RequesterRaw
Info
Most web application testing is performed using an intermediate proxy, but I have used most of them and I find that either they don't work due to issues with the browser you interact with, or you get lost in the number of responses received by the proxy, so I wrote RequesterRaw. RequesterRaw allows the easy parsing, modification and sending of HTTP requests.
RequesterRaw is a variation of Requester. It allows for a lot more flexibility when fuzzing than Requester. The core differences are the ability to easily cope with XML/SOAP/non-standard HTTP requests, a new, improved HTTP request parsing engine and a wizard interface for fuzzing.
Another major difference is that you can now fuzz URL parameters for POST requests, which was not possible with Requester. The fuzz wizard also allows you to select an output directory for the fuzz results.
I have rewritten the fuzzing (for the third time?!). This release has new functionality, some bug fixes and should be more polished than Requester. The brute-force fuzzing uses a Producer/Consumer model, which should improve performance with large data sets.
There are numerous bug fixes and a general tidy-up of the UI. Whilst this is a first release (i.e. it could have lots of bugs!), I recommend trying RequesterRaw over Requester due to all of the enhancements. This is not a replacement for Requester, since I will be updating Requester in due course.
To use RequesterRaw, you define a fuzz marker within the data, e.g. <#FUZZ|somedefaultvalue#>, where "somedefaultvalue" is the default value that is used to analyse the results. There are buttons on the UI to insert the fuzz marker, so you just highlight the default value (if it is already within the request), then click the "Fuzz Marker" button. It is only possible to define one fuzz marker at a time; the validation should prevent more than one fuzz marker.
Thanks go to foob, who has been a massive help in testing RequesterRaw and refining the config files that hold the fuzz strings (in Fuzz.xml) and the error strings (in Error.xml), as well as coming up with new ideas.
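The marker handling described above can be sketched as follows. This is an added example, not RequesterRaw's own code: it enforces the one-marker rule, builds the default-value baseline request followed by one request per fuzz string, and recomputes Content-Length after each substitution. The function names, the sample request, the fuzz strings and the Content-Length handling are assumptions made for illustration.

```python
import re

# Marker syntax as given on the page: <#FUZZ|defaultvalue#>
MARKER = re.compile(r"<#FUZZ\|(.*?)#>", re.DOTALL)


def find_marker(raw):
    """Return the single marker match; reject zero or several markers."""
    matches = list(MARKER.finditer(raw))
    if len(matches) != 1:
        raise ValueError("expected exactly one fuzz marker, found %d" % len(matches))
    return matches[0]


def fix_content_length(raw):
    """Recompute Content-Length after substitution (added assumption:
    the page does not say how the tool frames a resized body)."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        return raw
    size = str(len(body.encode("utf-8")))
    head = re.sub(r"(?im)^(Content-Length:[ \t]*)\d+", lambda m: m.group(1) + size, head)
    return head + sep + body


def render(raw, value):
    """Replace the marker with value and re-frame the request."""
    m = find_marker(raw)
    return fix_content_length(raw[:m.start()] + value + raw[m.end():])


def expand(raw, fuzz_strings):
    """Yield (value, request): default-value baseline first, then each fuzz string."""
    default = find_marker(raw).group(1)
    yield default, render(raw, default)
    for value in fuzz_strings:
        yield value, render(raw, value)


# Constructed sample request; host and parameter names are made up.
TEMPLATE = (
    "POST /search?lang=en HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "q=books&page=<#FUZZ|1#>"
)
FUZZ_STRINGS = ["0", "-1", "A" * 16]  # constructed, not from Fuzz.xml
```

Calling `list(expand(TEMPLATE, FUZZ_STRINGS))` gives the baseline request first, so each fuzzed response can be compared against the response for the default value.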
Features
- Configurable port
- HTTPS support
- Stores received (& parsed) cookies
- Allows for resubmission of cookies with requests
- Can fuzz URL parameters and POST data
- User configurable fuzz strings
- Can correctly parse and resend multipart boundary requests
- Supports NTLM authentication
- Supports Basic authentication
- Supports Negotiate authentication
- X509 certificates (in DER format)
- Auto-Redirects according to header response (to a max number of redirects!)
- Automatic User-Agent configuration
- Allows for completely manual requests, so it *should* be able to cope with any request
- Bruteforce fuzzing for increment/decrement
- File input fuzzing for password bruteforcing
- Proxy support
- Multi-threaded fuzzing
- Producer/Consumer fuzz model so that fuzzing has no limits now
- Updated Fuzz.xml and Error.xml config files
Requirements
- Windows 2000, Windows XP, Windows 2003 Server (Might work on others?)
- Microsoft .NET Framework v2