- Burp Suite
- Find bugs
How to fuzz Wasabi RPC?
- Configure RPC as mentioned here: https://docs.wasabiwallet.io/using-wasabi/RPC.html#configure-rpc
- Launch Wasabi (1.0 or 2.0)
- In this post I will use selectwallet RPC command, it can be done for anything that has parameters.
- Open Burp suite. Go to Intruder -> Positions and paste the below thing:
POST / HTTP/1.1
5. Configure payload to be inserted in the wallet name parameter.
6. Select a wordlist to be used for fuzzing. You can find few on GitHub:
7. Start the attack
8. Check details for requests and see if you find anything interesting. I could not find anything in this example however it depends on your wordlist and if there exists any bug in code.
If you find anything interesting please create an issue in https://github.com/zkSNACKs/WalletWasabi/issues/new/choose and for vulnerability: https://github.com/zkSNACKs/WalletWasabi/security/policy