{"id":29592937,"url":"https://github.com/Zigrin-Security/CakeFuzzer","last_synced_at":"2025-07-20T06:04:14.163Z","repository":{"id":160351947,"uuid":"621387225","full_name":"Zigrin-Security/CakeFuzzer","owner":"Zigrin-Security","description":"Cake Fuzzer is a project that is meant to help automatically and continuously discover vulnerabilities in web applications created based on specific frameworks with very limited false positives.","archived":false,"fork":false,"pushed_at":"2025-07-08T11:31:36.000Z","size":282,"stargazers_count":99,"open_issues_count":1,"forks_count":7,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-07-08T12:42:36.148Z","etag":null,"topics":["cybersecurity","dast","hacking","iast","sast"],"latest_commit_sha":null,"homepage":"https://zigrin.com/tools/cake-fuzzer/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Zigrin-Security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"contributing.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-03-30T15:00:59.000Z","updated_at":"2025-07-08T11:31:40.000Z","dependencies_parsed_at":"2025-07-08T12:31:32.313Z","dependency_job_id":"196eb5de-d54f-4d91-be19-83cf3b478f25","html_url":"https://github.com/Zigrin-Security/CakeFuzzer","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Zigrin-Security/CakeFuzzer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Zigrin-Security%2FCakeFuzzer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Zigrin-Security%2FCa
keFuzzer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Zigrin-Security%2FCakeFuzzer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Zigrin-Security%2FCakeFuzzer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Zigrin-Security","download_url":"https://codeload.github.com/Zigrin-Security/CakeFuzzer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Zigrin-Security%2FCakeFuzzer/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266076035,"owners_count":23872729,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","dast","hacking","iast","sast"],"created_at":"2025-07-20T06:02:19.443Z","updated_at":"2025-07-20T06:04:14.148Z","avatar_url":"https://github.com/Zigrin-Security.png","language":"Python","readme":"CakeFuzzer\n===============\n\n**Latest release**: 1.0\u003cbr\u003e\n**License**: GNU GPL v3.0\u003cbr\u003e\n\nCake Fuzzer is a project that is meant to help automatically and continuously discover vulnerabilities in web applications created based on specific frameworks with very limited false positives. 
Currently it is implemented to support the Cake PHP framework.\n\nIf you would like to learn more about the research process check out this article series: [CakePHP Application Cybersecurity Research](https://zigrin.com/cakephp-application-cybersecurity-research-white-box-penetration-testing-in-action/)\n\n# 🏆 Bugs reported 🏆\nBelow is a list of some of the bugs discovered by Cake Fuzzer:\nTitle | Severity | Link\n--- | --- | ---\nBlind SQL injection in Cerebrate | 9.8 Critical | https://zigrin.com/advisories/cerebrate-blind-sql-injection/\nSQL injection in CRUD component | 8.8 High | https://zigrin.com/advisories/misp-sql-injection-in-crud-component/\nDOM-based XSS | 6.1 Medium | https://zigrin.com/advisories/misp-dom-based-xss/\nBlind SQL injection in order parameter | 8.8 High | https://zigrin.com/advisories/misp-blind-sql-injection-in-order-parameter/\nBlind SQL injection in array input parameters | 8.8 High | https://zigrin.com/advisories/misp-blind-sql-injection-in-array-input-parameters/\nTime-based SQL injection in /Logs/index | 7.2 High | https://zigrin.com/advisories/misp-time-based-sql-injection-in-logs-index/\n\n\n# Project goals\nTypical approaches to discovering vulnerabilities using automated tools in web applications are:\n- Static Application Security Testing (SAST) – Method that involves a scanner detecting vulnerabilities based on the source code without running the application\n- Dynamic Application Security Testing (DAST) – Method that incorporates a vulnerability scanner that attacks the running application and identifies the vulnerabilities based on the application responses\n\nBoth methods have disadvantages. SAST results in a high percentage of false positives – findings that are either not vulnerabilities or not exploitable vulnerabilities. DAST results in fewer false positives but discovers fewer vulnerabilities due to the limited information. 
