265 questions
0 votes, 1 answer, 63 views
AFL example get result
I'm trying to figure out how to use AFL, but I can't get a result from a simple example
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(int argc, char *argv[]) {
...
2 votes, 0 answers, 67 views
How can I generate reusable fuzzing binaries per fuzz target in Go with coverage guidance and persistent corpus?
I'm working on a fuzzing framework in Go and currently running fuzz tests using the following command for each fuzz target:
go test -fuzz=^FuzzXYZ$ -test.fuzzcachedir=./corpus/pkg/testdata/fuzz -...
0 votes, 1 answer, 258 views
How to solve "Fork server handshake failed" when starting afl-fuzz with a bin-only dynamic linked program from a firmware?
I'm trying to start a fuzzing test using QEMU mode with a simple binary file named dos2unix from a Linux x86 rootfs firmware (from an IoT device).
BusyBox v1.24.2 (2019-06-25 00:47:00 UTC) multi-call ...
-2 votes, 1 answer, 98 views
How should I implement Fuzzing techniques presented in "The Fuzzing Book"? [closed]
I am currently reading "The Fuzzing Book" and I am trying to determine how I should apply or implement the fuzzing techniques that I have learned from the book. For instance, in the book, ...
0 votes, 0 answers, 59 views
Trying to learn how encoding works in Boofuzz
I'm learning Boofuzz, and it would be convenient to be able to convert between a boofuzz.Block and an arbitrary custom python object. This is especially the case when encoding. I'm hopeful this ...
0 votes, 0 answers, 41 views
JQF custom generator can't increase branch coverage
I use JQF+Zest for fuzzing.
Since I need to test many different classes I don't want to write a generator for each one manually, so I wrote the following simple generic generator:
package caohch1;
...
0 votes, 0 answers, 340 views
Fuzzing with AFL/AFL++ in persistent mode: replaying all inputs during one persistent run
I'm fuzzing a project using AFL++, and I've already found a few bugs, which I was able to reproduce, and thus they were fixed.
However, for some of the crash files, I was unable to reproduce the crash....
0 votes, 0 answers, 84 views
Syzkaller report does not make sense
I'm looking at this syzkaller report: https://groups.google.com/g/syzkaller-bugs/c/FvPFh7-dtx4/m/7Yoy6KSkAAAJ?pli=1
It finds a crash caused by some commit.
After submitting some patches, syzkaller ...
-1 votes, 1 answer, 135 views
How to define hypothesis strategies for custom dataclasses [closed]
I am currently using hypothesis for fuzzing my test but I then need to generate random dataclasses, and so to build strategies for each, like
# Base types
uint64 = st.integers(min_value=0, max_value=2*...
1 vote, 0 answers, 40 views
Go Fuzzing output on non-failing test cases
I want to be able to see all of the fuzzed inputs to the function that is being tested.
So far I have tried using t.Log(...), t.Error(...), t.Fail(...)... none of those gave me the result that I wanted.
...
1 vote, 0 answers, 76 views
Is coverage info in libfuzzer block coverage or branch coverage?
I am running libfuzzer with a target. The log looks like below (an example):
#1 INITED cov: 18 ft: 15 corp: 1/1b exec/s: 0 rss: 27Mb
#15 NEW cov: 23 ft: 16 corp: 2/5b exec/s: 0 rss: 27Mb L:...
0 votes, 0 answers, 465 views
Fuzzing with AFL++ (how to start)
I have a simple program that will crash (using strcpy) but I am having problems trying to crash it with AFL++. I am simulating a closed source binary fuzzing.
int main(int argc, char *argv[])
{
...
0 votes, 1 answer, 235 views
How to use AFL to test functions with struct parameters?
I am new to fuzz. Due to the supervisor's task, I am testing a series of small functions whose parameters are structures, such as
struct Node{
int a;
float b;
}
void foo(Node node){...}
And ...
2 votes, 0 answers, 127 views
Code coverage relative to the entire project
I'm trying to get coverage of a go application regarding an entire project.
But I get a report that only includes those files that the tests “touch”.
I have several files with golang tests:
...
1 vote, 0 answers, 59 views
looking for a memory efficient data structure for slightly different HTTP flows
I'm trying to create an HTTP fuzzing API in python in which I wish to store HTTP requests and responses for later analysis like searching whole content and viewing requests and responses, now as I'm ...
0 votes, 0 answers, 62 views
Strange behavior of global go variable in c-archive compiled library
everyone.
Right now I'm writing my "scientific work" about fuzzing and I've got a problem with something in my fuzzing lib.
I try to fuzz go-ethereum lib (specifically bn256 part of it):
go-...
0 votes, 2 answers, 902 views
Clang coverage generates empty default.profraw file
I am doing fuzz testing to a library and using clang coverage to obtain code coverage. This is the command I run:
m smp-fuzzer-cov
LLVM_PROFILE_FILE="/scratch/smp-fuzzer-out/default.profraw" ...
