PyJFuzz - Python JSON Fuzzer
https://github.com/mseclab/PyJFuzz

crash fuzzer fuzzing json json-api json-schema json-serialization process-crashes
[![LOGO](https://s30.postimg.org/iolw8xqn5/logo.png)](https://s30.postimg.org/iolw8xqn5/logo.png)
=======
**PyJFuzz** is a small, extensible and ready-to-use framework used to **fuzz JSON inputs**, such as mobile REST API endpoints, JSON implementations, browsers, CLI executables and much more.


Version

1.1.0



Homepage
http://www.mseclab.com/

Github
https://github.com/mseclab/PyJFuzz


Author
Daniele Linguaglossa (@dzonerzy)


License
MIT - (see LICENSE file)

Installation
============

**Dependencies**

In order to work, PyJFuzz needs some dependencies: **bottle**, **netifaces**, **GitPython** and **gramfuzz**. You can install them through the automatic **setup.py** installation.

**Installation**

You can install PyJFuzz with the following command

```bash
git clone https://github.com/mseclab/PyJFuzz.git && cd PyJFuzz && sudo python setup.py install
```

Documentation and Examples
==========================

**CLI tool**

Once installed, PyJFuzz provides both a Python library and a command-line utility called **pjf** (screenshot below)

[![MENU](https://s17.postimg.org/6gvbyvzpb/cmdline.png)](https://s17.postimg.org/6gvbyvzpb/cmdline.png)

[![PJF](https://s16.postimg.org/rdq1iwwvp/cmdline2.png)](https://s16.postimg.org/rdq1iwwvp/cmdline2.png)

**Library**

PyJFuzz can also be used as a library; you can import it in your project as follows

```python
from pyjfuzz.lib import *
```
**Classes**

The available objects/classes are the following:

- ***PJFServer*** - Used to start and stop the built-in HTTP and HTTPS servers
- ***PJFProcessMonitor*** - Used to monitor process crashes; it automatically restarts the process each time it crashes
- ***PJFTestcaseServer*** - The testcase server is used in conjunction with PJFProcessMonitor: whenever a process crashes, the testcase server registers and stores the JSON which caused the crash
- ***PJFFactory*** - The main object used to do the actual fuzzing of JSON objects
- ***PJFConfiguration*** - The configuration object for each of the available objects
- ***PJFExternalFuzzer*** - Used by PJFFactory; an auxiliary class which provides an interface to other command-line fuzzers such as *radamsa*
- ***PJFMutation*** - Used by PJFFactory; provides all the mutations used during a fuzzing session
- ***PJFExecutor*** - Provides an interface to interact with external processes

[![CLASSES](https://s4.postimg.org/7picu4y3h/lib.png)](https://s4.postimg.org/7picu4y3h/lib.png)

**Examples**

Below are some trivial examples of how to implement a PyJFuzz-powered program

*simple_fuzzer.py*
```python
from argparse import Namespace
from pyjfuzz.lib import *

# Build a configuration from a Namespace, exactly as the pjf CLI would do after argument parsing
config = PJFConfiguration(Namespace(json={"test": ["1", 2, True]}, nologo=True, level=6))
fuzzer = PJFFactory(config)
# Every access to fuzzer.fuzzed yields a new mutated JSON document
while True:
    print(fuzzer.fuzzed)
```

*custom_techniques.py*
```python
from argparse import Namespace
from pyjfuzz.lib import *

# Techniques may be defined by group, or by technique number.
# Groups are CHTPRSX; to understand what they are, run pyjfuzz with the -h switch or look at the command-line screenshot.
# The line below initializes a config object which uses only the P group attacks, where P stands for Path Traversal
config = PJFConfiguration(Namespace(json={"test": ["1", 2, True]}, nologo=True, level=6, techniques="P"))
# Once a config object is defined you can access config.techniques to view the techniques selected for your group
print("Techniques IDs: {0}".format(str(config.techniques)))
# You can also modify them!
config.techniques = [2]
# This way only attack number 2 (LFI attack) will be performed!
fuzzer = PJFFactory(config)
while True:
    print(fuzzer.fuzzed)
```

*simple_server.py*
```python
from argparse import Namespace
from pyjfuzz.lib import *

# debug=True enables debug prints, indent=True pretty-prints the served JSON
config = PJFConfiguration(Namespace(json={"test": ["1", 2, True]}, nologo=True, level=6, debug=True, indent=True))
# Start the built-in HTTP/HTTPS servers that serve fuzzed JSON to clients
PJFServer(config).run()
```

Sometimes you may need to modify settings that are not exposed as options, such as the HTTPS or HTTP server port; this can be done in the following way

```python
from argparse import Namespace
from pyjfuzz.lib import *

config = PJFConfiguration(Namespace(json={"test": ["1", 2, True]}, nologo=True, level=6, indent=True))
# Default ports used by the built-in servers
print(config.ports["servers"]["HTTP_PORT"])   # 8080
print(config.ports["servers"]["HTTPS_PORT"])  # 8443
print(config.ports["servers"]["TCASE_PORT"])  # 8888
config.ports["servers"]["HTTPS_PORT"] = 443   # Change HTTPS port to 443
```
**Remember**: *When changing default ports, you should always handle the exception raised when the process lacks the privileges needed to bind them!*

Below is a comprehensive list of all available settings / customizations of the PJFConfiguration object:

**Configuration table**

| Name | Type | Description |
|------|------|-------------|
| json | dict | JSON object to fuzz |
| json_file | str | Path to a JSON file |
| parameters | `list<str>` | List of parameters to fuzz (taken from the JSON object) |
| techniques | `str<int>` | String of enabled attacks used to generate the fuzzed JSON, such as XSS, LFI etc., e.g. "CHPTRSX" (see the techniques table) |
| level | int | Fuzzing level in the range 0-6 |
| utf8 | bool | If true, switch from unicode encoding to pure byte representation |
| indent | bool | Set whether to indent the result object |
| url_encode | bool | Set whether to URL-encode the result object |
| strong_fuzz | bool | Set whether to use strong fuzzing (strong fuzzing does not maintain the JSON structure; useful for parser fuzzing) |
| debug | bool | Set whether to enable debug prints |
| exclude | bool | Exclude from fuzzing the parameters selected by the parameters option |
| notify | bool | Set whether to notify the process monitor when a crash occurs (only used with PJFServer) |
| html | str | Path to an HTML directory to serve within PJFServer |
| ext_fuzz | bool | Set whether to use the binary from "command" as an external fuzzer |
| cmd_fuzz | bool | Set whether to use the binary from "command" as the fuzzer target |
| content_type | str | Set the content type of the PJFServer result (default application/json) |
| command | `list<str>` | Command to execute; each parameter is a list element, you can use shlex.split from Python |
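
The crash-monitoring loop that PJFProcessMonitor, PJFTestcaseServer and the `command` setting describe, as an added stand-alone example that is not PyJFuzz code: it replays constructed JSON testcases through a target given as a `shlex.split` argument list, classifies signal deaths, error exits and hangs, and keeps only the testcases that caused them. The target is a throwaway Python one-liner parsing stdin, standing in for a real binary under test.

```python
import json
import shlex
import subprocess
import sys
from typing import Dict, List

# Constructed stand-in target (not a real fuzz target): the interpreter parsing
# JSON from stdin exits non-zero on malformed input, so the harness runs offline.
TARGET_COMMAND: List[str] = shlex.split(
    shlex.quote(sys.executable) + ' -c "import json, sys; json.load(sys.stdin)"'
)

# Constructed testcases: the README's sample object, a truncated copy of it and
# a deeply nested array that exhausts the parser's recursion limit.
SAMPLE_TESTCASES: List[str] = [
    json.dumps({"test": ["1", 2, True]}),
    '{"test": ["1", 2, true',
    "[" * 5000,
]


def run_testcase(command: List[str], testcase: str, timeout: float = 10.0) -> Dict:
    """Feed one testcase to the target's stdin and classify how it ended.

    On POSIX a negative return code means the process died from a signal
    (SIGSEGV, SIGABRT, ...), which is how a memory-safety bug shows up; any
    other non-zero status is an unhandled error exit; a timeout is a hang.
    """
    try:
        proc = subprocess.run(command, input=testcase.encode(),
                              capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"status": "hang", "code": None, "testcase": testcase}
    if proc.returncode < 0:
        return {"status": "signal", "code": -proc.returncode, "testcase": testcase}
    if proc.returncode != 0:
        return {"status": "error", "code": proc.returncode, "testcase": testcase}
    return {"status": "ok", "code": 0, "testcase": testcase}


def collect_crashers(command: List[str], testcases: List[str]) -> List[Dict]:
    """Replay every testcase and keep those that did not end cleanly, i.e. the
    JSON a testcase server would store for later reproduction."""
    return [r for r in (run_testcase(command, t) for t in testcases)
            if r["status"] != "ok"]


if __name__ == "__main__":
    for hit in collect_crashers(TARGET_COMMAND, SAMPLE_TESTCASES):
        print(hit["status"], hit["code"], hit["testcase"][:60])
```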

**Techniques table**

| Index | Description |
|-------|-------------|
| 0 | XSS injection (Polyglot) |
| 1 | SQL injection (Polyglot) |
| 2 | LFI attack |
| 3 | SQL injection polyglot (2) |
| 4 | XSS injection (Polyglot) (2) |
| 5 | RCE injection (Polyglot) |
| 6 | LFI attack (2) |
| 7 | Data URI attack |
| 8 | LFI and HREF attack |
| 9 | Header injection |
| 10 | RCE injection (Polyglot) (2) |
| 11 | Generic template injection |
| 12 | Flask template injection |
| 13 | Random character attack |

Screenshots
===========

Below are some screenshots, just to show what you should expect from PyJFuzz

[![CLI](https://s18.postimg.org/qu5j9pw09/ext_fuzz.png)](https://s18.postimg.org/qu5j9pw09/ext_fuzz.png)

[![CLI2](https://s11.postimg.org/qtgi9dro3/filefuzz.png)](https://s11.postimg.org/qtgi9dro3/filefuzz.png)

[![CLI3](https://s15.postimg.org/7jn4ktkcb/processm.png)](https://s15.postimg.org/7jn4ktkcb/processm.png)

Built-in tool
===========
PyJFuzz ships with a built-in tool called **PyJFuzz Web Fuzzer**. This tool provides an automatic fuzzing console via the HTTP and HTTPS servers, and it can be used to easily fuzz almost any web browser, even when you can't control the process state!

There are two switches used to launch this tool (--browser-auto and --fuzz-web): the first one performs an automatic browser restart when a crash occurs, the other one tries to detect when a browser stops making requests. Both of them always save the testcases; some screenshots are below.

[![FUZZ](https://s18.postimg.org/ulahts5bt/fuzzweb.png)](https://s18.postimg.org/ulahts5bt/fuzzweb.png)

[![FUZZ2](https://s17.postimg.org/74s3qidrj/fuzzweb2.png)](https://s17.postimg.org/74s3qidrj/fuzzweb2.png)

[![BROWSERAUTO](https://s18.postimg.org/j0t67tabt/auto.png)](https://s18.postimg.org/j0t67tabt/auto.png)

[![BROWSERAUTO2](https://s15.postimg.org/qj2o5it2z/auto2.png)](https://s15.postimg.org/qj2o5it2z/auto2.png)

Issue
=====

Please report any issue via GitHub; I'll provide a fix as soon as possible.

Result
======
*Below is a list of known issues found by PyJFuzz; the list will be updated weekly*

- Double free in cJSON (https://github.com/DaveGamble/cJSON/issues/105)
- Unhandled exception in picojson (https://github.com/kazuho/picojson/issues/94)
- Memory leak in simpleJSON (https://github.com/nbsdx/SimpleJSON/issues/8)
- Stack base buffer overflow in frozen (https://github.com/cesanta/frozen/issues/14)
- Memory corruption with custom EIP (https://github.com/cesanta/frozen/issues/15)

End
===

Thanks for using PyJFuzz!

***Happy Fuzzing*** from mseclab