It also requires some knowledge about the application and a security background from the person who runs the scan. This often means a custom scan configuration per application to work properly.\n\nThe Cake Fuzzer project is meant to combine the advantages of both approaches and eliminate the above-mentioned disadvantages. This approach is called Interactive Application Security Testing (IAST).\n\nThe goals of the project are:\n\n- Create an automated process of discovering vulnerabilities in applications based on the CakePHP Framework\n- No application knowledge requirement or pre-configuration of the web application\n- Produce minimal or close to 0 false positives\n- Require minimal security knowledge to run the scanner\n\nNote: Some classes of vulnerabilities are not the target of Cake Fuzzer, therefore Cake Fuzzer will not be able to detect them. Examples of those classes are business logic vulnerabilities and access control issues.\n\n# Architecture\n## Overview\n![Cake Fuzzer architecture overview](docs/arch.png \"Cake Fuzzer architecture\")\n\nDrawio: [Cake Fuzzer Architecture](docs/arch.drawio)\n\nCake Fuzzer consists of 3 main (fairly independent) servers that in total allow for dynamic vulnerability testing of CakePHP applications.\n- AttackQueue - Scheduling and execution of attack scenarios.\n- Monitors - Monitoring of given entities (executor outputs / file contents / processes / errors).\n- Registry - Storage and classification of found vulnerabilities.\nThey run independently. AttackQueue can add new scanners to Monitors, and Monitors can schedule new attacks (e.g. based on a found vulnerability, to further attack the application).\n\nOther components include:\n- Fuzzer - defines and schedules attacks to AttackQueue (serves as the entry point)\n- Configuration - sets up application dependent info (e.g. 
path to CakePHP application)\n- Instrumentation - based on configuration defines changes to the application / OS to prepare the ground for attacks.\n\n## Approach\n\nCake Fuzzer is based on the concept of Interactive Application Security Testing (IAST). It contains a predefined set of attacks that are randomly modified before the execution. Cake Fuzzer has knowledge of the application internals thanks to the Cake PHP framework, therefore the attacks will be launched on all possible entry points of the application.\n\nDuring the attack, Cake Fuzzer monitors various aspects of the application and the underlying system such as:\n- network connection,\n- file system,\n- application response,\n- error logs.\n\nThese sources of information allow Cake Fuzzer to identify more vulnerabilities and report them with higher certainty.\n\n# Requirements\n- CakePHP Web Application installed, configured, and running. Example CakePHP web applications: MISP (https://github.com/MISP/MISP), Cerebrate (https://github.com/cerebrate-project/cerebrate)\n- PHP CLI\n\n## Development environment using MISP on VMWare virtual machine\nThe following section describes steps to set up a Cake Fuzzer development environment where the target is an outdated MISP v2.4.146 that is vulnerable to CVE-2021-41326.\n\n### Requirements\n- VMWare Workstation (Other virtualization platforms can be used as long as they support sharing/mounting directories between host and guest OS)\n\n### Steps\nRun the following commands on your host operating system to download an outdated MISP VM:\n```bash\ncd ~/Downloads # Or wherever you want to store the MISP VM\nwget https://vm.misp-project.org/MISP_v2.4.146@0c25b72/MISP_v2.4.146@0c25b72-VMware.zip -O MISP.zip\nunzip MISP.zip\nrm MISP.zip\nmv VMware/ MISP-2.4.146\n```\n\nConduct the following actions in the VMWare GUI to prepare sharing Cake Fuzzer files between your host OS and MISP:\n1. 
Open the virtual machine in VMWare and go to \u003e Settings \u003e Options \u003e Shared Folders \u003e Add.\n2. Mount the directory where you keep Cake Fuzzer on your host OS and name it cake_fuzzer on the VM.\n3. Start the VM.\n4. Note the IP address displayed in the VMWare window after MISP fully boots up.\n\nRun the following commands on your host OS (replace `MISP_IP_ADDRESS` with the previously noted IP address):\n```bash\nssh-copy-id misp@MISP_IP_ADDRESS\nssh misp@MISP_IP_ADDRESS\n```\n\nOnce you SSH into MISP, run the following commands (in the MISP terminal) to finish setting up the sharing of Cake Fuzzer files between the host OS and MISP:\n```bash\nsudo apt update\nsudo apt-get -y install open-vm-tools open-vm-tools-desktop\nsudo apt-get -y install build-essential module-assistant linux-headers-virtual linux-image-virtual \u0026\u0026 sudo dpkg-reconfigure open-vm-tools\nsudo mkdir /cake_fuzzer # Note: This path is fixed as it's hardcoded in the instrumentation (one of the patches)\nsudo vmhgfs-fuse .host:/cake_fuzzer /cake_fuzzer -o allow_other -o uid=1000 -o max_write=61440\n# max_write fixes weird file copy bug: https://github.com/vmware/open-vm-tools/issues/437#issuecomment-669663891\nls -l /cake_fuzzer # If everything went fine you should see the content of the Cake Fuzzer directory from your host OS. 
