Shfz - Scenario-based fuzzing test execution tool for web applications

Overview

GitHub Workflow Status license release downloads

shfz

A scenario-based web application fuzzng tool that supports fuzz generation by genetic algorithm.

Features

  • Easy to customize fuzzing test by scripting fuzzing scenario in JavaScript / TypeScript
  • Third-party packages can be used in fuzzing scenario script
  • Genetic algorithm fuzz generation increases code coverage
  • High affinity with CI, automatically post a report to GitHub issue
  • tracer's Automatic error detection helps fix bugs

Install

Download binary from Releases page, or compile from source.

Linux (amd64)

$ curl -Lo shfz.tar.gz https://github.com/shfz/shfz/releases/download/v0.0.1/shfz_0.0.1_linux_amd64.tar.gz
$ tar -zxvf shfz.tar.gz
$ sudo mv shfz /usr/local/bin/
$ sudo chmod +x /usr/local/bin/shfz

Usage

  1. Create scenario

To run fuzzing test with this tool, you need to create a scenario (that calls http requests for the web application, with automatically embeds the fuzz in the request parameter such as username, password).

Please refer to shfz/shfzlib for how to script scenarios.

  1. Install tracer to web application (only Flask)

For genetic algorithm fuzz generation and automatic error detection, it is necessary to install the trace library shfz/shfz-flask in the web application.

Currently, the trace library is only compatible with Python Flask. (supported frameworks will be expanded in the future)

  1. shfz server

check Server

  1. shfz run

check Run

  1. Get result

check Result

Server

In order to aggregate the results of fuzzing or generate fuzz by genetic algorithm, it is necessary to start the server.

$ shfz server

By default, the http server starts on port 53653 on localhost.

This server interacts with scenario and tracer to collect fuzz and frame graph data and supports fuzz generation with genetic algorithms.

Run

After setting up the server, specify the scenario file in another terminal and execute fuzzing.

$ shfz run -f scenario.js -n 100 -p 3 -t 30
[+] Finish

options

  • -f, --file scenario file (required)
  • -n, --number total number of executions (default 1)
  • -p, --parallel number of parallel executions (default 1)
  • -t, --timeout scenario execution timeout(seconds) (default 30)

Result

You can get the result by sending a request to the server's the /data endpoints during or after fuzzing.

$ curl -s http://localhost:53653/data | jq

{
  "status": [
    {
      "name": "login",
      "UsedFuzzs": [
        {
          "id": "0000",
          "fuzz": [
            {
              "name": "user",
              "text": "abcabc"
            }
          ],
...

CI integration

You can also install shfz on your local machine and run fuzzing, but we recommend run shfz on CI.

Github Actions

check demo-webapp's fuzzing workflow

  1. Create fuzzing scenario in /fuzz directory.

https://github.com/shfz/demo-webapp/tree/main/fuzz

      - uses: actions/[email protected]
        with:
          node-version: "16"
      - name: setup fuzzing scenario
        run: |
          cd fuzz
          npm i
          ./node_modules/typescript/bin/tsc scenario.ts
          file scenario.js
  1. Setup webapp (by docker-compose).
      - name: setup webapp
        run: |
          docker-compose build
          docker-compose up -d
          docker-compose ps -a

If this webapp is created by Python Flask, install shfz/shfz-flask

Note.

If you use docker-compose to launch the webapp on Linux, you need to enable host.docker.internal.

    extra_hosts:
      - "host.docker.internal:host-gateway"

And shfztrace is initialised by fuzzUrl="http://host.docker.internal:53653"

from flask import *
from shfzflask import shfztrace

app = Flask(__name__)
shfztrace(app, fuzzUrl="http://host.docker.internal:53653")
  1. Setup shfz
      - name: setup shfz
        run: |
          wget https://github.com/shfz/shfz/releases/download/v0.0.2/shfz_0.0.2_linux_amd64.tar.gz
          tar -zxvf shfz_0.0.2_linux_amd64.tar.gz
          sudo chmod +x shfz
          ./shfz --help
  1. Run fuzzzing
      - name: run shfz server
        run: ./shfz server &

      - name: run fuzzing
        run: ./shfz run -f fuzz/scenario.js -n 100
  1. (GitHub Actions) Report result in Issue
      - name: export fuzzing report
        run: >
          curl
          -F "hash=${{ github.sha }}"
          -F "repo=${{ github.repository }}"
          -F "id=${{ github.run_id }}"
          -F "job=${{ github.job }}"
          -F "number=${{ github.run_number }}"
          -F "path=/app"
          http://localhost:53653/report > report.md
      - name: create issue
        uses: peter-evans/[email protected]
        with:
          title: shfz result
          content-filepath: ./report.md
          labels: |
            shfz
  1. Export fuzzing data to Actions Artifacts
      - name: export fuzzing data
        run: curl http://localhost:53653/data > result.json
      - name: upload artifact
        uses: actions/[email protected]
        with:
          name: result.json
          path: ./result.json
  1. Export application log to Actions Artifacts
      - name: export application log
        run: docker logs demo-webapp_app_1 > app.log
      - name: upload artifact
        uses: actions/[email protected]
        with:
          name: app.log
          path: ./app.log
Releases(v0.0.3)
Exploit for remote command execution in Golang go get command.

