fuzzing_parameters
Test extracted parameters with payloads using ffuf or wfuzz to identify vulnerabilities in web applications during security assessments.
Instructions
Fuzz extracted parameters with various payloads using ffuf/wfuzz
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| parameters | Yes | Array of extracted parameters to fuzz | |
| tool | No | Fuzzing tool to use |
Implementation Reference
- src/tools/fuzzing.ts:37-101 (handler)Core handler function implementing the fuzzing_parameters tool logic: configures fuzzing tool (ffuf/wfuzz), groups parameters by endpoint, executes fuzzing, analyzes responses for vulnerabilities, and returns structured ScanResult.
async fuzzParameters(parameters: ExtractedParameter[], config: Partial<FuzzingConfiguration> = {}): Promise<ScanResult> { try { const defaultConfig: FuzzingConfiguration = { tool: 'ffuf', threads: 10, timeout: 10, delay: 100, wordlist: this.getDefaultWordlist('parameters'), filter_codes: [404, 403], ...config }; console.error(`π Fuzzing ${parameters.length} parameters with ${defaultConfig.tool}`); const allResults: FuzzingResult[] = []; // Group parameters by URL and method for efficient fuzzing const paramGroups = this.groupParametersByEndpoint(parameters); for (const [endpoint, params] of paramGroups.entries()) { console.error(` Fuzzing endpoint: ${endpoint}`); if (defaultConfig.tool === 'ffuf') { const ffufResults = await this.runFFUF(endpoint, params, defaultConfig); allResults.push(...ffufResults); } else if (defaultConfig.tool === 'wfuzz') { const wfuzzResults = await this.runWfuzz(endpoint, params, defaultConfig); allResults.push(...wfuzzResults); } // Rate limiting between endpoints await this.sleep(defaultConfig.delay); } // Analyze results for vulnerabilities const analyzedResults = this.analyzeResults(allResults); const vulnerabilities = analyzedResults.filter(r => r.vulnerability_detected); return { target: 'parameter_fuzzing', timestamp: new Date().toISOString(), tool: 'fuzzing_engine', results: { total_tests: allResults.length, vulnerabilities_found: vulnerabilities.length, critical_findings: vulnerabilities.filter(v => v.severity === 'critical').length, high_findings: vulnerabilities.filter(v => v.severity === 'high').length, fuzzing_results: allResults, vulnerability_summary: this.summarizeVulnerabilities(vulnerabilities), recommendations: this.generateRecommendations(vulnerabilities) }, status: 'success' }; } catch (error) { return { target: 'parameter_fuzzing', timestamp: new Date().toISOString(), tool: 'fuzzing_engine', results: {}, status: 'error', error: error instanceof Error ? error.message : String(error) }; } } - src/index.ts:282-301 (registration)Tool registration entry defining the name, description, and input schema for the fuzzing_parameters tool in the MCP server.
{ name: "fuzzing_parameters", description: "Fuzz extracted parameters with various payloads using ffuf/wfuzz", inputSchema: { type: "object", properties: { parameters: { type: "array", items: { type: "object" }, description: "Array of extracted parameters to fuzz" }, tool: { type: "string", enum: ["ffuf", "wfuzz"], description: "Fuzzing tool to use" } }, required: ["parameters"] } }, - src/index.ts:552-553 (handler)Dispatch handler in main tool call switch statement that invokes the FuzzingEngine.fuzzParameters method with parsed arguments.
case "fuzzing_parameters": return respond(await this.fuzzingEngine.fuzzParameters(args.parameters, { tool: args.tool || 'ffuf' })); - src/tools/fuzzing.ts:22-33 (schema)Type definitions for FuzzingConfiguration (used for tool options) and FuzzingResult (output structure for fuzzing findings).
export interface FuzzingConfiguration { tool: 'ffuf' | 'wfuzz'; threads: number; timeout: number; delay: number; wordlist: string; extensions?: string[]; filter_codes?: number[]; filter_size?: number[]; match_codes?: number[]; custom_headers?: Record<string, string>; } - src/tools/fuzzing.ts:204-271 (helper)Helper method to execute ffuf fuzzing on parameters, parse output, and create FuzzingResult objects.
private async runFFUF(endpoint: string, parameters: ExtractedParameter[], config: FuzzingConfiguration): Promise<FuzzingResult[]> { try { // Check if ffuf is installed try { await execAsync('ffuf -h', { timeout: 5000 }); } catch { console.warn('ffuf not found, skipping ffuf fuzzing'); return []; } const results: FuzzingResult[] = []; for (const param of parameters.slice(0, 5)) { // Limit to 5 params per endpoint const payloads = this.getPayloadsForParameter(param); for (const payload of payloads.slice(0, 20)) { // Limit payloads try { const testUrl = this.buildTestUrl(endpoint, param, payload); const command = `ffuf -u "${testUrl}" -w ${config.wordlist} -t ${config.threads} -timeout ${config.timeout} -p ${config.delay / 1000} -o /dev/null -s`; const { stdout } = await execAsync(command, { timeout: 30000, maxBuffer: 1024 * 1024 }); // Parse ffuf output (simplified) const lines = stdout.split('\n').filter(line => line.trim()); for (const line of lines) { if (line.includes('Status:') && line.includes('Size:')) { const statusMatch = line.match(/Status:\s*(\d+)/); const sizeMatch = line.match(/Size:\s*(\d+)/); const timeMatch = line.match(/Time:\s*(\d+)/); if (statusMatch && sizeMatch) { const result: FuzzingResult = { parameter: param.name, payload, url: testUrl, method: param.method, response_code: parseInt(statusMatch[1]), response_size: parseInt(sizeMatch[1]), response_time: timeMatch ? parseInt(timeMatch[1]) : 0, vulnerability_detected: false, severity: 'info' }; // Analyze for vulnerabilities this.analyzeResponseForVulnerabilities(result, param); results.push(result); } } } } catch (error) { console.error(`FFuf error for ${param.name}:`, error); } } } return results; } catch (error) { console.error('FFuf execution error:', error); return []; } }