Any changes on your host OS will be reflected inside the VM and vice-versa.\n```\n\nPrepare MISP for simple testing (in the MISP terminal):\n```bash\nCAKE=/var/www/MISP/app/Console/cake\nSUDO='sudo -H -u www-data'\n$CAKE userInit -q\n$SUDO $CAKE Admin setSetting \"Security.password_policy_length\" 1\n$SUDO $CAKE Admin setSetting \"Security.password_policy_complexity\" '/.*/'\n$SUDO $CAKE Password admin@admin.test admin --override_password_change\n```\n\nFinally install the Cake Fuzzer dependencies and prepare the venv (in the MISP terminal):\n```bash\nsource /cake_fuzzer/precheck.sh\n```\n\n\n## Contribution to Vulnerability Database\nCake Fuzzer scans for the vulnerabilities defined inside the `/cake_fuzzer/strategies` folder.\n\nTo add a new attack, add a new `new-attack.json` file to the `strategies` folder.\nEach vulnerability definition contains 2 major fields: `Scenarios` and `Scanners`. Scenarios hold the base forms of the attack payloads. Scanners, on the other hand, define the regular expressions or phrases to detect in the response, stdout, stderr, logs, and results.\n\n#### Creating payload for `Scenarios`\nTo create a payload, first you need to understand the vulnerability and how to detect it with as few payloads as possible.\n\n- While constructing the scenario you should think of as generic a payload as possible. However, the more generic the payload, the higher the chance that it will produce false positives.\n\n- It is preferable to use a canary value such as `__cakefuzzer__new-attack_§CAKEFUZZER_PAYLOAD_GUID§__` in your scenarios.\nA canary value contains a fixed string (for example: `__cakefuzzer__new-attack_`) and a dynamic identifier that is replaced by the fuzzer (the GUID part `§CAKEFUZZER_PAYLOAD_GUID§`). The first canary part is used to ensure that the payload is detected by `Scanners`. The second canary part, the GUID, is translated to a pseudo-random value on every execution of your payload. 
So whenever your payload is injected into a parameter used by the application, the canary will be changed to something like this: `__cakefuzzer__new-attack_8383938__`, where the `8383938` is unique across all other attacks.\n\n#### Detecting and generating `Scanners`\nTo create a scanner, first you need to understand how the application may behave when the vulnerability is triggered. There are a few scanner types that you can use, such as response, stderr, logs, files, and processes. Each scanner serves a different purpose.\n\nFor example, when you are building a scanner for an XSS, you will look for the indication of the vulnerability in the HTML response of the application. You can use the `ResultOutputScanner` scanner to look for the canary value and payload. On the other hand, SQL Injection vulnerabilities could be detected via error logs. For that purpose you can use `LogFilesContentsScanner` and `ResultErrorsScanner`.\n\n- One of the important points of creating a scanner is finding a regular expression or a phrase that does not catch false-positive values. If you want to contribute a new vulnerability, you should ensure that there are no false positives by using the new vulnerability in scans.\n- The last attribute of these `Scanner` regular expressions is efficiency. Avoid using regexes that match all cases, such as `.*` or `.+`. They are very time consuming and drastically increase the time required to finish the entire scan.\n\n#### Efficiency\nAs mentioned before, efficiency is an important part of the vulnerability definitions. Both `Scenarios` and `Scanners` should include as few elements as possible. This is because Cake Fuzzer executes every single scenario in all possible detected paths multiple times. On the other hand, all responses, new log entries, etc. are constantly checked by the Scanners. 
