to resources, it is much too abstract and protective to be used in a fuzzing tool.

In a tool such as RFuzz you need to have the following features in an HTTP client library:

1. No protection from exceptions, so you can analyze exactly what's happening.
2. Ability to "throttle" the client to simulate different kinds of request loads.
3. No threading or additional overhead, so you can test the impact of threads, but thread safe.
4. Ability to encode the majority of the request as data elements for loading.
5. Fast and exact HTTP parser to validate that the server's response is correct.
6. Tracks cookies between requests to keep session data going.

RFuzz::HttpClient supports all of these features already, with cookies being the weakest right now.

=== Using The Client

The client is designed so that you create an RFuzz::HttpClient object once with all the common parameters and the host you want to talk with, and then you call a series of methods on the client object that match the HTTP methods GET, POST, PUT, DELETE, and HEAD. You can add more methods if you like (see the documentation).

Here's a simple example:

  require 'rfuzz/client'

  cl = RFuzz::HttpClient.new("www.google.com", 80, :query => {"q" => "zed shaw"})
  resp = cl.get("/search")
  resp.http_body.grep(/zed/)
  => ["
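
Feature 5 in the list above asks for an exact parser that validates the server's response. The following is an added example, not code from RFuzz or Mongrel (whose parser it does not reproduce): a pure-Ruby strict checker that reports the response deviations a forgiving client would hide. +StrictResponse+, +Result+, +GOOD+ and +BAD+ are hypothetical names, and the sample responses are constructed.

```ruby
# Added example, not RFuzz's or Mongrel's parser: a simplified strict checker.
# StrictResponse, Result, GOOD and BAD are hypothetical names for illustration.
module StrictResponse
  # Reason phrase limited to visible ASCII, space and tab (a simplification).
  STATUS_LINE = %r{\AHTTP/1\.[01] (\d{3}) [\t \x21-\x7e]*\z}
  TOKEN       = /\A[A-Za-z0-9!$%&'*+.^_`|~#-]+\z/   # RFC 7230 header name

  Result = Struct.new(:status, :headers, :body, :errors)

  # Inspects the bytes exactly as received and records every deviation
  # instead of repairing it, which is what a fuzzing client needs to see.
  def self.check(raw)
    raw = raw.dup.force_encoding(Encoding::BINARY)
    errors = []
    head, sep, body = raw.partition("\r\n\r\n")
    errors << "missing CRLFCRLF header terminator" if sep.empty?
    lines = head.split("\r\n", -1)
    status_line = lines.shift.to_s
    m = STATUS_LINE.match(status_line)
    errors << "malformed status line: #{status_line.inspect}" unless m
    headers = {}
    lines.each do |line|
      name, colon, value = line.partition(":")
      # Rejects a missing colon, whitespace before it, and stray CR/LF/NUL.
      if colon.empty? || name !~ TOKEN || value =~ /[\r\n\0]/
        errors << "invalid header line: #{line.inspect}"
        next
      end
      (headers[name.downcase] ||= []) << value.strip
    end
    cl = headers.fetch("content-length", []).uniq
    te = headers.key?("transfer-encoding")
    errors << "conflicting Content-Length values: #{cl.inspect}" if cl.size > 1
    errors << "Content-Length together with Transfer-Encoding" if te && !cl.empty?
    if cl.size == 1 && !te
      if cl[0] !~ /\A\d+\z/
        errors << "non-numeric Content-Length: #{cl[0].inspect}"
      elsif cl[0].to_i != body.bytesize
        errors << "Content-Length #{cl[0]} but body is #{body.bytesize} bytes"
      end
    end
    Result.new(m && m[1].to_i, headers, body, errors)
  end
end

# Constructed sample responses (not captured from any real server).
GOOD = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 5\r\n\r\nhello"
BAD  = "HTTP/1.1 200 OK\r\nContent-Length : 3\r\nContent-Length: 9\r\n" \
       "Transfer-Encoding: chunked\r\n\r\nhello"
[GOOD, BAD].each { |r| p StrictResponse.check(r).errors } if __FILE__ == $0
```

The body-length comparison assumes the whole response was read before the connection closed and that no transfer coding is in use.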