All Projects → fuzzitdev → Javafuzz

fuzzitdev / Javafuzz

Licence: apache-2.0
coverage guided fuzz testing for java

Programming Languages

java
68154 projects - #9 most used programming language

Projects that are alternatives of or similar to Javafuzz

Honggfuzz Rs
Fuzz your Rust code with Google-developed Honggfuzz !
Stars: ✭ 222 (+15.03%)
Mutual labels:  fuzzing, fuzzer, fuzz-testing
Sharpfuzz
AFL-based fuzz testing for .NET
Stars: ✭ 185 (-4.15%)
Mutual labels:  fuzzing, fuzzer, fuzz-testing
Pythonfuzz
coverage guided fuzz testing for python
Stars: ✭ 175 (-9.33%)
Mutual labels:  fuzzing, fuzzer, fuzz-testing
Jsfuzz
coverage guided fuzz testing for javascript
Stars: ✭ 532 (+175.65%)
Mutual labels:  fuzzing, fuzzer, fuzz-testing
Aflplusplus
The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!
Stars: ✭ 2,319 (+1101.55%)
Mutual labels:  fuzzing, fuzzer, fuzz-testing
fuzzuf
Fuzzing Unification Framework
Stars: ✭ 263 (+36.27%)
Mutual labels:  fuzzing, fuzz-testing, fuzzer
Ansvif
A Not So Very Intelligent Fuzzer: An advanced fuzzing framework designed to find vulnerabilities in C/C++ code.
Stars: ✭ 107 (-44.56%)
Mutual labels:  fuzzing, fuzzer, fuzz-testing
Fuzzdicts
Web Pentesting Fuzz 字典,一个就够了。
Stars: ✭ 4,013 (+1979.27%)
Mutual labels:  fuzzing, fuzzer, fuzz-testing
Syzkaller
syzkaller is an unsupervised coverage-guided kernel fuzzer
Stars: ✭ 3,841 (+1890.16%)
Mutual labels:  fuzzing, fuzzer, fuzz-testing
Example Go
Go Fuzzit Example
Stars: ✭ 39 (-79.79%)
Mutual labels:  fuzzing, fuzzer, fuzz-testing
Libdiffuzz
Custom memory allocator that helps discover reads from uninitialized memory
Stars: ✭ 147 (-23.83%)
Mutual labels:  fuzzing, fuzz-testing
Afl Patches
Patches to afl to fix bugs or add enhancements
Stars: ✭ 76 (-60.62%)
Mutual labels:  fuzzing, fuzzer
Test Each
🤖 Repeat tests. Repeat tests. Repeat tests.
Stars: ✭ 89 (-53.89%)
Mutual labels:  fuzzing, fuzz-testing
Book
📖 Guides and tutorials on how to fuzz Rust code
Stars: ✭ 67 (-65.28%)
Mutual labels:  fuzzing, fuzz-testing
Awesome Directed Fuzzing
A curated list of awesome directed fuzzing research papers
Stars: ✭ 77 (-60.1%)
Mutual labels:  fuzzing, fuzz-testing
Burpsuite Collections
BurpSuite收集:包括不限于 Burp 文章、破解版、插件(非BApp Store)、汉化等相关教程,欢迎添砖加瓦---burpsuite-pro burpsuite-extender burpsuite cracked-version hackbar hacktools fuzzing fuzz-testing burp-plugin burp-extensions bapp-store brute-force-attacks brute-force-passwords waf sqlmap jar
Stars: ✭ 1,081 (+460.1%)
Mutual labels:  fuzzing, fuzz-testing
Afl.rs
🐇 Fuzzing Rust code with American Fuzzy Lop
Stars: ✭ 1,013 (+424.87%)
Mutual labels:  fuzzing, fuzz-testing
Crlf Injection Scanner
Command line tool for testing CRLF injection on a list of domains.
Stars: ✭ 91 (-52.85%)
Mutual labels:  fuzzing, fuzzer
Janus
Janus: a state-of-the-art file system fuzzer on Linux
Stars: ✭ 139 (-27.98%)
Mutual labels:  fuzzing, fuzzer
Clusterfuzz Tools
Bugs are inevitable. Suffering is optional.
Stars: ✭ 111 (-42.49%)
Mutual labels:  fuzzing, fuzzer

fuzzit.dev was acquired by GitLab and the new home for this repo is here

Javafuzz: coverage-guided fuzz testing for Java

Javafuzz is coverage-guided fuzzer for testing Java packages.

Fuzzing for safe languages like nodejs is a powerful strategy for finding bugs like unhandled exceptions, logic bugs, security bugs that arise from both logic bugs and Denial-of-Service caused by hangs and excessive memory usage.

Fuzzing can be seen as a powerful and efficient strategy in real-world software in addition to classic unit-tests.

