In my constant quest to turn evil activities into useful tools I have
started the RFuzz HTTP Destroyer project (or just RFuzz until I can find
a better name).

RFuzz will eventually become a small framework that lets people write
Ruby scripts that destroy web servers. No, not so you can be a script
kiddie. So you can harden your web applications and servers against
It’s based on little bits of Ruby floating around my Mongrel
(http://mongrel.rubyforge.org) source that I use to make Mongrel cry.
Mongrel is a tough little web server because of these scripts, so I’m
now turning them into something everyone can use.

== The HttpClient

The 0.2 release features a nearly complete and functioning HTTP
client that’s only about 183 lines of Ruby code, and re-uses parts of
the Mongrel HTTP parser. This means that it’s a client that can also
validate the correctness of HTTP servers. It also means that it’s tiny,
fast, and requires you to build a C extension. If you can install
Mongrel then you can install rfuzz.

Features of the HttpClient are:
- Simple usage that lets you configure the client object once and
- No blocks, nested exceptions, inconsistent functions, weird
parameters, or unrequested timeouts. It’s bare metal and simple.
- No threads, no timeouts, no exception handling. This is for those
who want to feel everything like an aluminum bat fighting a chain saw.
- Functions to encode and decode much of HTTP outside of the library.
- A notification plugin Notifier class so you can track the process
- All parameters are set with “data”, meaning you could load it out of
a YAML file and replay a client request or serialize the request for
- Dynamically supports any HTTP method, and even those retarded ones
that I can’t anticipate because RESTafarians decided this was a
GoodThing™ and broke the protocol by inventing “verbs”.
- Decodes all of the HTTP protocol responses cleanly and reports
parsing errors immediately.
- Tracks cookies between requests to emulate a client (has a reset).
- Cookies suck, but work well enough to thrash a Rails app.
- Body payload is supported, but no encoding done (you do this).
- Response object is just a Hash for headers with a set of additional
attributes: http_status, http_body, http_reason, http_version. This is
wired hot inside the http11_client extension so it’s fast as hell.
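
As an added illustration of the design these bullets describe (not RFuzz’s own code; it assumes nothing about RFuzz’s real API), here is a minimal Ruby model: a response that is a Hash of headers carrying the four extra attributes, parse errors raised immediately, cookie tracking with a reset, and any verb accepted via method_missing. The socket send is left out so it runs offline against a constructed response.

```ruby
# Added example (not RFuzz's own code): a tiny model of the client design
# described above. Assumes nothing about RFuzz's real API.
# Response: a plain Hash of headers plus the four extra attributes.
class HttpResponse < Hash
  attr_accessor :http_status, :http_reason, :http_version, :http_body
  # Parse a raw HTTP/1.x response, raising immediately on anything malformed.
  def self.parse(raw)
    head, body = raw.split("\r\n\r\n", 2)
    status, *header_lines = head.to_s.split("\r\n")
    m = status.to_s.match(%r{\AHTTP/(\d\.\d) (\d{3}) ?(.*)\z}) or
      raise ArgumentError, "bad status line: #{status.inspect}"
    resp = new
    resp.http_version, resp.http_status, resp.http_reason = m[1], m[2].to_i, m[3]
    header_lines.each do |line|
      name, value = line.split(":", 2)
      raise ArgumentError, "bad header: #{line.inspect}" unless value
      key = name.strip.upcase  # repeated headers (e.g. Set-Cookie) become arrays
      resp[key] = resp.key?(key) ? [*resp[key], value.strip] : value.strip
    end
    resp.http_body = body.to_s
    resp
  end
end

# Client: configured once, tracks cookies, accepts any verb via method_missing.
class HttpClient
  attr_reader :cookies
  def initialize(host, headers = {})
    @host, @headers, @cookies = host, headers, {}
  end
  def reset; @cookies.clear; end
  # Build the raw request text for any method name, even ones nobody anticipated.
  def build_request(method, path, body = "")
    hdrs = { "Host" => @host, "Content-Length" => body.bytesize.to_s }.merge(@headers)
    hdrs["Cookie"] = @cookies.map { |k, v| "#{k}=#{v}" }.join("; ") unless @cookies.empty?
    lines = ["#{method.to_s.upcase} #{path} HTTP/1.1"] + hdrs.map { |k, v| "#{k}: #{v}" }
    lines.join("\r\n") + "\r\n\r\n" + body
  end
  # Remember Set-Cookie values so the next request replays them like a browser would.
  def track_cookies(resp)
    Array(resp["SET-COOKIE"]).each do |c|
      name, value = c.split(";").first.split("=", 2)
      @cookies[name.strip] = value.to_s.strip
    end
  end
  # Dynamic verbs: client.get("/"), client.propfind("/x", body), client.whatever("/")
  def method_missing(name, *args)
    build_request(name, *args)
  end
end
```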

== Information Available

- http://www.zedshaw.com/projects/rfuzz/ – Simple project page.
- http://www.zedshaw.com/projects/rfuzz/coverage/ – Source and rcov.
- http://pastie.caboo.se/3667 – The sample script.
- http://pastie.caboo.se/3668 – Sample script output.

== !!! WARNING !!!

This is still kind of “works for me” code. In order for the tests to
run you’ll have to fire up a rails app on localhost:3000. Doesn’t
matter what’s in it, just any one. I’ll be adding more to the test
suite so this isn’t needed.

PS. Yes I’m working on updating my blog so STFU already.