QuicDrawH3
QuicDraw(H3) is A security research tool designed for fuzzing and racing HTTP/3 servers. QuicDraw implements the `Quic-Fin-Sync` on HTTP/3 (over QUIC) for race-condition testing.
Install / Use
/learn @cyberark/QuicDrawH3README
QuicDraw (H3)
-----------
QuicDraw(H3): HTTP/3 Fuzzing and Racing (Client)
-----------
_ _
(_) | | ______
__ _ _ _ _ ___ __| |_ __ __ ___ __ /\ /\___ /
/ _` | | | | |/ __/ _` | '__/ _` \ \ /\ / / / /_/ / |_ \
| (_| | |_| | | (_| (_| | | | (_| |\ V V / / __ / ___) |
\__, |\__,_|_|\___\__,_|_| \__,_| \_/\_/ \/ /_/ |____/
|_| _______
\ |QFS____| -------------------- HTTP/3
\ |_//
|_|
GitHub: https://github.com/cyberark/QuicDrawH3
License: Apache-2.0 License
Author: Maor Abutbul <CyberArk Labs>
-----------
QuicDraw is a security research tool designed for fuzzing and racing
HTTP/3 servers. QuicDraw implements the Quic-Fin-Sync on HTTP/3 (over
QUIC), for race-condition testing.
The tool was originally published as part of CyberArk Labs' research: "Racing and Fuzzing HTTP/3: Open-sourcing QuicDraw(H3)"
TOC
- QuicDraw
- QuicDraw-UI
- Contributing
- Limitations
- Known issues
- License
- Contact
Main Features
- Implements the
Quic-Fin-Syncon HTTP3 (over QUIC), for race-condition testing. - Supports fuzzing multiple requests with the
FUZZand wordlist (-wargument) mechanisms. - Custom HTTP headers functionality (
-Hargument).- Note: Custom headers are converted to lowercase since we have seen issues with some server implementations.
- Supports SSLKEYLOGFILE (
-largument) for TLS decryption/inspection via packet analyzers such as Wireshark. - Based on aioquic (http3_client)
- aioquic is a library for the QUIC network protocol in Python.
- It features a minimal TLS 1.3 implementation, a QUIC stack, and an HTTP/3 stack.
Quick Start
Prerequisite:
- python >=3.9
- pip3
Install using pip
The easiest way to install QuicDraw is to run:
pip install quicdraw
Install quicdraw-ui using pip (PyPi)
The easiest way to install QuicDraw-UI is to run:
pip install quicdraw[ui]
quicdraw-ui -h
Runninig (after pip install)
quicdraw -h
Build and install locally by cloning the source (optional)
If there are no wheels for your system or if you wish to build QuicDraw from source.
Clone the repository:
git clone https://github.com/cyberark/quicdrawh3.git
python3 -m build
pip install .\dist\quicdraw-<VERSION>.tar.gz
Install module dependencies. (You may prefer to do this within a Virtual Environment)
Usage
Print Help
quicdraw -h
Normal HTTP/3 (over QUIC) Requests
An HTTP/3 GET Request
quicdraw <https://http3_server.com/path>
An HTTP/3 POST Request
HTTP POST requests are determined by using the -d argument followed by
the HTTP POST data to be sent.
quicdraw <https://http3_server.com/path> -d '{"key":"value"}'
Log TLS Secrets to file -l SECRETS_LOG
log secrets to a file, for use with Wireshark
To inspect the traffic in wireshark: Open Wireshark → Edit → Preferences → Protocols → TLS and set "(Pre)-Master-Secret log filename" to the full path of secrets.log
Verbose logging -v
Using the verbose (-v) output will log (print) the request data to be
sent and the HTTP response content.
In the case of GET requests (no -d argument supplied), the request URL
(:path) will be logged (printed).
Testing Race-Conditions in HTTP3 applications -tr TOTAL_REQUESTS
To use the same request multiple times (using the Quic-Fin-Sync /
single-packet), use the -tr/--total-requests argument.
Note: If a WORDLIST (-w) argument is specified, this argument
(-tr TOTAL_REQUESTS) is overridden by the wordlist number of lines.