Usage

Fuzz Target

The first step is to implement the following function (also called a fuzz target):

public class FuzzExample extends AbstractFuzzTarget {
    public void fuzz(byte[] data) {
        try {
            BufferedImage image = ImageIO.read(new ByteArrayInputStream(data));
        } catch (IOException e) {
            // ignore as we expect this exception
        }
    }
}

Features of the fuzz target:

  • Javafuzz will call the fuzz target in an infinite loop with random data (according to the coverage guided algorithm) passed to buf.
  • The function must catch and ignore any expected only (dont catch Exception) exceptions that arise when passing invalid input to the tested package.
  • The fuzz target must call the test function/library with with the passed buffer or a transformation on the test buffer if the structure is different or from different type.
  • Fuzz functions can also implement application level checks to catch application/logical bugs - For example: decode the buffer with the testable library, encode it again, and check that both results are equal. To communicate the results the result/bug the function should throw an exception.
  • Javafuzz will report any unhandled exceptions as crashes as well as inputs that hit the memory limit specified to javafuzz or hangs/they run more the the specified timeout limit per testcase.

Installing

Add this to your pom.xml

  <dependencies>
    <dependency>
      <groupId>dev.fuzzit.javafuzz</groupId>
      <artifactId>core</artifactId>
      <version>1.23-SNAPSHOT</version>
      <scope>test</scope>
    </dependency>
  </dependencies>

<plugin>
        <plugin>
          <groupId>dev.fuzzit.javafuzz</groupId>
          <artifactId>javafuzz-maven-plugin</artifactId>
          <version>1.22</version>
        </plugin>
</plugins>

Running

The next step is to javafuzz with your fuzz target function

docker run -it maven:3.6.2-jdk-11 /bin/bash
git clone https://github.com/fuzzitdev/javafuzz.git
cd javafuzz
mvn install
cd examples
wget -O jacocoagent.jar https://github.com/fuzzitdev/javafuzz/raw/master/javafuzz-maven-plugin/src/main/resources/jacocoagent-exp.jar
MAVEN_OPTS="-javaagent:jacocoagent.jar" mvn javafuzz:fuzz -DclassName=dev.fuzzit.javafuzz.examples.FuzzYaml
# Output:
#0 READ units: 0
#1 NEW     cov: 61 corp: 0 exec/s: 1 rss: 23.37 MB
#23320 PULSE     cov: 61 corp: 1 exec/s: 10614 rss: 35.3 MB
#96022 NEW     cov: 70 corp: 1 exec/s: 11320 rss: 129.95 MB
#96971 NEW     cov: 78 corp: 2 exec/s: 10784 rss: 129.95 MB
#97046 NEW     cov: 79 corp: 3 exec/s: 9375 rss: 129.95 MB
#97081 NEW     cov: 81 corp: 4 exec/s: 11666 rss: 129.95 MB
#97195 NEW     cov: 93 corp: 5 exec/s: 9500 rss: 129.95 MB
#97216 NEW     cov: 97 corp: 6 exec/s: 10500 rss: 129.95 MB
#97238 NEW     cov: 102 corp: 7 exec/s: 11000 rss: 129.95 MB
#97303 NEW     cov: 108 corp: 8 exec/s: 10833 rss: 129.96 MB
#97857 PULSE     cov: 108 corp: 9 exec/s: 225 rss: 129.96 MB
#97857 PULSE     cov: 108 corp: 9 exec/s: 0 rss: 940.97 MB
#97857 PULSE     cov: 108 corp: 9 exec/s: 0 rss: 1566.01 MB

This example quickly finds an infinite hang which takes all the memory in jpeg-js.

Corpus

Javafuzz will generate and test various inputs in an infinite loop. corpus is optional directory and will be used to save the generated testcases so later runs can be started from the same point and provided as seed corpus.

Javafuzz can also start with an empty directory (i.e no seed corpus) though some valid test-cases in the seed corpus may speed up the fuzzing substantially.

Javafuzz tries to mimic some of the arguments and output style from libFuzzer.

More fuzz targets examples (for real and popular libraries) are located under the examples directory and bugs that were found using those targets are listed in the trophies section.

Coverage

For coverage instrumentation we use JaCoCo library

Other languages

Currently this library also exists for the following languages:

Credits & Acknowledgments

Javafuzz is a port of fuzzitdev/jsfuzz.

Which in turn based based on go-fuzz originally developed by Dmitry Vyukov's. Which is in turn heavily based on Michal Zalewski AFL.

Another solid fuzzing with coverage library for java is JQF but is more focused on semantic fuzzing (i.e structure aware) and thus depends on quickcheck. JavaFuzz does not depends on any framework an focuses on mutations producing buffer array and using coverage to find more bugs.

Contributions

Contributions are welcome!:) There are still a lot of things to improve, and tests and features to add. We will slowly post those in the issues section. Before doing any major contribution please open an issue so we can discuss and help guide the process before any unnecessary work is done.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].