{"id":25658915,"url":"https://github.com/nsecho/furlzz","last_synced_at":"2025-04-06T06:14:21.315Z","repository":{"id":194647001,"uuid":"690763851","full_name":"NSEcho/furlzz","owner":"NSEcho","description":"Fuzz iOS URL schemes","archived":false,"fork":false,"pushed_at":"2024-11-25T16:50:29.000Z","size":2870,"stargazers_count":113,"open_issues_count":5,"forks_count":11,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-30T05:09:16.809Z","etag":null,"topics":["frida","fuzzing","ios"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NSEcho.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-09-12T20:35:52.000Z","updated_at":"2025-02-24T10:41:25.000Z","dependencies_parsed_at":"2024-01-24T22:27:18.002Z","dependency_job_id":"2bab4d4c-2e97-4ca3-b83c-9d0e4f63f179","html_url":"https://github.com/NSEcho/furlzz","commit_stats":null,"previous_names":["nsecho/furlzz"],"tags_count":27,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NSEcho%2Ffurlzz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NSEcho%2Ffurlzz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NSEcho%2Ffurlzz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NSEcho%2Ffurlzz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NSEcho","download_url":"https://codeload.github.com/NSEcho/furlzz/tar.gz/refs/heads/main","host
":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247441063,"owners_count":20939239,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["frida","fuzzing","ios"],"created_at":"2025-02-24T00:29:50.894Z","updated_at":"2025-04-06T06:14:21.296Z","avatar_url":"https://github.com/NSEcho.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# furlzz\n\n![Running against Telegram](telegram.png)\n\nfurlzz is a small fuzzer written to test out iOS URL schemes.\nIt does so by attaching to the application using Frida and based on the input/seed it mutates the data \nand tries to open the mutated URL. furlzz works in-process, meaning you aren't actually opening \nthe URL using apps such as SpringBoard. furlzz supports universal links which are being used with \n`scene:continueUserActivity` and `application:continueUserActivity`. 
On some applications it is worth trying to use `app` as the method for custom links, because that \ncan work as well.\n\n# Installation\n\nDownload prebuilt binaries from [here](https://github.com/NSEcho/furlzz/releases) or do it manually.\n\nTo manually install furlzz, do:\n* Follow the instructions for devkit documented [here](https://github.com/frida/frida-go)\n* Run `go install github.com/nsecho/furlzz@latest`\n\n# Usage\n\n## Binary\n\nSimply run the binary with the corresponding flags, attaching either over USB or over the network with the `-n` flag.\n\n```bash\n$ furlzz fuzz --help\nFuzz URL scheme\n\nUsage:\n  furlzz fuzz [flags]\n\nFlags:\n  -a, --app string        Application name to attach to (default \"Gadget\")\n  -b, --base string       base URL to fuzz\n  -c, --crash             ignore previous crashes\n  -d, --delegate string   if the method is scene_activity, you need to specify UISceneDelegate class\n  -f, --function string   apply the function to mutated input (url, base64)\n  -h, --help              help for fuzz\n  -i, --input string      path to input directory\n  -m, --method string     method of opening url (delegate, app) (default \"delegate\")\n  -n, --network string    Connect to remote network device (default is \"USB\")\n  -r, --runs uint         number of runs\n  -s, --scene string      scene class name\n  -t, --timeout uint      sleep X seconds between each case (default 1)\n  -u, --uiapp string      UIApplication name\n```\n\n## Docker\nStarting from `2.5.0`, furlzz can be run inside a Docker container; visit [Dockerfile.md](./Dockerfile.md) \nfor the full documentation.\n\nThere are basically two ways you can go with fuzzing using `furlzz`:\n\n* give a base URL (`--base`) with the `FUZZ` keyword in it, along with an `--input` directory containing inputs\n* just give a base URL without the `FUZZ` keyword, which fuzzes the raw base URL passed (less efficient)\n\nfurlzz supports two post-process methods right now: url and base64. 
The first one URL-encodes \nthe mutated input, while the second one generates base64 from it.\n\n# Fuzzing\n\n1. Figure out the method of opening URLs inside the application (with `frida-trace` for example)\n2. Find out the base URL\n3. Create some inputs\n4. Pass the flags to `furlzz fuzz`\n5. Most of the time, values have to be URL encoded, so use `--function url`\n6. Adjust the timeout if you would like to go with slower fuzzing\n7. If a crash happens, replay it with `furlzz crash`, passing the created session and crash files\n\n\n\n# Mutations\n\n* `insert` - inserts a random byte at a random location inside the input\n* `del` - deletes a random byte\n* `substitute` - substitutes the byte at a random position with a random byte\n* `byteOp` - takes a random byte and a random position inside the string and does an arithmetic operation on them (+, -, *, /)\n* `duplicateRange` - duplicates a random range inside the original string a random number of times\n* `bitFlip` - flips a bit at a random position inside a random location in the input\n* `bitmask` - applies a random bitmask at a random location inside the string\n* `duplicate` - duplicates the original string a random number of times (2 \u003c 10)\n* `multiple` - runs other mutations a random number of times\n\n# URL open methods\n\nRight now furlzz supports a couple of methods of opening URLs:\n* `delegate` when the application uses `-[AppDelegate application:openURL:options:]`\n* `app` when the application is using `-[UIApplication openURL:]`\n* `scene_activity` - when the application is using `-[UISceneDelegate scene:continueUserActivity]` - Universal Links\n* `scene_context` when the application is using `-[UISceneDelegate scene:openURLContexts:]`\n* `delegate_activity` when the application is using `-[AppDelegate application:continueUserActivity:restorationHandler]` - Universal Links\n\n# Additional flags\n\n* For the method of `scene_activity` you need to pass the `UISceneDelegate` class name\n* For the method of `delegate` you need to pass the 
`AppDelegate` class name\n* For the method of `scene_context` you need to pass the `UISceneDelegate` class name\n* For the method of `delegate_activity` you need to pass the `AppDelegate` class name\n\nPRs are more than welcome to extend any functionality inside furlzz\n\n# Crashes found\n\n* [Bear 2.0.10](https://www.ns-echo.com/posts/furlzz_fuzzing_bear.html)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnsecho%2Ffurlzz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnsecho%2Ffurlzz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnsecho%2Ffurlzz/lists"}