Fuzzing Wasabi RPC

Prayank
Coinmonks


Requirements:

  1. Wasabi
  2. Burp Suite

Why fuzzing?

  • Find bugs
  • Fun

How to fuzz Wasabi RPC?

  1. Configure RPC as mentioned here: https://docs.wasabiwallet.io/using-wasabi/RPC.html#configure-rpc
  2. Launch Wasabi (1.0 or 2.0)
  3. In this post I will use the selectwallet RPC command; the same can be done for any command that takes parameters.
  4. Open Burp Suite. Go to Intruder -> Positions and paste the request below:
POST / HTTP/1.1
Host: 127.0.0.1:37128
Content-Type: text/plain
Content-Length: 80

{"jsonrpc":"2.0","id":"fuzzing","method":"selectwallet","params":["walletname"]}

5. Configure the payload to be inserted in the wallet name parameter.

6. Select a wordlist to be used for fuzzing. You can find a few on GitHub:

https://github.com/danielmiessler/SecLists/tree/master/Fuzzing

https://github.com/1N3/IntruderPayloads/tree/master/FuzzLists

7. Start the attack

8. Check the details of the requests and see if you find anything interesting. I could not find anything in this example; however, it depends on your wordlist and on whether any bug exists in the code.
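
The same loop as a script, as an added example that is not from the original post: it JSON-escapes each wordlist entry into the selectwallet wallet-name parameter and flags only the replies worth the manual check in step 8 (timeouts, HTTP 5xx, non-JSON bodies, malformed JSON-RPC 2.0 replies, internal error -32603). The function names are hypothetical, and it assumes the local RPC endpoint shown above with no RPC credentials configured.

```python
import http.client
import json

HOST, PORT = "127.0.0.1", 37128   # local RPC endpoint from the request above
REQ_ID = "fuzzing"

def build_body(payload: str) -> bytes:
    """Place one wordlist entry in the wallet-name slot, JSON-escaped."""
    req = {"jsonrpc": "2.0", "id": REQ_ID, "method": "selectwallet", "params": [payload]}
    return json.dumps(req, separators=(",", ":")).encode("utf-8")

def triage(status, body):
    """Return None for a well-formed JSON-RPC 2.0 reply, else a reason to inspect it."""
    if status is None:
        return "no response (timeout or connection dropped)"
    if status >= 500:
        return f"HTTP {status}"
    try:
        reply = json.loads(body)
    except ValueError:  # covers invalid JSON and undecodable bytes
        return "body is not JSON"
    if not isinstance(reply, dict) or reply.get("id") != REQ_ID:
        return "reply does not echo the request id"
    if ("result" in reply) == ("error" in reply):
        return "reply needs exactly one of result/error"
    if isinstance(reply.get("error"), dict) and reply["error"].get("code") == -32603:
        return "internal error (-32603)"  # code defined by the JSON-RPC 2.0 spec
    return None

def send(payload: str, timeout: float = 5.0):
    """POST one fuzz case to the local wallet; returns (status, body) or (None, b'')."""
    conn = http.client.HTTPConnection(HOST, PORT, timeout=timeout)
    try:
        # http.client computes Content-Length from the body
        conn.request("POST", "/", build_body(payload), {"Content-Type": "text/plain"})
        resp = conn.getresponse()
        return resp.status, resp.read()
    except (OSError, http.client.HTTPException):
        return None, b""
    finally:
        conn.close()

def run(wordlist_path: str):
    """Fuzz with every line of a wordlist; yield only the cases worth a manual look."""
    with open(wordlist_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            payload = line.rstrip("\n")
            reason = triage(*send(payload))
            if reason:
                yield payload, reason
```

Call run() with the path to one of the wordlists from step 6 while Wasabi is running; each yielded pair is a payload and the reason its reply was flagged.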

If you find anything interesting, please create an issue at https://github.com/zkSNACKs/WalletWasabi/issues/new/choose and, for a vulnerability, follow: https://github.com/zkSNACKs/WalletWasabi/security/policy
