Heitor Gouvêa

Home Projects About


HTTP engine fuzzer security oriented


⚠️ Warning: Nozaki is currently in development, you’ve been warned :) and please consider contributing!

“Fuzzing is one of the most powerful and proven strategies for identifying security issues in real-world software” and for this reason, Nozaki tries to bridge the gap for a complete solution focused on web applications.

The idea is that this solution is complete enough to cover the entire fuzzing process in a web application (be it a monolith, a REST API, or even a GraphQL API) being fully parameterized, piped with other tools and with amazing filters.

Download & Install

    $ git clone https://github.com/GouveaHeitor/nozaki && cd nozaki
    $ cpan install Getopt::Long LWP::UserAgent HTTP::Request

How to use

$ perl nozaki.pl

Nozaki v0.0.7
Core Commands
	Command       Description
	-------       -----------
	--url         Define a target
	--wordlist    Define wordlist of paths
	--method      Define methods HTTP to use during fuzzing, separeted by ","
	--delay       Define a seconds of delay between requests
	--agent       Define a custom User Agent
	--return      Set a filter based on HTTP Code Response

# Example
$ perl nozaki.pl -m GET -u http://lab.nozaki.io:8002/\?read\= -w wordlists/payloads/ssrf.txt | grep "574"

[-] -> [200] | http://lab.nozaki.io:8002/?read=http://2852039166/           [GET] - OK | Length: 574
[-] -> [200] | http://lab.nozaki.io:8002/?read=http://0xA9FEA9FE/           [GET] - OK | Length: 574
[-] -> [200] | http://lab.nozaki.io:8002/?read=http://0251.0376.0251.0376/  [GET] - OK | Length: 574