CVE-2018-6574 Exploit for remote command execution in Golang go get command. Introduction When you go get a package, Go is designed to build and insta

Devang Solanki 0 Oct 15, 2021
PoC for CVE-2015-1635 / MS15-034 - HTTP.sys Allows Remote Code Execution / Check & DOS

CVE-2015-1635 PoC for CVE-2015-1635 / MS15-034 - HTTP.sys Allows Remote Code Execution / Check & DOS ./MS15-034 <URL> <RESOURCE> <FLAG [0 or 18]> Note

Nikola Kipariz Stamov 0 Nov 3, 2021
A web-based testing platform for WAF (Web Application Firewall)'s correctness

WAFLab ?? WAFLab is a web-based platform for testing WAFs. Live Demo https://waflab.org/ Architecture WAFLab contains 2 parts: Name Description Langua

Microsoft 22 Jul 12, 2022
set of web security test cases and a toolkit to construct new ones

Webseclab Webseclab contains a sample set of web security test cases and a toolkit to construct new ones. It can be used for testing security scanners

Yahoo 916 Jul 12, 2022
Tool to check whether one of your applications is affected by a vulnerability in log4j: CVE-2021-44228

log4shell.tools log4shell.tools is a tool allows you to run a test to check whether one of your applications is affected by a vulnerability in log4j:

Alexander Bakker 61 Aug 8, 2022
Web-Security-Academy - Web Security Academy, developed in GO

Web-Security-Academy - Web Security Academy, developed in GO

Xavier Llauca 1 Feb 23, 2022
Health-go - Web based app for health tracking and monitoring (Go port)

Health Web based app for health tracking and monitoring. Work in progress. Installation Clone the repository: git clone [email protected]:jonathantorr

Jonathan Torres 0 Dec 31, 2021
A Flask-based HTTP(S) command and control (C2) framework with a web frontend. Malleable agents written in Go and scripts written in bash.

▄▄▄▄ ██▓ █████▒██▀███ ▒█████ ██████ ▄▄▄█████▓ ▓█████▄ ▓██▒▓██ ▒▓██ ▒ ██▒▒██▒ ██▒▒██ ▒ ▓ ██▒ ▓▒ ▒██▒ ▄██▒██▒▒████ ░▓██ ░▄█ ▒▒██░ ██▒░

Ashley Nikirk 22 Aug 6, 2022
A minimalistic LDAP server that is meant for test vulnerability to JNDI+LDAP injection attacks in Java, especially CVE-2021-44228.

jndi-ldap-test-server This is a minimalistic LDAP server that is meant for test vulnerability to JNDI+LDAP injection attacks in Java, especially CVE-2

Rakuten Group, Inc. 9 Aug 6, 2022
Build Go applications for IOS

go-build-for-ios Build Go applications for IOS This repository contains a PoC that lets you build any Go application for IOS platform. Cross-compilati

Marcin Tojek 20 Jul 18, 2022
Nuclei is a fast tool for configurable targeted vulnerability scanning based on templates offering massive extensibility and ease of use.

Fast and customisable vulnerability scanner based on simple YAML based DSL. How • Install • For Security Engineers • For Developers • Documentation •

ProjectDiscovery 9.2k Aug 7, 2022
🌘🦊 DalFox(Finder Of XSS) / Parameter Analysis and XSS Scanning tool based on golang

Finder Of XSS, and Dal(달) is the Korean pronunciation of moon. What is DalFox ?? ?? DalFox is a fast, powerful parameter analysis and XSS scanner, bas

HAHWUL 1.9k Aug 11, 2022
ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.

ZipExec ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. This zip file is then base64 encoded i

Tylous 915 Aug 11, 2022
ARP spoofing tool based on go language, supports LAN host scanning, ARP poisoning, man-in-the-middle attack, sensitive information sniffing, HTTP packet sniffing

[ARP Spoofing] [Usage] Commands: clear clear the screen cut 通过ARP欺骗切断局域网内某台主机的网络 exit exit the program help display help hosts 主机管理功能 loot 查看嗅探到的敏感信息

Re 42 Jul 22, 2022
Gryffin is a large scale web security scanning platform.

Gryffin (beta) Gryffin is a large scale web security scanning platform. It is not yet another scanner. It was written to solve two specific problems w

Yahoo 2.1k Aug 9, 2022
Open Source Web Application Firewall

DEPRECATED This repository started as a good idea but I didn't have enough time or desire to work on it. So, it's left here for historical / education

Ahmet Salih 182 Aug 4, 2022
一款完善的安全评估工具,支持常见 web 安全问题扫描和自定义 poc | 使用之前务必先阅读文档

Welcome to xray ?? 一款功能强大的安全评估工具 ✨ Demo ?? 使用文档 ⬇️ 下载地址 注意:xray 不开源,直接下载构建的二进制文件即可,仓库内主要为社区贡献的 poc,每次 xray 发布将自动打包。 ?? 快速使用 在使用之前,请务必阅读并同意 License 文件中

Chaitin Tech 7.2k Aug 11, 2022
Fast web fuzzer written in Go

/'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \

null 7.5k Aug 13, 2022
Coraza WAF is a golang modsecurity compatible web application firewall library

Coraza Web Application Firewall, this project is a Golang port of ModSecurity with the goal to become the first enterprise-grade Open Source Web Application Firewall, flexible and powerful enough to serve as the baseline for many projects.

Juan Pablo Tosso 624 Aug 14, 2022