Fuzzgun generates mutated, invalid, random, unexpected data and exotic format from a given input string.
As a fuzzer Fuzzgun:
- is black box fuzzer (unaware of internal program structure)
- is a mutation based and aware of input structure.
- takes a string layout as its input model
It can be used by developers, security tester and quality assurance teams alike.
Fuzzgun only takes a string as input. This string can be anything you want and fuzzgun will try to work its best on it.
On Internet though, programs ingest structured inputs. So to harness a system the best inputs for fuzzgun will be string examples (or layouts) of what your systems is expecting.
For full usage, documentation and examples report to the Godoc
import (
"http"
"time"
"github.com/simcap/fuzzgun"
)
func main() {
for mutant := range fuzzgun.FuzzEvery("07/08/2018", 3 * time.Second) {
url := fmt.Sprintf("http://example.com?date=%s", mutant)
if resp, err := http.Get(url); err != nil {
panic(err)
} else if resp.StatusCode == 500 {
panic("ouch")
}
}
}If you have Golang (>= 1.10) installed, the following will fetch and install the CLI executable:
$ go get -u github.com/simcap/fuzzgun/...Otherwise grab a binary for Linux, Windows or Mac
Then to get started run:
$ fuzzgun -h
# start to mutate some stuff
$ fuzzgun -s bob@mail.net
$ fuzzgun -s http://example.com
$ fuzzgun -s 07/12/2016Fuzzgun takes as input a string layout. A layout is an string example of a structured input. Here is the basic algorithm (of my own cooking, i.e. feedback welcome) that will be applied to the input:
-
Tokenizing separates the input string into either alpha, numerical or separator tokens
-
Labelizing
- known types: marks the input after a successful detection of a known type: URL, IP address, Date, e-mail, etc.
- known encoding: marks the input after a successful detection of a known encoding: base64, URL encoding, etc.
-
Grouping extracts set of tokens using various stategy: arrangement, shifting, separators only, etc...
-
Fuzzing mutates the data in parallel given the different groups, labels, encoding, etc.
-
Generating will finalizes the fuzzed output putting back groups to original input; encoding the result if the input was detected encoded
The input is tokenized into either alpha, numerical or separator. For instance "bob@mail.net" would output: "bob" (alpha), "@" (separator), "mail" (alpha), "." (separator), "net" (alpha)
Since structured input on the internet can easily have known format, fuzzgun will labelizes the input string according to detected format: ip address, URL, date, unix timestamp
This will allows to mutate data according to known issues or valid but exotic formats.
Examples:
- detecting an IP address we can generates output such as: IPv6, IP overflow values, octal/hexadecimal, etc.
- detecting an e-mail address we can generates valid yet uncommon e-mail addresses according to RFC 5322
Grouping allows to isolate array of tokens using various strategy to be fuzzed indenpendently of others.
Basically we extract some tokens to be fuzzed while letting others in their original form. Groups will go through fuzzing and will then be re-arranged with the original string to present the final fuzzed output.
We can think of the original input string as the main group and the grouping step will basically generates subgroups.
For instance given the string "bob@mail.net", some generated group will be:
# shifting
["bob"] (group 1), ["@"] (group 2), etc.
["bob", "@"] (group 1), ["@", "mail"] (group 2), etc.
["bob", "@", "mail"] (group 1), ["@", "mail", ""] (group 2), etc.
...
# separators only
["@", "."]
For example given "bob@mail.net", the simplest group after tokenization could be ["bob"]: the group ["bob"] will then be mutated to be then re-arranged to "@mail.net".
In future versions mutated values should be fed back as input string in fuzzgun itself!