Skip to content

Latest commit

 

History

History
103 lines (70 loc) · 2.82 KB

README.md

File metadata and controls

103 lines (70 loc) · 2.82 KB
Raw

Hitman

Hitman is an automatic API fuzzer written in Ruby. It might auto analyse your API and test it. Or, if you're unlucky, you need to define a target it will attack.

Installation

Add this line to your application's Gemfile:

gem 'hitman'

And then execute:

$ bundle

Or install it yourself as:

$ gem install hitman

Usage

At the moment, Hitman can only auto-analyse Grape APIs, but if you have any other API, you can still use it by supplying the configuration manually.

First, define a target to attack. It is best to run your API locally, for speed reasons.

t = Hitman::Target.new('my api', 'http:https://localhost:9292')

Hitman needs the name and the address of its target. He's gonna find out the rest. No need for a picture.

If your API uses param authentication, you can supply postfix data which will be attached to every request made, e.g. if you need to authenticate:

t.postfix = { email: '[email protected]', password: '12345678' }

Hitman first needs to analyse the target to find the best possible strategy to attack. Load your API class and pass it, along with a reference to your target, to Hitman:

scanner = Hitman::Scanner.new
target = scanner.scan_grape(t, API)

Hitman is ready and armed now. Start the fuzzer and watch chaos unfold.

fuzzer = Hitman::Fuzzer.new
fuzzer.start(target)

Not using a Grape API? No problem.

You just manually need to supply some secret information to Hitman.

First, create a target:

t = Hitman::Target.new('my api', 'http:https://localhost:9292')

Then, for every endpoint of your API, you need to supply the HTTP method, the path and possible parameters in the form

route = Hitman::Route.new('post', '/api/users')
t.routes << route
route.params << Hitman::Param.new('email', 'string')
route.params << Hitman::Param.new('password', 'string')
route.params << Hitman::Param.new('password_confirmation', 'string')

You can use this example:

my_api_routes.each do |api_route|
  route = Hitman::Route.new(api_route.method, api_route.path)
  t.routes << route
  api_route.params.each do |name, type|
    route.params << Hitman::Param.new(name, type)
  end
end

After that, you're ready to run the Fuzzer.

Development

After checking out the repo, run bin/setup to install dependencies. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/LukasSkywalker/hitman.