Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/c0nrad/http2fuzz
HTTP/2 fuzzer written in Golang
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/c0nrad/http2fuzz
- Owner: c0nrad
- License: bsd-3-clause
- Created: 2015-11-06T19:44:07.000Z (almost 9 years ago)
- Default Branch: master
- Last Pushed: 2016-06-12T18:58:48.000Z (over 8 years ago)
- Last Synced: 2024-06-25T09:41:41.185Z (3 months ago)
- Language: Go
- Size: 1010 KB
- Stars: 176
- Watchers: 14
- Forks: 31
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-http2 - http2fuzz - Semi-intelligent fuzzer built on Go. (Categories / Command Line Tools)
README
# http2fuzz (No longer under development)
HTTP2 fuzzer built in Golang.
![Fuzzer](/docs/http2fuzz.gif)
## Usage
```
$ make build
$ ./http2fuzz --help
Usage of ./http2fuzz:
-fuzz-delay=100: number of milliseconds to wait between each request per strategy
-listen="0.0.0.0": interface to listen from
-port="8000": port to listen from
-restart-delay=10: number a milliseconds to wait between broken connections
-target="": HTTP2 server to fuzz in host:port format
$ ./http2fuzz --target "localhost:443"
```
## Description
http2fuzz is a semi-intelligent fuzzer. It knows how to build valid http2 frames of each type (Pings/Data/Settings etc).
While it's subject to change, the core idea will be the same. The code instantiates 'fuzzer' objects. These fuzzer objects each control one TLS connection, and each fuzzer kicks off a couple of fuzzing strategies.
For example, one of the fuzzers kicks off three different strategies: PriorityFuzzer, PingFuzzer, and HeaderFuzzer. So on the single TLS connection, we are sending a bunch of Priority/Ping/Header frames with garbage values. If at any time the TLS connection goes down, the connection is reestablished.
### Strategies
SettingsFuzzer:
- Picks a random number between 0-5
- Appends that many random settings with random values to a SettingsFrame

HeaderFuzzer:
- Picks a random number between 0-5
- Appends that many random HTTP headers with random values to a HeadersFrame

PriorityFuzzer:
- Sends Priority frames with a random streamDependency, streamId, weight, and exclusive value

PingFuzzer:
- Sends a ping frame with a random 8 byte payload

ResetFuzzer:
- Sends a RST Frame with a random streamId and errorCode

WindowUpdateFuzzer:
- Sends a Window Update Frame with a random streamId, and incr value.

RawFrameFuzzer:
- Generates a random frameType (0-12), randomFlags (0-256), and streamId(2**31), and a random byte array of length 0-10000.
- Sends the invalid frame

DataFuzzer:
- Sends a Data Frame with a random streamId, endStream bool, and random payload between 0-10000 bytes

PushPromiseFuzzer:
- Sends a PushPromise Frame with a random payload of 0-10000 bytes, streamId, promiseId, endHeaders bool, and padlength (0-256)

ContinuationFuzzer:
- Sends a Continuation Frame with a random streamId, endStream bool and payload of length 0-10000 bytes.

RawTCPFuzzer:
- Establishes a TLS connection, and sends complete garbage to it. The payload is a byte array of length 0-10000.

### Fuzzers
Each fuzzer is built from strategies. Currently the fuzzers are:

Fuzzer 1:
- RawFrameFuzzer

Fuzzer 2:
- PriorityFuzzer
- PingFuzzer
- HeaderFuzzer

Fuzzer 3:
- PriorityFuzzer
- PingFuzzer
- HeaderFuzzer
- WindowUpdateFuzzer

Fuzzer 4:
- PriorityFuzzer
- PingFuzzer
- HeaderFuzzer
- ResetFuzzer

Fuzzer 5:
- SettingsFuzzer
- HeaderFuzzer

Fuzzer 6:
- DataFuzzer
- HeaderFuzzer

Fuzzer 7:
- ContinuationFuzzer
- HeaderFuzzer

Fuzzer 8:
- PushPromiseFuzzer
- HeaderFuzzer

Fuzzer 9:
- RawTCPFuzzer

Fuzzer 10:
- RawTCPFuzzer (without clientpreface)

## Code Layout
```
http2fuzz/
  certs/   Holds localhost certificates for fuzzing as an http2 server
  docs/    Holds documents and pictures
  fuzzer/  Holds the actual fuzzing code for client/server, along with an http2 connection wrapper class
  replay/  Holds code for replaying packets from a json file
  util/    Holds common utility functions
```
fuzzer/connection.go contains the Connection struct. This structure sits on top of the actual TLS/TCP connection. It defines a number of methods for sending HTTP2 frames on this connection. It also handles the HPACK encoding/decoding.
fuzzer/fuzzer.go contains all the fuzzing strategies.
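To make the RawFrameFuzzer strategy concrete, here is an added example (not code from http2fuzz) that draws the same random fields and serializes them with the 9-byte HTTP/2 frame header from RFC 7540 section 4.1. The names `RawFrame`, `RandomRawFrames`, `Encode` and `Decode` are hypothetical, and the fixed seed is an assumption added so that a frame sequence that breaks a server under test can be regenerated.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/rand"
)

type RawFrame struct { // the four fields the RawFrameFuzzer strategy randomizes
	Type, Flags uint8
	StreamID    uint32
	Payload     []byte
}

// RandomRawFrames draws n frames from a seeded source (seeding is this example's assumption).
func RandomRawFrames(seed int64, n int) []RawFrame {
	r := rand.New(rand.NewSource(seed))
	out := make([]RawFrame, n)
	for i := range out {
		p := make([]byte, r.Intn(10001)) // payload of 0-10000 bytes
		r.Read(p)
		out[i] = RawFrame{uint8(r.Intn(13)), uint8(r.Intn(256)), uint32(r.Int31()), p}
	}
	return out
}

// Encode writes the 9-byte header (24-bit length, type, flags, reserved bit + 31-bit stream ID), then the payload.
func (f RawFrame) Encode() ([]byte, error) {
	n := len(f.Payload)
	if n >= 1<<24 {
		return nil, fmt.Errorf("payload of %d bytes exceeds the 24-bit length field", n)
	}
	b := []byte{byte(n >> 16), byte(n >> 8), byte(n), f.Type, f.Flags, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(b[5:], f.StreamID&0x7fffffff)
	return append(b, f.Payload...), nil
}

// Decode parses wire bytes back into a frame and rejects a short header or truncated payload.
func Decode(b []byte) (RawFrame, error) {
	if len(b) < 9 || len(b)-9 < int(b[0])<<16|int(b[1])<<8|int(b[2]) {
		return RawFrame{}, fmt.Errorf("truncated frame: %d bytes", len(b))
	}
	n := int(b[0])<<16 | int(b[1])<<8 | int(b[2])
	return RawFrame{b[3], b[4], binary.BigEndian.Uint32(b[5:9]) & 0x7fffffff, b[9 : 9+n]}, nil
}

func main() {
	w, err := RandomRawFrames(1, 1)[0].Encode()
	fmt.Printf("wire=%d bytes, header=% x, err=%v\n", len(w), w[:9], err)
}
```

`Decode` is the logging side: run over the bytes that were written, it recovers the type, flags and stream ID of the last frame sent before a connection dropped.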
## Replay Mode
The code was recently refactored and replay mode hasn't been refactored back in yet; it only works with the raw frames fuzzer. For testing with single frames, a script like this works:
```
package main

import (
	"io"
	"net"

	"github.com/bradfitz/http2"
	"github.com/c0nrad/http2fuzz/util"
)

func main() {
	var Target = "localhost:80"

	// Open the connection and send the HTTP/2 client preface first.
	conn := Dial(Target)
	io.WriteString(conn, http2.ClientPreface)

	framer := http2.NewFramer(conn, conn)
	// FrameType, Flag, StreamId, Payload
	framer.WriteRawFrame(http2.FrameType(10), http2.Flags(16), 481004859, util.FromBase64("dZfden+U2nU/Y5uUsM3iz2XwAboFueI/xyR2"))
}

// Dial opens a plain TCP connection to host and panics on failure.
func Dial(host string) net.Conn {
	conn, err := net.Dial("tcp", host)
	if err != nil {
		panic(err)
	}
	return conn
}
```
## Contact
## Copyright
Copyright 2015 Yahoo Inc. Licensed under the BSD license, see LICENSE file for terms. Written by Stuart Larsen