fuzz_raw
Synchronously fuzz a raw byte payload with RawMessage-typed positions. The schema mirrors resend_raw plus a positions[] list. This is the central HTTP request smuggling and byte-level fuzzing surface -- payload bytes are NEVER normalized on the proxy side.
Unlike resend_raw, fuzz_raw makes flow_id optional and owns the from-scratch byte-injection path. When flow_id is empty, supply either override_bytes or include a payload position so each variant carries its own bytes.
This tool is synchronous: every variant runs in-process. There is no concurrency or rate limit.
Limits
- Maximum variants per call: 1000 (cartesian product across all positions)
Each variant is executed sequentially with a fresh dial. Per-variant SafetyFilter input gating runs before the upstream send.
Parameters
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| `flow_id` | string | No | | Recorded raw stream id. When empty, override_bytes or a payload position must supply the variant bytes |
| `target_addr` | string | Yes | | Upstream host:port. Explicit port required |
| `use_tls` | boolean | No | `false` | `true` to upgrade the dialled connection to TLS |
| `sni` | string | No | target host | SNI server name. Defaults to target_addr host portion when use_tls=true |
| `override_bytes` | string | No | | Replacement payload interpreted per override_bytes_encoding. Mutually exclusive with patches |
| `override_bytes_encoding` | string | No | `"text"` | `"text"` or `"base64"` |
| `override_bytes_set` | boolean | No | `false` | Set true to replace with empty bytes; otherwise an empty override_bytes string is treated as no override |
| `patches` | array | No | | Offset-based byte patches applied to the base bytes (see resend_raw for the patch shape). Used as a base for patches[N].data positions |
| `insecure_skip_verify` | boolean | No | `false` | Skip TLS server certificate verification when use_tls=true |
| `tls_fingerprint` | string | No | | Informational v1; per-call selection is deferred |
| `timeout_ms` | integer | No | `30000` | Per-variant timeout in milliseconds |
| `tag` | string | No | | Tag stored on every variant Stream's Tags map |
| `positions` | array | Yes | | Ordered position list (see below). At least one entry |
| `stop_on_error` | boolean | No | `false` | Abort remaining variants once any variant fails (network error, timeout, or pipeline drop) |
positions
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| `path` | string | Yes | | Typed path: payload or patches[N].data |
| `payloads` | string[] | Yes | | List of values to substitute at this path. At least one element |
| `encoding` | string | No | `"text"` | `"text"` or `"base64"`. Use `"base64"` for binary smuggling templates |
The payload path replaces the entire RawMessage.Bytes for the variant; it wins over the recovered/override_bytes base bytes when both are present. patches[N].data mutates input.patches[N].data for the variant, then base + patches assembly proceeds as in resend_raw.
Response
| Field | Type | Description |
|---|---|---|
| `total_variants` | integer | Total variant count |
| `completed_variants` | integer | Variants actually executed before completion or stop |
| `stopped_reason` | string | Empty when all variants ran; otherwise the stop reason |
| `variants` | array | Per-variant result rows (see below) |
| `duration_ms` | integer | Total run duration in milliseconds |
| `tag` | string | Echo of the supplied tag (when set) |

Each variant row:
| Field | Type | Description |
|---|---|---|
| `index` | integer | Variant index (zero-based) |
| `stream_id` | string | New stream record id |
| `response_size` | integer | Total response payload size in bytes |
| `response_chunks` | integer | Receive-direction envelope count |
| `truncated` | boolean | `true` when the receive loop hit the per-call response cap |
| `payloads` | object | Map of position path -> decoded payload string |
| `error` | string | Error message when the variant failed |
| `duration_ms` | integer | Per-variant duration |
Raw flows have no L7 status code, so the row exposes shape diagnostics only. Full response bytes are reachable via the query tool keyed by stream_id.
Pipeline placement
Each variant traverses the same self-contained PluginStepPost -> RecordStep pipeline as resend_raw (PluginStepPre is bypassed per RFC-001 §9.3).
Examples
Fuzz a smuggling template (from-scratch)
```json
// fuzz_raw
{
  "target_addr": "target.example.com:80",
  "positions": [
    {
      "path": "payload",
      "encoding": "base64",
      "payloads": [
        "R0VUIC8gSFRUUC8xLjENCkhvc3Q6IHRhcmdldA0KDQo=",
        "UE9TVCAvIEhUVFAvMS4xDQpIb3N0OiB0YXJnZXQNCg0K"
      ]
    }
  ]
}
```
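A pre-flight check for the request rules documented on this page (explicit port in target_addr, override_bytes versus patches, the empty-flow_id requirement, and the 1000-variant cartesian cap), added here as an example and not part of the tool's own code. The names `preflight`, `variant_count` and `encode_payload` are hypothetical, and counting override_bytes_set=true as an override in the mutual-exclusion check is an assumption.

```python
import base64
import re
from math import prod

MAX_VARIANTS = 1000  # documented per-call cap (cartesian product across all positions)
PATH_RE = re.compile(r"payload|patches\[\d+\]\.data")  # the two documented path forms

def encode_payload(raw: bytes) -> str:  # base64 keeps CR/LF and binary bytes intact in JSON
    return base64.b64encode(raw).decode("ascii")

def variant_count(req: dict) -> int:  # product of payload list lengths; 0 if anything is empty
    lens = [len(p.get("payloads") or []) for p in req.get("positions") or []]
    return prod(lens) if lens else 0

def preflight(req: dict) -> list:
    """Return violations of the documented rules; an empty list means none were found."""
    problems = []
    host, sep, port = req.get("target_addr", "").rpartition(":")
    if not (sep and host and port.isdigit()):
        problems.append("target_addr needs an explicit port (host:port)")
    # Assumption: override_bytes_set=true counts as an override for mutual exclusion.
    has_override = bool(req.get("override_bytes") or req.get("override_bytes_set"))
    if has_override and req.get("patches"):
        problems.append("override_bytes is mutually exclusive with patches")
    positions = req.get("positions") or []
    has_payload_position = any(p.get("path") == "payload" for p in positions)
    for i, pos in enumerate(positions):
        if not PATH_RE.fullmatch(pos.get("path", "")):
            problems.append(f"positions[{i}].path must be payload or patches[N].data")
        if pos.get("encoding", "text") == "base64":
            try:
                for value in pos.get("payloads") or []:
                    base64.b64decode(value, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                problems.append(f"positions[{i}] holds a payload that is not valid base64")
    if not req.get("flow_id") and not (has_override or has_payload_position):
        problems.append("empty flow_id requires override_bytes or a payload position")
    total = variant_count(req)
    if total == 0:
        problems.append("positions and every payloads list need at least one entry")
    elif total > MAX_VARIANTS:
        problems.append(f"{total} variants exceeds the {MAX_VARIANTS}-variant limit")
    return problems

# Constructed sample: the page's from-scratch request, rebuilt from raw bytes.
SAMPLE = {"target_addr": "target.example.com:80", "positions": [{
    "path": "payload", "encoding": "base64", "payloads": [
        encode_payload(b"GET / HTTP/1.1\r\nHost: target\r\n\r\n"),
        encode_payload(b"POST / HTTP/1.1\r\nHost: target\r\n\r\n")]}]}
```

Because the call is synchronous and has no rate limit, running a check like this before sending keeps an oversized cartesian product from being rejected or from tying up the session.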