# QuicDraw
```
-----------
QuicDraw: HTTP/3 Fuzzing and Racing (Client)
-----------
GitHub: https://github.com/cyberark/quicdraw
License: Apache-2.0 License
Author: Maor Abutbul <CyberArk Labs>
-----------
```
QuicDraw is a security research tool for fuzzing and racing HTTP/3 servers.
It implements the `last-bytes-sync` technique on HTTP/3 (over QUIC) for race-condition testing.
The tool was originally published as part of CyberArk Labs research: "TODO - BLOG link"
## Main Features
- Implements the `last-bytes-sync` technique on HTTP/3 (over QUIC) for race-condition testing.
- Supports fuzzing multiple requests with the `FUZZ` keyword and wordlist (`-w` argument) mechanisms.
- Custom HTTP headers functionality (`-H` argument).
  - Note: Custom headers are converted to lowercase since we have seen some issues with some server implementations.
- Supports SSLKEYLOGFILE (`-l` argument) for TLS decryption/inspection via packet analyzers such as Wireshark.
- Based on aioquic (http3_client).
  - [aioquic](https://github.com/aiortc/aioquic) is a library for the QUIC network protocol in Python.
  - It features a minimal TLS 1.3 implementation, a QUIC stack, and an HTTP/3 stack.
# Quick Start
Prerequisite:
- python 3.x
- pip3
## Install using pip
The easiest way to install quicdraw is to run:
```
pip install quicdraw
```
### Running
```
quicdraw -h
```
# Contributing
We welcome contributions of all kinds to this repository.
For instructions on how to get started and descriptions of our development workflows, please see our [contributing guide](CONTRIBUTING.md).
# Limitations
- The `last-bytes-sync` is mostly effective in POST requests (using the `-d` argument).
  - GET requests will benefit from the mechanism, but according to our tests only a few requests "fit" in a single QUIC packet.
- The fuzzing mechanism (`FUZZ` and `--wordlist/-w`) only works in POST message data **or** in the GET request URL (:path) argument.
- Currently, the fuzzing mechanism only works **once**: if the data argument is supplied (`-d`), we assume fuzzing on the POST data, and a `FUZZ` keyword in the URL (:path) is sent as-is (including the `FUZZ` keyword).
- We do not support multiple different domains in the current version (for different paths, you can use the `FUZZ` keyword in the URL's path part).
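
The rules above decide which part of each request receives a wordlist entry, and the Main Features note says custom header names are lowercased. The following Python sketch is an added example, not QuicDraw's own code: it models those rules so the resulting paths and bodies can be checked before a run. The function names, the `example.test` host, and the replacement of every `FUZZ` occurrence are assumptions.

```python
# Added illustration: models the substitution rules this README documents.
# It is not QuicDraw's code; every function name here is hypothetical.
from urllib.parse import urlsplit

KEYWORD = "FUZZ"


def request_path(url):
    """Build the HTTP/3 :path value (path plus query) from a URL."""
    parts = urlsplit(url)
    return (parts.path or "/") + ("?" + parts.query if parts.query else "")


def normalize_headers(raw_headers):
    """Lowercase header names, as the README says is done for -H values.

    RFC 9114 section 4.2 requires lowercase field names in HTTP/3.
    """
    pairs = []
    for line in raw_headers:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"not a 'name: value' header: {line!r}")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def expand_requests(url, wordlist, data=None, raw_headers=()):
    """Return one (method, path, body, headers) tuple per wordlist entry."""
    path, headers = request_path(url), normalize_headers(raw_headers)
    out = []
    for word in (w.strip() for w in wordlist if w.strip()):
        if data is not None:
            # -d given: only the body is fuzzed; FUZZ in the path stays literal.
            out.append(("POST", path, data.replace(KEYWORD, word), headers))
        else:
            # Assumption: every FUZZ occurrence in the path is replaced.
            out.append(("GET", path.replace(KEYWORD, word), None, headers))
    return out


def input_warnings(url, data=None):
    """Flag inputs that hit a limitation listed in the README."""
    found = []
    if data is not None and KEYWORD in request_path(url):
        found.append("FUZZ in the URL path is sent as-is because data is set")
    if KEYWORD in urlsplit(url).netloc:
        found.append("FUZZ in the host is unsupported: one domain per run")
    return found
```
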
# Known issues
- "socket.gaierror: [Errno 11001] getaddrinfo failed" error returned on DNS error
## License
Copyright (c) 2025 CyberArk Software Ltd. All rights reserved.
This repository is licensed under the Apache-2.0 License; see [`LICENSE`](LICENSE) for more details.
## Contact
Feel free to contact us via GitHub issues if there are any feature requests or issues in the project.
You can also contact us through LinkedIn:<br />
[Maor Abutbul](https://il.linkedin.com/in/maor-abutbul)
Raw data
{
"_id": null,
"home_page": null,
"name": "quicdraw",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.9",
"maintainer_email": null,
"keywords": "HTTP/3, QUIC, Web, Security, Fuzzing, Fuzz, Race-Conditions, Web Security, Web Application Security, HTTP3",
"author": null,
"author_email": "Maor A <m2a2@users.noreply.github.com>",
"download_url": "https://files.pythonhosted.org/packages/32/fe/5468e4aa5072744bce056e03719139ee9cfcb7693b2ec204caca0b171c54/quicdraw-0.0.3.tar.gz",
"platform": null,
"description": "# QuicDraw\r\n\r\n```\r\n -----------\r\n QuicDraw: HTTP/3 Fuzzing and Racing (Client)\r\n -----------\r\n _ _\r\n __ _ _ _(_) ___ __| |_ __ __ ___ __\r\n / _` | | | | |/ __/ _` | '__/ _` \\ \\ /\\ / /\r\n | (_| | |_| | | (_| (_| | | | (_| |\\ V V /\r\n \\__, |\\__,_|_|\\___\\__,_|_| \\__,_| \\_/\\_/\r\n |_| _______\r\n \\ |QD ____| ---------- HTTP/3\r\n \\ |_//\r\n |_|\r\n\r\n GitHub: https://github.com/cyberark/quicdraw\r\n License: Apache-2.0 License\r\n Author: Maor Abutbul <CyberArk Labs>\r\n -----------\r\n```\r\n\r\nQuicDraw is a security research tool designed for fuzzing and racing HTTP/3 servers.\r\nQuicDraw implements the `last-bytes-sync` on HTTP/3 (over QUIC), for race-condition testing.\r\n\r\nThe tool was originally published as part of CyberArk Labs research: \"TODO - BLOG link\"\r\n\r\n## \u00a0Main Features\r\n\r\n- Implements the `last-bytes-sync` on HTTP3 (over QUIC), for race-condition testing.\r\n- Supports fuzzing multiple requests with the `FUZZ` and wordlist (`-w` argument) mechanisms.\r\n- Custom HTTP headers functionality (`-H` argument).\r\n - Note: Custom headers are converted to lowercase since we have seen some issues with some server implementations.\r\n- Supports SSLKEYLOGFILE (`-l` argument) for TLS decryption/inspection via packet analyzers such as Wireshark.\r\n- Based on aioquic (http3_client)\r\n - [aioquic](https://github.com/aiortc/aioquic)\u00a0is a library for the QUIC network protocol in Python.\r\n - It features a minimal TLS 1.3 implementation, a QUIC stack, and an HTTP/3 stack.\r\n\r\n# Quick Start\r\n\r\nPrerequisite:\r\n\r\n- python 3.x\r\n- pip3\r\n\r\n## Install using pip\r\n\r\nThe easiest way to install quicdraw is to run:\r\n\r\n```\r\npip install quicdraw\r\n```\r\n\r\n### Runinig\r\n\r\n```\r\nquicdraw -h\r\n```\r\n\r\n# Contributing\r\n\r\nWe welcome contributions of all kinds to this repository.\r\nFor instructions on how to get started and descriptions of our development workflows, please see 
our [contributing guide](CONTRIBUTING.md)\r\n\r\n# Limitaitions\r\n\r\n- The `last-bytes-sync` is mostly effective in POST requests (using the `-d` argument).\r\n \u00a0 \u00a0 - GET requests will benefit from the mechanism but according to our tests only a few requests \"fit\" on a single QUIC packet.\r\n- The fuzzing mechanism (`FUZZ` and `--wordlist/-w`) only works in POST messages data **or** in the GET request URL (:path) argument.\r\n- Currently, the fuzzing mechanism only works **once**, meaning if the data argument is supplied (`-d`), we assume fuzzzing on the POST data, supplying the `FUZZ` keyword in the URL (:path) will result in sending the URL (:path) as-is (including the `FUZZ` keyword).\r\n- We do not support multiple different domains in the current version. (for different paths you can use the FUZZ keyword in the URL's path part).\r\n\r\n# Known issues\r\n\r\n- \"socket.gaierror: [Errno 11001] getaddrinfo failed\" error returned on DNS error\r\n\r\n## License\r\n\r\nCopyright (c) 2025 CyberArk Software Ltd. All rights reserved\r\nThis repository is licensed under Apache-2.0 License - see [`LICENSE`](LICENSE) for more details.\r\n\r\n## Contact\r\n\r\nFeel free to contact us via github issues if there are any feature requests or issues in the project\r\nAnd contact us through linkedin:<br />\r\n[Maor Abutbul](https://il.linkedin.com/in/maor-abutbul)\r\n",
"bugtrack_url": null,
"license": null,
"summary": "QuicDraw Fuzzing and Racing HTTP/3 (over QUIC)",
"version": "0.0.3",
"project_urls": {
"Homepage": "https://github.com/cyberark/QuicDraw",
"Issues": "https://github.com/cyberark/QuicDraw/issues"
},
"split_keywords": [
"http/3",
" quic",
" web",
" security",
" fuzzing",
" fuzz",
" race-conditions",
" web security",
" web application security",
" http3"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "b970eb4b352a010d381786a4319958e700345131de816874d2f60d0a51a68fd7",
"md5": "9a34a4a12a82c0c9a854c765f0012f7b",
"sha256": "da6eeb1d70b48079235f38ea3585ee8c13b1c6b2ae05f4a101f0f2fcefbfda4f"
},
"downloads": -1,
"filename": "quicdraw-0.0.3-py3-none-any.whl",
"has_sig": false,
"md5_digest": "9a34a4a12a82c0c9a854c765f0012f7b",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.9",
"size": 13707,
"upload_time": "2025-08-27T13:00:19",
"upload_time_iso_8601": "2025-08-27T13:00:19.733515Z",
"url": "https://files.pythonhosted.org/packages/b9/70/eb4b352a010d381786a4319958e700345131de816874d2f60d0a51a68fd7/quicdraw-0.0.3-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "32fe5468e4aa5072744bce056e03719139ee9cfcb7693b2ec204caca0b171c54",
"md5": "5f9fe7ca91f579d6c4895cc534933268",
"sha256": "573e2858ca0c14c5b0938c6c5e87d34639635a9f8525650f8b949d2ddbfdeec8"
},
"downloads": -1,
"filename": "quicdraw-0.0.3.tar.gz",
"has_sig": false,
"md5_digest": "5f9fe7ca91f579d6c4895cc534933268",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.9",
"size": 14375,
"upload_time": "2025-08-27T13:00:20",
"upload_time_iso_8601": "2025-08-27T13:00:20.792276Z",
"url": "https://files.pythonhosted.org/packages/32/fe/5468e4aa5072744bce056e03719139ee9cfcb7693b2ec204caca0b171c54/quicdraw-0.0.3.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-08-27 13:00:20",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "cyberark",
"github_project": "QuicDraw",
"github_not_found": true,
"lcname": "quicdraw"
}