1 vote, 2 answers, 357 views
compile syzkaller fuzzer failed without any error or warning
I encountered an issue while compiling syzkaller (a customized version of syzkaller, based on syzkaller commit a371c43c33b6f901421f93b655442363c072d251,Compiling on this commit was successful).
When ...
0 votes, 1 answer, 674 views
Fuzz testing with Playwright and gremlins.js
I am trying to set up Playwright together with gremlins.js to launch what they call horde of gremlins at a web app at a particular URL.
The idea is that if the web app at this URL throws any errors ...
1 vote, 0 answers, 679 views
Error compiling LLVMFuzzerTestOneInput DWARF error: invalid or unhandled FORM value: 0x25
My Project consists of the following
XPDF:
build with
wget https://dl.xpdfreader.com/old/xpdf-3.02.tar.gz
tar -xvzf xpdf-3.02.tar.gz
sudo apt update && sudo apt install -y build-essential gcc
...
2 votes, 0 answers, 350 views
RESTler API Fuzzing Add Authentication Bearer token
I would like to fuzz my API with a Bearer token (JWT).
I have many routes on my NodeJS API with a special route /login which returns a token if the username and password sent in the request body are ...
-1 votes, 1 answer, 422 views
Compiling CUPS with AFL++ instrumentation: "relocation R_X86_64_32 against ... can not be used when making a PIE object; recompile with -fPIE"
I am trying to compile CUPS version 2.4.2 with AFL++ instrumentation, following the instructions in part (e) of the AFL++ documentation here: https://aflplus.plus/docs/fuzzing_in_depth/#e-...
0 votes, 0 answers, 201 views
How to apply C++ fuzzing test on function that has nested Google protobuf arguments?
I'm trying to apply llvm fuzzer on my function which might have some very complicated nested Google protobuf as arguments to find possible crashes.
The testing code is shown below:
extern "C"...
1 vote, 0 answers, 239 views
QEMU-AFL: follow fork() into child
I've been scouring the AFL++ and QEMU docs for a while and I can't seem to find an answer to this question: can you instruct QEMU-AFL (AFL++'s fork of QEMU, used when running afl-fuzz -Q) to follow ...
-1 votes, 1 answer, 950 views
AFL++ (time out or crash)
Good day,
I did everything as in this blog written (https://alephsecurity.com/2021/11/16/fuzzing-qemu-android/) just because I want to learn to work with afl++/qemu and android native libraries
but ...
3 votes, 1 answer, 261 views
Issue running the RESTler image from docker hub (proc/1/stat error related)
About the official Restler image on Docker Hub, that is available with this command:
docker pull mcr.microsoft.com/restlerfuzzer/restler
I tried to run the container with docker run -it mcr.microsoft....
0 votes, 0 answers, 383 views
Android not executable 64-bit
I'm trying to follow this https://blog.quarkslab.com/android-greybox-fuzzing-with-afl-frida-mode.html and fuzz some app on my SM-A500FU. I rooted the device, followed every step (I hope) in the guide ...
0 votes, 1 answer, 426 views
Using caringcaribou to fuzz, an unknown interface type “None” appears
I want to use caringcaribou to fuzz the vehicle CAN bus. I connected the PCAN and then used two commands "sudo modprobe can", "sudo ip link set can0 up type can bitrate 500000", ...
2 votes, 1 answer, 260 views
Golang fuzzing fixed-length strings
I'm looking for an efficient way to test fixed-length strings via fuzzing (so that only the content of the string is variable, not the length).
My first idea was to use arrays for this like
f.Fuzz(func(...
1 vote, 1 answer, 190 views
libfuzzer heap overflow in malloc
I am trying out my hand at libfuzzer and I am facing 'heap overflow' at malloc.
The code snippet is as follows
int LLVMFuzzerTestOneInput(
const unsigned char * Data,
size_t Size
) {
...
1 vote, 1 answer, 256 views
What is an example of a buggy function that would be hard to find to discover the bug without fuzz testing?
I'd like to come up with a motivating example or code challenge for fuzz testing and/or property-based testing.
What I'm looking for is a concise situation where such testing is maximally critical/...
1 vote, 1 answer, 733 views
In the Hypothesis testing library, what is the real difference between assume and filter?
Within the Hypothesis testing library for Python, there is the "assume" function, which "marks the example as bad, rather than failing the test". If there are too many "bad&...
1 vote, 1 answer, 72 views
Call to ruby regex through C api from C code not working
I am trying to call ruby regex from C code:
#include <ruby.h>
#include "ruby/re.h"
int main(int argc, char** argv) {
char string[] = "regex";
ruby_setup();
...
