It started during Smart India Hackathon (SIH) 2024, when me and my team had to select a problem statement among hundreds of available options. We wanted to explore the domain of Cyber Security, so we went on a shortlisting spree and decided to go with Problem Statement No. 1750.
Quoting a part of the problem statement: "Hidden directories, virtual hosts, API endpoints, URL parameters, and subdomains can all harbour vulnerabilities that attackers might exploit. A versatile fuzzer that automates the discovery and testing of these components is essential for proactive security measures."
So we designed Web Fuzz Forge as 4 interconnected components: A Browser Extension for client-side attack simulation, a cross-platform IDE and a VS Code extension for real-time workspace monitoring, and a Web Dashboard for various kinds of fuzzing.
The Browser Extension simulates 8 common client side attacks including XSS, DOM-based XSS, Clickjacking, CSRF, IDOR, Open Redirect, Local Storage Manipulation and Excessive DOM Size. It generates a report summarizing the findings of each simulated attack.
The cross-platform IDE, built using Tauri, and the VS Code Extension, which uses the Chaukidar package, provide a simple solution for monitoring a workspace in real time and generating alerts if something potentially vulnerable is detected.
The Web Dashboard offers various fuzzing techniques including Directory Fuzzing, Parameter Fuzzing, Subdomain Fuzzing, and Virtual Host Discovery. It can automatically discover hidden directories, parameters, subdomains, and API endpoints that might be vulnerable to attacks.
Each component serves a different use case, but they all work together seamlessly, forming a complete ecosystem. We were not shortlisted for SIH finals, so the project never left the prototype stage.