{"id":19167372,"url":"https://github.com/megamansec/privoxy","last_synced_at":"2025-04-19T23:30:52.115Z","repository":{"id":135084370,"uuid":"363531233","full_name":"MegaManSec/privoxy","owner":"MegaManSec","description":"A heavily edited version of Privoxy intended for fuzzing.","archived":true,"fork":false,"pushed_at":"2022-01-04T11:16:47.000Z","size":4722,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-02-22T23:26:06.986Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MegaManSec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-05-01T23:58:37.000Z","updated_at":"2024-08-12T20:12:38.000Z","dependencies_parsed_at":null,"dependency_job_id":"eb7c4718-d647-408e-9f3e-118fae9c4500","html_url":"https://github.com/MegaManSec/privoxy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MegaManSec%2Fprivoxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MegaManSec%2Fprivoxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MegaManSec%2Fprivoxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MegaManSec%2Fprivoxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MegaManSec","download_url":"https://codeload.github.com/MegaManSec/privoxy/tar.gz/
refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249830834,"owners_count":21331355,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-09T09:37:01.972Z","updated_at":"2025-04-19T23:30:52.091Z","avatar_url":"https://github.com/MegaManSec.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Privoxy Fuzzer\n\nDuring testing of different forwarding-HTTP-proxies at [Opera Software](https://github.com/operasoftware), we heavily edited [Privoxy](https://www.privoxy.org) so that it could be fuzzed with nearly complete coverage for a single input.\n\nWhile normally it is preferable for a fuzzer to concentrate on specific sub-functionality such as response handling or input handling, we decided that Privoxy's codebase is small enough (and robust enough!) that it could handle an input which acts as both a client's request and a client's response.\n\nBy implementing a 'magic-byte' \\[\\xF8 AKA ø\\], a single input is able to act as an HTTP request and an HTTP response all in the same file, and thus a more realistic codeflow from Privoxy is obtained. 
In practice, this meant that an unlimited request\u003c--\u003eserver file could be created by continuously separating each segment with the ø character.\nFor example, a file could contain _GET / HTTP/1.1\\r\\nHost: host\\r\\n\\r\\nøHTTP/1.1 200 OK\\r\\n\\r\\n_ which would successfully be parsed as both a request and a response by Privoxy.\nNo hard limit was set, and interestingly, [afl++](https://github.com/AFLplusplus/AFLplusplus) was able to create a file which correctly acted as hundreds of requests and responses. Amazingly, corpus [1228](https://github.com/MegaManSec/privoxy-fuzz/blob/master/corpus/1228) has a total of 323 completely valid HTTP requests and responses generated by the fuzzer.\n\nThere were various caveats that needed to be resolved while implementing this system, namely due to how I/O streams work. More information about the actions we took can be found here: [blog](https://blogs.opera.com/security/2021/05/fuzzing-http-proxies-privoxy-part-1/).\n\nWe implemented [leak-checking](https://github.com/AFLplusplus/AFLplusplus/pull/855) into AFL++, which we then used to identify X vulnerabilities which could cause memory exhaustion via Privoxy.\n\nThe diffs between privoxy-3.0.31-stable and our fuzzing code can be found [here](https://github.com/MegaManSec/privoxy-fuzz/commits/master): there are a couple of patches (clearly labelled) to check out.\nWe also include some [corpuses](/corpus/).
\n\nFinally, we include a [coverage report](https://megamansec.github.io/privoxy-fuzz/) which outlines exactly which lines of code and functions the fuzzer (in this case, AFL++) was able to reach.\nNearly every function which was not covered is completely unable to be fuzzed with a single input of 'request-\u003eresponse', and in some cases manual fuzzing of these functions was done (such as config file parsing).\n\nFor any adventurous readers out there, I would recommend taking a look at Privoxy's [SSL\\[1\\]](https://megamansec.github.io/privoxy-fuzz/fuzz/ssl_common.c.gcov.html) [handling\\[2\\]](https://megamansec.github.io/privoxy-fuzz/fuzz/ssl.c.gcov.html) and [network\\[1\\]](https://megamansec.github.io/privoxy-fuzz/fuzz/jbsockets.c.gcov.html) [handling\\[2\\]](https://megamansec.github.io/privoxy-fuzz/fuzz/gateway.c.gcov.html), as we did not take an in-depth look at these sections and there may be vulnerabilities to be found.\n\nIn total, 12 bugs were found:\n1) CVE-2021-20217 --- DoS\n2) CVE-2021-20272 --- DoS\n3) CVE-2021-20275 --- Buffer Overflow\n4) CVE-2021-20274 --- Null Pointer Dereferencing\n5) CVE-2021-20273 --- DoS\n6) CVE-2021-20276 --- Buffer Overflow\n7) [647353d3e6621b32696a08d66656b7c6bb8fb0a3](https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=647353d3e6621b32696a08d66656b7c6bb8fb0a3) --- Undefined memcpy behavior\n8) [9788f97d68076acffc11da82a9c65f06cd661b15](https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=9788f97d68076acffc11da82a9c65f06cd661b15) --- Undefined left shift\n9) [f018685d622080d08641471be338e5e2b698d8df](https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=f018685d622080d08641471be338e5e2b698d8df) --- Uninitialized byte reading\n10) [c78a3a27b574d049a155542724134f01648d7aac](https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=c78a3a27b574d049a155542724134f01648d7aac) --- DoS \u0026 Buffer Overflow \u0026 Null Pointer Dereferencing (only in fuzzing mode)\n11) 
[88d5b57a4a639f88c937e7b22f6fe976b4380ce9](https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=88d5b57a4a639f88c937e7b22f6fe976b4380ce9) --- DoS (only in fuzzing mode)\n12) [bc7cc845a82203f50e3fc5c1bd0dca01571749b9](https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=bc7cc845a82203f50e3fc5c1bd0dca01571749b9) --- Incorrect config loading\n\nA second round of fuzzing occurred, looking for memory leaks. 3 issues were found:\n1) CVE-2021-44540\n2) CVE-2021-44541\n3) CVE-2021-44542\n\nMost of these bugs were exploitable by remote webpages, and more information about them can be found in our [post #1](https://blogs.opera.com/security/2021/05/fuzzing-http-proxies-privoxy-part-1/) and [post #2](https://blogs.opera.com/security/2022/01/fuzzing-http-proxies-privoxy-part-3/).\n\nA big thank you to ***[Fabian Keil](https://www.fabiankeil.de/)*** for his incredibly quick patches and continued communication during this testing.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmegamansec%2Fprivoxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmegamansec%2Fprivoxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmegamansec%2Fprivoxy/lists"}