A major focus of this release is to improve pathoc's capabilities as a basic fuzzing tool. I've had fun breaking webservers with pathoc, and it's even come in handy in my Day Job. Here's a quick summary of how things have changed.
- The -e flag tells pathoc to explain its requests. This prints an expanded pathoc query specification with all randomly generated content and query modifications resolved, so if a request triggers an exception you can replay the offending query exactly from its explanation.
- The options for outputting requests and responses have been expanded hugely. First, the -q and -r flags tell pathoc to dump complete records of requests and responses respectively. This data is captured by instrumenting the socket, so the record is canonical regardless of whether pathoc is able to interpret the returned data. The -x option makes pathoc dump this data in hexdump format (otherwise unprintable characters are escaped to protect your terminal).
- A number of options have been added to let you ignore expected responses. -C takes a comma-separated list of response codes to ignore, and -T ignores server timeouts. This lets you home in on the exceptional responses you care about and ignore the rest.
- I've simplified response specifications by making the response message a standard component with the "r" mnemonic.
- I've added the "u" mnemonic to request specifications, as a shortcut for specifying the User-Agent header:
get:/:u"My Weird User-Agent"
We also have a small library of representative User-Agent strings that can be used instead of specifying your own; the GoogleBot string, for example, is available under the shortcut g. The list of available shortcuts is in the docs, and can be printed from the command line using the --show-uas flag to pathoc:
> ./pathoc --show-uas
User agent strings:
    a    android
    l    blackberry
    b    bingbot
    c    chrome
    f    firefox
    g    googlebot
    i    ie9
    p    ipad
    h    iphone
    s    safari
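The -q, -r, -x, -C and -T options above describe a triage loop: keep the exact bytes that crossed the wire, then throw away the responses you expected so only the anomalies remain. The following is an added example written for this page in Python (pathod's own language), not pathoc's own code. The local target server, its paths (/ok, /missing, /boom, /hang, /crash), the 0.5 second timeout and every function name are constructed for illustration, and the code-and-timeout filtering is a simplified stand-in for what pathoc does with -C and -T.

```python
# Added example, not pathoc's own code: a minimal fuzzing triage loop that
# mirrors the -q/-r/-x/-C/-T workflow.  The target server, its paths and all
# function names are constructed for illustration.
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class _FuzzTarget(BaseHTTPRequestHandler):
    """Constructed target: a normal path, a missing one, a server error,
    a handler that never answers, and one that drops the connection mid-reply."""

    def do_GET(self):
        if self.path == "/ok":
            body = b"hello"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif self.path == "/boom":
            self.send_error(500)
        elif self.path == "/hang":
            self.server.hang_event.wait()  # never answers: client times out
        elif self.path == "/crash":
            # Half a status line, then the connection closes: exactly the
            # kind of anomaly a fuzzer exists to surface.
            self.wfile.write(b"HTTP/1.0 500 Inte")
            self.close_connection = True
        else:
            self.send_error(404)

    def log_message(self, *args):
        pass  # keep the constructed server quiet


def start_target():
    """Start the constructed target on an ephemeral localhost port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _FuzzTarget)
    srv.hang_event = threading.Event()
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def stop_target(srv):
    srv.hang_event.set()  # release any handler parked in /hang
    srv.shutdown()
    srv.server_close()


def probe(host, port, path, timeout=0.5):
    """Send one raw GET; return (request_bytes, response_bytes, outcome).
    Both byte strings come straight off the socket, so the record is exact
    even when the response is not parseable HTTP (the -q/-r idea)."""
    req = b"GET " + path.encode() + b" HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    resp = bytearray()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                resp += chunk
        except socket.timeout:
            return req, bytes(resp), "timeout"
    return req, bytes(resp), "ok"


def status_code(resp):
    """Status code from the first line, or None if there is no valid status line."""
    parts = resp.partition(b"\r\n")[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def triage(host, port, paths, ignore_codes=(200, 404), ignore_timeouts=True):
    """Probe every path and keep only what -C/-T style filtering would leave:
    a list of (path, reason, request_bytes, response_bytes)."""
    findings = []
    for path in paths:
        req, resp, outcome = probe(host, port, path)
        code = status_code(resp)
        if outcome == "timeout":
            if not ignore_timeouts:
                findings.append((path, "timeout", req, resp))
        elif b"\r\n\r\n" not in resp:
            findings.append((path, "truncated response", req, resp))
        elif code is None:
            findings.append((path, "unparseable status line", req, resp))
        elif code not in ignore_codes:
            findings.append((path, f"status {code}", req, resp))
    return findings


def hexdump(data, width=16):
    """Render bytes the way -x does: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  {asc}")
    return "\n".join(lines)


if __name__ == "__main__":
    srv, port = start_target()
    try:
        paths = ["/ok", "/missing", "/boom", "/hang", "/crash"]
        for path, why, req, resp in triage("127.0.0.1", port, paths, ignore_timeouts=False):
            print(f"{path}: {why}")
            print(hexdump(req))
            print(hexdump(resp) or "(no bytes received)")
    finally:
        stop_target(srv)
```

Run directly, it prints each surviving finding with the request and response hexdumped. The property worth noticing is that probe() never hands the bytes to an HTTP parser before recording them, so a half-written status line from /crash is reported exactly as received rather than being lost in a parse error, and widening ignore_codes or flipping ignore_timeouts changes only what is shown, never what was captured.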