0 votes, 1 answer, 40 views
Algorithm and general pseudocode to greatly cut down on the space that a char permutation takes up
Setting up a home web server on a Raspberry Pi as an education project, and I had the idea to run a URL fuzzing algorithm on it to test for vulnerabilities.
I decided on testing strings up to 32 ...
0 votes, 1 answer, 432 views
How to force fuzzing yield coverage data?
I'm using AFL++ 4.0c to fuzz my app. It basically wraps the clang compiler to instrument my code with fuzzing shenanigans. As well I provide coverage flags:
--coverage -g -fprofile-instr-generate -...
2 votes, 1 answer, 396 views
How to debug go fuzzing?
I am trying to debug the fuzzing part in golang sdk (go/internal/fuzz) with GoLand, with a demo like this:
package awesomeProject1
import "testing"
func fn(s string) int {
var sum int
...
0 votes, 1 answer, 837 views
Corrupting CRC field of a CAN message in CAPL
I want to add some anomalies to corrupt the CRC field of the CAN message. Theoretically, the CRC is being calculated using the info from data field/ctrl field/ ARB field. How to add the CRC corruption ...
2 votes, 1 answer, 676 views
How to set up Web API Fuzzing in Gitlab in a repository with multiple services?
I have a repository that has multiple microservices in it. As part of that, each service has its own OpenAPI 3.0 spec.
There is only one .gitlab-ci.yaml file in the repository, but it is not clear in ...
0 votes, 1 answer, 927 views
AFL only explores 1 path and nothing more! ( last new path : none yet (odd, check syntax!) )
I am using AFL (version 2.57b) in a docker container (on Ubuntu 20.04) to fuzz several C programs. But the problem is, whenever I fuzz a program it does not explore more than 1 path and the output is ...
0 votes, 1 answer, 590 views
Generate random inputs using a fuzzer
Let me take a very small example of what I am looking for.
def add_two_numbers(x, y):
return x + y
I want to input n number of times, the random values for x and y.
Is there any python fuzzing library ...
0 votes, 0 answers, 78 views
How to generate Input-Data with Fuzzying for Coverage of disassembled 16bit/DOS game functions?
So I'm doing reverse engineering of old 16-bit real mode, segment/offset DOS games (much harder than porting 32-bit protected mode programs).
I'm always using IDA 7.x, Ghidra and some other tools to help ...
-1 votes, 2 answers, 121 views
Is there a way to check how scan and fuzz commands work at backend in ZAP?
We have a requirement to know how commands work at the backend when triggered via the OWASP ZAP tool.
This will help for data visualizing & interaction with ZAP and UI.
For example:
Commands like '...
0 votes, 1 answer, 677 views
How to automate fuzzing in ZAP?
We have a requirement as below to automate in ZAP
Go through POST request in ZAP tool
Identify values which got posted in Request tab
Highlight the value passed(for example: to textarea field) and ...
1 vote, 1 answer, 2k views
zaproxy fuzzing hex payload processor
I'm trying to fuzz a cookie with Zaproxy. The cookie is missing one character, so I made a prefix processor with the cookie md5 hash and am adding an alphanumeric character to the end... all good but the ...
1 vote, 0 answers, 598 views
libfuzzer Go executable crashes with "non-Go code set up signal handler without SA_ONSTACK flag"
I am using go-118-fuzz-build and some manual patching to build a libfuzzer executable from a native Go 1.18 fuzz test:
Patch the test file, replacing *testing.F with *github.com/AdamKorcz/go-118-fuzz-...
0 votes, 0 answers, 490 views
How to call/use libfuzzer for custom API?
I'm new to libfuzzer: https://llvm.org/docs/LibFuzzer.html. I took time to read the doc and googling... But I feel like I still miss basic concepts when dealing with real world examples?! Maybe I ...
0 votes, 1 answer, 401 views
Firmware AFL++ fuzzing fails
I want to do IoT firmware fuzzing with AFL++ on a Linux system
https://blog.attify.com/fuzzing-iot-devices-part-1/
I have done the setup according to that link. When I run
sudo QEMU_LD_PREFIX=./squashfs-...
1 vote, 2 answers, 976 views
Clang libFuzzer for AArch64 architecture
I would like to perform some fuzz testing on a command-line application I am working on. I am on an M1 Mac, and Apple developer tools do not ship clang with libFuzzer. So I followed this SO post's ...
0 votes, 1 answer, 257 views
RISC-V fuzzing emulation
I am new to this, but I need to emulate RISC-V using qemu. As a start for my fuzzing project, how can I give qemu an instruction set and get the changes in the registers as an output?
0 votes, 1 answer, 151 views
How to get floats from raw data using python or bash?
I have a file generated by an automated testing/fuzzing tool called AFL. The file represents one set of input data that can trigger a program bug in the program under test.
I know this file is ...