Racing example
Repeat the same request 12 times (-tr 12) (using Quic-Fin-Sync)
quicdraw <https://http3_server.com/path> -d '{"key":"value"}' -H 'Authorization: bearer eyJ...' -tr 12
Repeat the same request 12 times (-tr 12), use Quic-Fin-Sync and log (-l) TLS secrets
quicdraw <https://http3_server.com/path> -d '{"key":"value"}' -H 'Authorization: bearer eyJ...' -H 'content-type: application/json' -l /m2a/ssl_key_log_file.log -tr 12
Repeat the same request 12 times (-tr 12), use Quic-Fin-Sync, log (-l) TLS secrets, and print verbose (-v) output including HTTP response content
quicdraw <https://http3_server.com/path> -d '{"key": "value"}' -H 'Authorization: bearer eyJ...' -H 'content-type: application/json' -l /m2a/ssl_key_log_file.log -tr 12 -v
Fuzzing HTTP3 applications -d DATA -w WORDLIST
Fuzzing in QuicDraw is based on a simple concept, like other web fuzzers
(Ffuf,
Wfuzz), go over the data section
(-d), and replace any reference to the FUZZ keyword with the value
given in the wordlist (-w) as the payload.
To define fuzzing, use the wordlist (-w/--wordlist) argument with
the FUZZ keyword anywhere in the DATA (-d argument) section.
Note: If the payload (-d) does not include the FUZZ keyword, the
same data will be sent according to the number of lines in the
wordlist file.
Fuzzing Example
Use Quic-Fin-Sync, go over the data section (-d), and replace any reference to the FUZZ keyword with the value given in the wordlist file (-w) as the payload
quicdraw <https://http3_server.com/path> -w path/to/wordlist -d '{"example_key":"FUZZ"}'
QuicDraw-UI
-----------
QuicDraw-UI: HTTP/3 Request Editor - A GUI for QuicDraw(H3): HTTP/3 Fuzzing and Racing (Client)
-----------
_ _
(_) | | __ ______
__ _ _ _ _ ___ __| |_ __ __ ___ __ / / / / _/
/ _` | | | | |/ __/ _` | '__/ _` \ \ /\ / / _____ / / / // /
| (_| | |_| | | (_| (_| | | | (_| |\ V V / /____// /_/ // /
\__, |\__,_|_|\___\__,_|_| \__,_| \_/\_/ \____/___/
|_| _______
\ |QFS____| -------------------- HTTP/3
\ |_//
|_|
Install quicdraw-ui using pip (PyPi)
The easiest way to install QuicDraw-UI is to run:
pip install quicdraw[ui]
quicdraw-ui -h
Example 1: Simple HTTP/3 Request
Send a basic request to an HTTP/3 server:
quicdraw-ui https://www.cyberark.com
HTTP/3 Request Editor: 
Advanced Tab
The following options can be set by the advanced tab
Option Description
-l, --secrets-log TLS secrets file (for Wireshark)
-v, --verbose Verbose output
Results Tab:
Example 2: Fuzzing with a Wordlist
To fuzz an HTTP/3 endpoint, you need:
- A wordlist file (
-w) - contains payloads to test (one per line) - The
FUZZkeyword in your data - gets replaced by each wordlist entry
quicdraw-ui https://www.cyberark.com -w path/to/wordlist -d '{"example_key":"FUZZ"}'
The FUZZ keyword in {"example_key":"FUZZ"} will be replaced with
each line from your wordlist file.
Command-Line Options
QuicDraw-UI parameters are imported to the UI.
Option Description
-d, --data HTTP POST data (use FUZZ for wordlist
substitution)
-H, --header Custom header (repeatable)
-b, --cookie Custom cookie header
-w, --wordlist Fuzzing wordlist file
-tr, --total-requests Number of concurrent requests (race testing)
-l, --secrets-log TLS secrets file (for Wireshark)
-v, --verbose Verbose output
Note: "copy-as-curl compatible" meaning common curl arguments (-d,-H,-b) are supported by QuicDraw-UI.
Contributing
We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our contributing guide
Limitations
- The
Quic-Fin-Syncis mostly effective in POST requests (using the-dargument).- GET requests will benefit from the mechanism, but according to our tests, only a few requests "fit" on a single QUIC packet.
- The fuzzing mechanism (
FUZZand--wordlist/-w) only works in POST messages data or in the GET request URL (:path) argument. - Currently, the
Related Skills
node-connect
343.1kDiagnose OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps
frontend-design
90.0kCreate distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, or applications. Generates creative, polished code that avoids generic AI aesthetics.
openai-whisper-api
343.1kTranscribe audio via OpenAI Audio Transcriptions API (Whisper).
qqbot-media
343.1kQQBot 富媒体收发能力。使用 <qqmedia> 标签,系统根据文件扩展名自动识别类型(图片/语音/视频/文件)。
