FenixFuzz is a software fuzzer for IST's FenixEdu system, developed within the scope of an MSc thesis. The main goal is to integrate this tool into FenixEdu's development and build process, so that bugs are spotted earlier.
pip3 install beautifulsoup4
pip3 install rstr
The fuzzer's properties and settings are configured via the config/fenixfuzz.properties file, which should be adjusted for each use. Each of the file's entries is explained below.
__minimum/maximum__: minimum/maximum size of the fuzz patterns to be generated. Each value should be greater than 0.
minimum = 1
maximum = 20
__charset__: charset to be used as a fallback when the fenixfuzz_model file has no rules at all, or as a starting point for fields that are not covered by the rules in the JSON file. Accepted values are all (Python's printable characters), no-white, alpha, char and num.
charset = alpha
__user__: user ID used to log in to the application. Different types of users will allow the fuzzer to crawl different parts of FenixEdu, thus testing fewer or more of its forms.
user = ist123456
__url_patterns__: path to a JSON file containing an object with two lists: the URLs that should be ignored during the crawling phase, and the URLs that should only be visited once. The first list prevents the fuzzer from crawling URLs that may invalidate the current cookie data (logout pages or similar) or file URLs (such as PDFs), which can't be fuzzed; the second list is for links to pages which provide the same type of information (e.g. room scheduling, student information) and need only be visited once.
url_patterns = config/url_patterns.json
__fenixfuzz_model__: path to a JSON file containing a set of rules (regular expressions, or similar) that describe what is to be generated when a certain field name pattern is found. For example, if a field's name is email, then a possible rule for it could be [a-zA-Z]+\@tecnico.ulisboa.pt.
fenixfuzz_model = config/ffm.json
__local_instance__: complete URL of the local running instance.
local_instance = http://localhost:8080/fenix
__login_endpoint__: endpoint of the local API to which the login data is sent.
login_endpoint = /api/bennu-core/profile/login
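
A pre-flight check for the entries described above, as an added example that is not part of FenixFuzz's own code. The function names, the `key = value` line layout with `#` comments, the minimum <= maximum check and the leading `/` on login_endpoint are assumptions; the sample values are the ones shown above.

```python
from urllib.parse import urlparse

# Accepted charset values, as listed in the entry descriptions above.
CHARSETS = {"all", "no-white", "alpha", "char", "num"}
REQUIRED = ("minimum", "maximum", "charset", "user", "url_patterns",
            "fenixfuzz_model", "local_instance", "login_endpoint")

# Constructed sample mirroring the values shown above.
SAMPLE = """\
minimum = 1
maximum = 20
charset = alpha
user = ist123456
url_patterns = config/url_patterns.json
fenixfuzz_model = config/ffm.json
local_instance = http://localhost:8080/fenix
login_endpoint = /api/bennu-core/profile/login
"""

def parse_properties(text):
    """Parse 'key = value' lines (assumed layout); skip blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def validate(props):
    """Return a list of problems; an empty list means the settings are usable."""
    errors = [f"missing entry: {k}" for k in REQUIRED if not props.get(k)]
    sizes = {}
    for key in ("minimum", "maximum"):
        value = props.get(key, "")
        if value.isdecimal() and int(value) > 0:
            sizes[key] = int(value)
        elif value:
            errors.append(f"{key} must be an integer greater than 0")
    if len(sizes) == 2 and sizes["minimum"] > sizes["maximum"]:
        errors.append("minimum must not exceed maximum")  # assumed constraint
    if props.get("charset") and props["charset"] not in CHARSETS:
        errors.append("charset must be one of " + ", ".join(sorted(CHARSETS)))
    url = urlparse(props.get("local_instance", ""))
    if props.get("local_instance") and (url.scheme not in ("http", "https") or not url.netloc):
        errors.append("local_instance must be a complete http(s) URL")
    if props.get("login_endpoint") and not props["login_endpoint"].startswith("/"):
        errors.append("login_endpoint must be a path starting with '/'")  # assumed
    return errors
```

Calling `validate(parse_properties(open("config/fenixfuzz.properties").read()))` before a run reports every problem at once instead of failing on the first one mid-crawl.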