There will be a lot of parameters, paths, and end-points detected, and therefore every additional payload or `Scanner` affects the efficiency quite a lot.\n\n### Removing Specific Vulnerability\nIf you do not want to scan for a specific vulnerability class, remove the corresponding json file from the `strategies` folder, clean the database and run the fuzzer again.\n\nFor example, if you do not want to scan your application for SQL Injection vulnerabilities, do the following steps:\n\nFirst of all remove the already prepared attack scenarios. To achieve this, delete all files inside the `/cake_fuzzer/databases` folder:\n```\nrm  /cake_fuzzer/databases/*\n```\n\nAfter that remove the `sqlinj.json` file from `/cake_fuzzer/strategies`:\n```\nrm /cake_fuzzer/strategies/sqlinj.json\n```\n\nFinally re-run the fuzzer; all cake_fuzzer processes will run without any SQL Injection attack being executed.\n\n\n# PoC Usage\n\n## Installation\n### Clone repository\n```\ngit clone https://github.com/Zigrin-Security/CakeFuzzer /cake_fuzzer\n```\n\u003e **Warning**\n\u003e Cake Fuzzer won't work properly if it's under a different path than `/cake_fuzzer`. 
Keep in mind that it has to be placed under the root directory of the file system, next to `/root`, `/tmp`, and so on.\n\n### Change directory to repository\n```bash\ncd /cake_fuzzer\n```\n\n### Venv\nEnter the virtual environment if you are not already in it:\n```bash\nsource /cake_fuzzer/precheck.sh\n```\nOR\n```bash\nsource venv/bin/activate\n```\n\n## Configuration\n```bash\ncp config/config.example.ini config/config.ini\n```\n\nConfigure config/config.ini:\n```ini\nWEBROOT_DIR=\"/var/www/html\"         # Path to the tested application's `webroot` directory\nCONCURRENT_QUEUES=5                            # [Optional] Number of attacks executed concurrently at once\nONLY_PATHS_WITH_PREFIX=\"/\"                      # [Optional] Fuzzer will generate attacks only for paths starting with this prefix\nEXCLUDE_PATHS=\"\"                                # [Optional] Fuzzer will exclude from scanning all paths that match this regular expression. If it's empty, all paths will be processed\nPAYLOAD_GUID_PHRASE=\"§CAKEFUZZER_PAYLOAD_GUID§\" # [Optional] Internal keyword that is substituted right before the attack with a unique payload id\nINSTRUMENTATION_INI=\"config/instrumentation_cake4.ini\" # [Optional] Path to custom instrumentations of the application.\n```\n\n## Execution\n### Start component processes\n\n\u003e **Warning**\n\u003e During the Cake Fuzzer scan, multiple functionalities of your application will be invoked in an uncontrolled manner multiple times. This may result in issuing connections to external services your application is connected to, and pulling or pushing data from/to them. It is highly recommended to run Cake Fuzzer in an isolated, controlled environment without access to sensitive external services.\n\n\u003e **Note**\n\u003e Cake Fuzzer bypasses blackholing, CSRF protections, and authorization. It sends all attacks with the privileges of the first user in the database. 
It is recommended that this user has the highest permissions.\n\n\nThe application consists of several components.\n\n\u003e **Warning**\n\u003e All cake_fuzzer commands have to be executed as root.\n\nBefore starting the fuzzer make sure your target application is fully instrumented:\n```bash\npython cake_fuzzer.py instrument check\n```\n\nIf there are some unapplied changes, apply them with:\n```bash\npython cake_fuzzer.py instrument apply\n```\n\nTo run Cake Fuzzer do the following (it's recommended to use at least 3 separate terminals):\n```bash\n# First Terminal\npython cake_fuzzer.py run fuzzer                  # Generates attacks, adds them to the QUEUE and registers new SCANNERS (then exits)\npython cake_fuzzer.py run periodic_monitors       # Responsible for monitoring (use CTRL+C to stop \u0026 exit at the end of the scan)\n\n# Second terminal\npython cake_fuzzer.py run iteration_monitors     # Responsible for monitoring (use CTRL+C to stop \u0026 exit at the end of the scan)\n\n# Third terminal\npython cake_fuzzer.py run attack_queue            # Starts the ATTACK QUEUE (use CTRL+C to stop \u0026 exit at the end of the scan)\n\n# Once all attacks are executed\npython cake_fuzzer.py run registry                # Generates `results.json` based on found vulnerabilities\n```\n\nNote: There is currently a bug that can change the owner of logs (or any other dynamically changed files of the target web app).