Skip to content

vaf 2.1.0 #26

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
andreiverse wants to merge 2 commits into
base: main
Choose a base branch
from
Open

vaf 2.1.0 #26

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4c3cdb1
handle ssl verification errors properly
andreiverse Apr 21, 2022
dbc1f81
Delete nimlint.yml
andreiverse Apr 22, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 0 additions & 20 deletions .github/workflows/nimlint.yml
View file
Open in desktop

This file was deleted.

18 changes: 4 additions & 14 deletions src/utils/VafHttpClient.nim
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,19 +10,10 @@ import VafLogger
proc makeRequest*(url: string, requestType: string, postData: string, headers: HttpHeaders, client: HttpClient): FuzzResponse =
var response: Response = nil
let time1 = now()
try:
if requestType == "GET":
response = client.request(url, httpMethod = HttpGet, headers = headers)
if requestType == "POST":
response = client.request(url, httpMethod = HttpPost, headers = headers, body = postData)
except SslError:
echo ""
let msg = getCurrentExceptionMsg()
if "certificate verify failed" in msg:
log("error", "SSL Verification failed, you might need to specify a CA root certificate file using '-ca' or ignore SSL verification with '-i'")
else:
log("error", fmt"SSL Error: {msg}")
quit(1)
if requestType == "GET":
response = client.request(url, httpMethod = HttpGet, headers = headers)
if requestType == "POST":
response = client.request(url, httpMethod = HttpPost, headers = headers, body = postData)
let time2 = now()
return FuzzResponse(
content: response.body,
Expand All @@ -32,4 +23,3 @@ proc makeRequest*(url: string, requestType: string, postData: string, headers: H
responseTime: (time2 - time1).inMilliseconds,
headers: response.headers
)

27 changes: 20 additions & 7 deletions src/vaf.nim
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,12 @@ import utils/VafUtils

printBanner()

type
VafError = enum
VafSSLVerificationError, VafNoError

var forceExit = false
var lastError: VafError = VafNoError

proc handler() {.noconv.} =
# this will cause every thread to close its file stream, vaf will close on it's own afterwards
Expand All @@ -34,7 +39,7 @@ let p = newParser("vaf"):
option("-pf", "--prefix", default=some(""), help="The prefixes to append to the word")
option("-sf", "--suffix", default=some(""), help="The suffixes to append to the word")
option("-t", "--threads", default=some("5"), help="Number of threads")
option("-sc", "--status", default=some("200"), help="The status to filter; to 'any' to print on any status")
option("-sc", "--status", default=some("200, 204, 302, 301, 307, 401"), help="The status to filter; to 'any' to print on any status")
option("-g", "--grep", default=some(""), help="Only log if the response body contains the string")
option("-ng", "--notgrep", default=some(""), help="Only log if the response body does no contain a string")
option("-pd", "--postdata", default=some("{}"), help="Specify POST data; used only if '-m post' is set")
Expand Down Expand Up @@ -208,7 +213,16 @@ try:
while strm.readLine(line) and not forceExit:
if threadData.fuzzData.debug:
log("debug", "ThreadID: " & $data.threadId & " | " & " fuzzing w/ " & line)
fuzz(line, client, threadData.fuzzData, data.threadId)
try:
fuzz(line, client, threadData.fuzzData, data.threadId)
except SslError:
let msg = getCurrentExceptionMsg()
if "certificate verify failed" in msg:
lastError = VafSSLVerificationError
else:
log("error", fmt"Uncaught SSL Error: {msg}")
forceExit = true

strm.close()

var i = 0
Expand Down Expand Up @@ -270,9 +284,11 @@ try:
cursorUp 1
eraseLine()


if forceExit:
log("warn", "Force exit, shutting down all threads...")
if not ( lastError == VafNoError ):
if lastError == VafSSLVerificationError:
log("error", "SSL Verification failed, you might need to specify a CA root certificate file using '-ca' or ignore SSL verification with '-i'")

# Wait for all threads to finish
joinThreads(threads)
Expand All @@ -288,14 +304,11 @@ except ShortCircuit as e:
echo """Examples:
Fuzz URL path, show only responses which returned 200 OK
vaf -u https://example.org/ -w path/to/wordlist.txt -sc OK

Fuzz 'User-Agent' header, show only responses which returned 200 OK
vaf -u https://example.org/ -w path/to/wordlist.txt -sc OK -H "User-Agent: "

Fuzz POST data, show only responses which returned 200 OK
vaf -u https://example.org/ -w path/to/wordlist.txt -sc OK -m POST -H "Content-Type: application/json" -pd '{"username": ""}'

Report bugs:
https://github.com/d4rckh/vaf/issues/new/choose
"""
quit(0)
quit(0)