QtFuzzer: Web Application Fuzzer

Project Overview

QtFuzzer is a Python-based web application fuzzer designed to assist in the testing and analysis of web application inputs. It provides a GUI built with the Qt6 framework, allowing users to toggle between two modes: Discover and Test. The tool is intended for ethical use and does not pose a risk of unintended denial-of-service (DOS) attacks in its current form.

Features

  • Discover Mode: Crawls web pages, identifying links and associated form inputs within the base URL scope.
  • Test Mode: Sends vectors (payloads) to identified form inputs and analyzes the responses for potential vulnerabilities.
  • Custom Authentication: Supports predefined authentication setups, such as for DVWA.
  • URL Omission: Allows users to omit specific URLs (e.g., logout pages) to prevent disruption during crawling.

Usage

The menubar functionality is under development, but users can toggle between Discover and Test modes using the main buttons.

  • Discover Mode: Performs web crawling to identify pages and inputs without sending requests.
  • Test Mode: Sends crafted payloads to inputs and analyzes responses for potential vulnerabilities.

File Inputs

Users can provide several file inputs to enhance the fuzzing process:

  • Words File: Used in guessing page names (e.g., `(Word).(Extension)`).
  • Vector File: Provides payloads for input testing.
  • Extensions File: Specifies file extensions for page guessing.
  • Starting URL: Defines the base URL for crawling.
  • URLs to Omit: Presets URLs to exclude from the crawling process (e.g., logout pages).

Future Work

  • Add a complete reporting feature for results output.
  • Enhance GUI usability and introduce menu bar functionality.
  • Enable testing of hidden API arguments using the Python Requests library.
  • Improve input handling for complex forms with multiple input dependencies (e.g., login forms).

Technologies Used

  • Python: For backend logic and input analysis.
  • Qt6 Framework: For the graphical user interface (GUI).
  • MechanicalSoup: For web crawling and page analysis.
  • Python Requests: (Planned) For crafting complex requests for API testing.