{"id":13765250,"url":"https://github.com/Teebytes/TnT-Fuzzer","last_synced_at":"2025-05-10T20:31:47.843Z","repository":{"id":26072696,"uuid":"102940847","full_name":"Teebytes/TnT-Fuzzer","owner":"Teebytes","description":"OpenAPI 2.0 (Swagger) fuzzer written in python. Basically TnT for your API.","archived":true,"fork":false,"pushed_at":"2022-12-06T15:12:22.000Z","size":382,"stargazers_count":111,"open_issues_count":11,"forks_count":26,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-04-21T05:42:36.289Z","etag":null,"topics":["fuzzer","fuzzing","json-api","openapi","pentesting","python","security","swagger"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Teebytes.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-09-09T08:51:20.000Z","updated_at":"2025-01-22T16:35:56.000Z","dependencies_parsed_at":"2023-01-14T03:58:49.980Z","dependency_job_id":null,"html_url":"https://github.com/Teebytes/TnT-Fuzzer","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Teebytes%2FTnT-Fuzzer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Teebytes%2FTnT-Fuzzer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Teebytes%2FTnT-Fuzzer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Teebytes%2FTnT-Fuzzer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Teebytes","download_url":"https://codeload.github.com/Teebytes/TnT-Fuzzer/
tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253480578,"owners_count":21915249,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fuzzer","fuzzing","json-api","openapi","pentesting","python","security","swagger"],"created_at":"2024-08-03T16:00:35.997Z","updated_at":"2025-05-10T20:31:42.793Z","avatar_url":"https://github.com/Teebytes.png","language":"Python","readme":"\n![](docs/images/logo.jpg)\n\n[![Build Status](https://travis-ci.com/Teebytes/TnT-Fuzzer.svg?branch=master)](https://travis-ci.com/Teebytes/TnT-Fuzzer) [![Downloads](https://pepy.tech/badge/tntfuzzer/month)](https://pepy.tech/project/tntfuzzer) [![codebeat badge](https://codebeat.co/badges/baec008b-eaf2-451f-b2ff-758c0c8551f0)](https://codebeat.co/projects/github-com-teebytes-tnt-fuzzer-master) [![security: bandit](https://img.shields.io/badge/security-bandit-yellow.svg)](https://github.com/PyCQA/bandit)\n============\nTnT-Fuzzer is an OpenAPI (swagger) fuzzer written in python. It is like dynamite for your API!\n\nTnT-Fuzzer is designed to make fuzzing, robustness testing and validation of REST APIs easy and maintainable. After the fuzzer runs, the log files state the exact history of requests to reenact a crash or misuse. TnT-Fuzzer can be used\nfor penetration testing or continued testing of a service in development.\n\n## Installation\nTnT-Fuzzer shifted support away from python 2 to  **python 3.7**. 
If you\nneed a python 2 compatible source, look up TnT-Fuzzer Version 1.0.0 and below.\n\n### With docker\nManual installation (see below) can be a little tricky, due to some dependencies not being available for **python 3**. If you just want to \nrun the fuzzer via the command line, the installation via docker is a fast and reliable choice. You won't even need a python installation on your system. Just run the docker build with a local tag of your choice:\n\n```\ndocker build . -t YOUR_TAG\n```\n\nThen after the build of the image is complete, running tntfuzzer in a container is as easy as the following:\n\n```\ndocker run YOUR_TAG python tntfuzzer/tntfuzzer.py --url https://petstore.swagger.io/v2/swagger.json --iterations 100 --log_all\n```\n\nThis command is equal to the command used in the examples section. For more information on use, see below.\n\n### From source\nCheck out the git repository. Navigate into the freshly cloned repository and install\nall dependencies needed. All dependencies are listed in requirements.txt\nand can be installed via pip:\n\n```\npip install -r requirements.txt\n```\n\nHowever, at the moment of writing this guide the PyJFuzz dependency available\nvia [pypi](https://pypi.org/) is outdated and compatible with python 2 only. So,\nwhen problems installing the PyJFuzz dependency occur, install the newest version\nof it manually and then install the other dependencies:\n\n```\ngit clone https://github.com/mseclab/PyJFuzz.git \u0026\u0026 cd PyJFuzz \u0026\u0026 python setup.py install\ncd ..\npip install -r requirements.txt\n```\n\nThen all dependencies should be met, and **tntfuzzer** can be run with:\n\n```\npython tntfuzzer/tntfuzzer.py\n```\n\n### For Development\nThere are dependencies only needed for developing the fuzzer. 
These are listed\nin the requirements-dev.txt and can be installed via pip:\n\n```\npip install -r requirements-dev.txt\n```\n\n#### Testing\n\nFor testing or development, have a look at the [swagger petstore example](http://petstore.swagger.io/). A local stub\nserver can easily be generated and run locally.\n\nRun software tests using the following command:\n\n```\n$ cd tntfuzzer\n$ nosetests  tests/core/*.py tests/utils/*.py tests/*.py\n........................\n----------------------------------------------------------------------\nRan 41 tests in 0.028s\n\nOK\n```\n\n## Documentation\n\n### Examples\n\nTo get a better idea of what can be done with tntfuzzer, print the usage info:\n\n```\ntntfuzzer -h\n```\n\n![](docs/images/usage.png)\n\nThe most important parameter is **--url**, with the URL to your OpenAPI specification json file.\n\nThe parameter **--iterations** specifies how often an API call will be fuzzed. If\nthe **--iterations** parameter is not specified, every API call is fuzzed only once.\n\nBy default, only responses that are not documented in your service's OpenAPI specification are logged. This way only\nundocumented errors are logged. If you want all fuzz responses to be logged, you have to specify that by\nsetting the **--log_all** parameter.\n\nIf you want to connect to servers using self-signed certificates, use the **--ignore-cert-errors** parameter.\n\nSometimes an OpenAPI file will contain an invalid host name, or point to the wrong server. If you use the **--host**\noption you can override this without making a local copy of the file. The same applies to **--basepath**, which lets you\nspecify a different basepath for the API. \n\nSo the following example run will fuzz every API call specified in the swagger.json with 100 permutations each. 
All\nresponses received from the server are logged:\n\n```\ntntfuzzer --url http://example.com:8080/v2/swagger.json --iterations 100 --log_all\n```\n\n### Log\n\nWhen run, TnT-Fuzzer logs all responses in a table on the command line:\n\n| operation | url | response code | response message | response body | curl command |\n|---|---|---|---|---|---|\n| get       | http://localhost:8080/v2/apicall | 200 | Successful Operation | {'success': true} | ```curl -XGET -H \"Content-type: application/json\" -d '{'foo': bar}' 'http://localhost:8080/v2/apicall'``` |\n","funding_links":[],"categories":["Tools"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FTeebytes%2FTnT-Fuzzer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FTeebytes%2FTnT-Fuzzer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FTeebytes%2FTnT-Fuzzer/lists"}