\nThis may cause errors when normally using the web application or even false negatives on future Cake Fuzzer executions.\nFor MISP we recommend running the following after every execution of the fuzzer:\n```bash\nsudo chown -R www-data:www-data /var/www/MISP/app/tmp/logs/\n```\n\nOnce your scan finishes, revert the instrumentation:\n```bash\npython cake_fuzzer.py instrument revert\n```\n\n## To Run Again\nTo run Cake Fuzzer again, do the following:\n\nDelete the application's logs (for example, MISP logs are stored in `/var/www/MISP/app/tmp/logs`)\n```\nrm  
/var/www/MISP/app/tmp/logs/*\n```\n\nDelete all files inside the `/cake_fuzzer/databases` folder\n```\nrm  /cake_fuzzer/databases/*\n```\n\nDelete the `cake_fuzzer/results.json` file (first, do not forget to save or examine the previous scan results)\n```\nrm  /cake_fuzzer/results.json\n```\n\nFinally, follow the previous running process again with 3 terminals\n\n\n# FAQ / Troubleshooting\n### Attack Queue seems like doing nothing\nThe attack queue marks executed attacks in the database as 'executed', so to run the whole suite again you need to remove the database and add the attacks again.\n\nMake sure to kill the monitors and attack queues before removing the database.\n```\nrm database.db*\npython cake_fuzzer.py run fuzzer\npython cake_fuzzer.py run attack_queue\n```\n\n### Target app does not save logs to log files\nThis is likely due to the fact that the previous log files were overwritten by root. Cake Fuzzer operates as root, so new log files will be created with root as the owner. Remove them, or make them writable for the web server:\n```\nchmod -R a+w /var/www/MISP/app/tmp/logs/*\n```\n\n### No files in /cake_fuzzer dir of a VM after a reboot\nIf you use a VM that shares the Cake Fuzzer directory with your host machine, make sure that the host directory is properly attached to the guest VM:\n```\nsudo vmhgfs-fuse .host:/cake_fuzzer /cake_fuzzer -o allow_other -o uid=1000\n```\n\n### Target app crashes after running Cake Fuzzer\nCake Fuzzer has to be located under the root directory of the machine and the base directory name should be `cake_fuzzer` specifically.\n```bash\nmv CakeFuzzer/ /cake_fuzzer\n```\n\n### \"Patch\" errors while running `instrument apply`\nThe instrumentation process is a part of the Cake Fuzzer execution flow. When you run `instrument apply` followed by `instrument check`, both of these commands should result in the same number of changes.\n\n\nIf you get any \"patch\" error you could apply the patches manually and delete the problematic patch file. 
Patches are located under the `/cake_fuzzer/cakefuzzer/instrumentation/pathces` directory.\n\n\n### Dependency errors\nIf you have a python dependency error while installing or running, manually install the dependencies after switching to the virtual environment.\n\nFirst switch to the virtual environment\n```bash\nsource venv/bin/activate\n```\n\nAfter that you can install the dependencies with pip3.\n```bash\npip3 install -r requriments.txt\n```\n\n# Credits\n\n## Inspiration\nThis project was inspired by:\n- Automatic Detection of Vulnerabilities in Web Applications using Fuzzing by Miguel Filipe Beatriz – https://fenix.tecnico.ulisboa.pt/downloadFile/563345090413029/ExtendedAbstract-MEICA-67039-MiguelBeatriz.pdf\n- WPGarlic by Krzysztof Zając – https://github.com/kazet/wpgarlic\n\n## Commission\nThis project was commissioned by:\n![Cake Fuzzer Luxembourg Armed Forces](docs/luxembourg-armed-forces.svg \"Luxembourg Armed Forces\")\n\n## Initial contributors\n- [Dawid Czarnecki](https://github.com/dawid-czarnecki/) (original author)\n- [Adam Bobowski](https://github.com/Bobowski) (lead developer)\n- [@Kattorne](https://github.com/Kattorne)\n- [Ulaş Deniz İlhan](https://github.com/denizilhan)","funding_links":[],"categories":["Web","IAST"],"sub_categories":["Scanning / Pentesting"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FZigrin-Security%2FCakeFuzzer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FZigrin-Security%2FCakeFuzzer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FZigrin-Security%2FCakeFuzzer/lists"}