asielb / fuzzops Goto Github PK

What steps will reproduce the problem?
1. Run FuzzOps lots of times

Results:
Occasionally you see the output below repeated indefinitely:
http://10.109.43.239:8080/stack-pet-store-ui/pet?petName=�&classificationIds=8
&classificationIds=2&classificationIds=1&classificationIds=7&resultsPerPage=5&or
derBy=name&sortOrder=ASCENDING

Currently users are having a hard time getting everything compiled and set up 
properly to start making changes to the code base.

We should start using maven so that dependencies will be easier to manage and 
builds will work consistently.

Theoretically it would be possible to overrun the server with Fuzz Requests. In 
the event that long term fuzzing is requested, it may be necessary to limit how 
many instances should be ran.

It would be valuable to be able to save the fuzz request configurations for 
future use and retesting.

This because increasingly valuable as request configuration will increase in 
complexity.

As fuzzing complexity is increase, it would be nice to select which types of 
fuzzing modules should be used. 

ex:
run the dictionary module, but not the basic fuzzing module.

GET requests may not be enumerated correctly in Applications due to methods 
used to create test cases. If an application uses POST it will modularize the 
request and its parameters. If GET is used, it would not know how to handle 
this.

What steps will reproduce the problem?
1. Start WebFuzzNonApplet.jar
2. Look at default Help tab

What is the expected output? What do you see instead?
Should not see any email address with lds reference. Jar file needs to be 
rebuilt and updated.

We should figure out how we will plan to use fuzzops in a non-gui fashion.

This includes several questions.

How will it integrate with tools like maven?
How will it work from within an IDE like eclipse?
How can we allow running it from a command line for other languages and tools? 
This would probably involve using a config file to specify options.

What steps will reproduce the problem?
1. Complete a fuzzops
2. Click request File


Result:
java.io.FileNotFoundException: C:\Users\batemansw\Documents\fuzzops\---- (The 
system cannot find the file specified)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:106)
    at com.google.code.fuzzops.webfuzzer.commands.RequestCommand.execute(RequestCommand.java:32)
    at com.google.code.fuzzops.webfuzzer.controller.FuzzApplicationController.handleRequest(FuzzApplicationController.java:33)
    at com.google.code.fuzzops.webfuzzer.controller.FuzzControllerThread.run(FuzzControllerThread.java:92)
    at java.lang.Thread.run(Thread.java:619)

cleanup svn empty directories, class files, and jar files. 

Jar files and other binary files that people may want to use should be added to 
the downloads page.

What steps will reproduce the problem?
1. Run fuzzops against the stack petstore

Results:
The crawler runs. The fuzzer errors out with index out of bounds exception. 

- CrawlerExecutor terminated
- Closing the browser...
java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
    at java.util.ArrayList.RangeCheck(ArrayList.java:547)
    at java.util.ArrayList.get(ArrayList.java:322)
    at com.google.code.fuzzops.webfuzzer.controller.FuzzEngine.fuzz(FuzzEngine.java:106)
    at com.google.code.fuzzops.webfuzzer.crawler.CrawlerThread.initFuzzer(CrawlerThread.java:135)
    at com.google.code.fuzzops.webfuzzer.crawler.CrawlerThread.configCrawler(CrawlerThread.java:124)
    at com.google.code.fuzzops.webfuzzer.crawler.CrawlerThread.run(CrawlerThread.java:57)
    at java.lang.Thread.run(Thread.java:619)

.....

- Total Crawling time(50711ms) ~= 0 min, 51 sec
- EXAMINED ELEMENTS: 170
- CLICKABLES: 10
- STATES: 8

Utilize a SQL database to store results rather than in files.

Suggestion is to store groups of ResultBeans into BLOBs which can be requested 
sequentially by the UI.

The Crawljax engine will go beyond the scope of the application unless it is 
explicitly limited.

Propose implementing a whitelist based on root domain of the target. 

Perhaps log those domains skipped.

Changes need to be made in the CrawlerThread.java to implement this.

What steps will reproduce the problem?
1. Run the server, input non-default port (8484)
2. Run the client, change the port to 8484
3. Start a fuzz

You get a non-descriptive IO error. The client did not try to use port 8484.

Certain characters cause issues when fuzzing SOAP. These characters need to be 
checked in the fuzzing process to be scrubbed in order to avoid issues when 
sending requests. 

These include, but are not limited to: >, ?, and <

What steps will reproduce the problem?
1. Load up fuzzops and point it to our petstore
2. Fuzz the petstore and view the logs


What do you see instead?
- Executing click on element: "Name" A: class="order-asc" 
href="/stack-pet-store-ui/pet?petName=&firstResult=0&orderBy=name&sortOrder=DESC
ENDING&resultsPerPage=5" title="Sort by "Name"" click xpath 
/HTML[1]/BODY[1]/DIV[3]/DIV[1]/DIV[1]/DIV[2]/TABLE[1]/THEAD[1]/TR[1]/TH[2]/A[1];
 State: state2
- Dom is Changed!
- Correcting state name from  state5 to state4
- State state4 added to the StateMachine.
- StateMachine's Pointer changed to: state4
- StateMachine's Pointer changed to: state4 FROM state2
- Running OnNewStatePlugins...
- Crawl failed!
java.lang.ArrayIndexOutOfBoundsException: 1
    at com.google.code.fuzzops.webfuzzer.crawler.ModularUrlParameter.<init>(ModularUrlParameter.java:11)
    at com.google.code.fuzzops.webfuzzer.crawler.ModularUrl.<init>(ModularUrl.java:19)
    at com.google.code.fuzzops.webfuzzer.crawler.GenerateRequestsPlugin.prepareUrl(GenerateRequestsPlugin.java:34)
    at com.google.code.fuzzops.webfuzzer.crawler.GenerateRequestsPlugin.onNewState(GenerateRequestsPlugin.java:24)
    at com.crawljax.core.plugin.CrawljaxPluginsUtil.runOnNewStatePlugins(CrawljaxPluginsUtil.java:124)
    at com.crawljax.core.state.StateMachine.update(StateMachine.java:196)
    at com.crawljax.core.Crawler.clickTag(Crawler.java:356)
    at com.crawljax.core.Crawler.crawl(Crawler.java:445)
    at com.crawljax.core.Crawler.run(Crawler.java:610)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:619)
- Finished executing

What steps will reproduce the problem?
1. Put the wrong port in the client
2. Request a fuzz
3.

What is the expected output? What do you see instead?
There is no real output expect in the IDE, and it only says "IOError"

The ability to replay certain errors to ensure that specific error causing 
conditions have been fixed in new builds of target applications.

Need a quick mode of cycling through errors without having to cut&past results 
from table into the browser.

Possible plugin, screen shots, turning url into active link, etc

Need to add REST enumeration to allow fuzzing of REST services.

What steps will reproduce the problem?
1. Fire up the server
2. Set the output directory to a folder that doesn't exist
3. Start a fuzzing session.

What is the expected output? 
Directory is created or you are given a chance to change the output dir.

What do you see instead?
It fails silently.

When fuzzing SOAP requests, the monitor is showing that only the first 
character of the fuzz data is actually being inserted.

Certain results will cause errors in the .csv file when downloading fuzz 
results.

Most likely generated by new line/carriage return data from the fuzz generator. 

Certain people are having issues fuzzing SOAP. The fuzzer seems to get stuck on 
retrieving the WSDL. May be an issue with accepting certificates, etc.

Create a fuzzing module that would allow the tester to upload or use 
pre-uploaded attack dictionaries to test against their targets.