Trying to write an HTTP fuzzer #2798

Open
AshrafIbrahim03 opened this issue Dec 31, 2024 · 11 comments
Labels
question Further information is requested

Comments

@AshrafIbrahim03
Contributor

Wasn't sure if there was a forum to post questions, so I figured I'd ask here. As the title says, I'm trying to write an HTTP fuzzer for practice, but right now I'm kind of stuck at how to link things together. I'm writing an HTTPFeedback that holds a set of HTTP codes, and the idea is that in its is_interesting function, it will see if the HTTP status code is in its set, and return a value based on that. The only problem is, how do I communicate the returned HTTP status code to the feedback? Would I do that through the ExitKind or state or something else?

Thanks if you're able to help out, and if this isn't the right place to ask, I'd be more than happy to repost my question somewhere else.

@domenukk
Member

domenukk commented Jan 1, 2025

I would say that just the http status code might not be enough feedback for some really useful fuzzing (albeit possible).
But in general, yes, an HTTPFeedback should be straightforward. Store previously seen codes in a custom Metadata, then check if the current code is new or not (i.e., use a set or a bloom filter).

Maybe also take a look at https://github.com/TNO-S3/WuppieFuzz for inspiration, it sounds very much related.

@domenukk domenukk added the question Further information is requested label Jan 1, 2025
@AshrafIbrahim03
Contributor Author

Been working on this for the past few days and the approach I'm taking is rewriting the GenericInProcessExecutor but adding the metadata to state in the run_target function. I also modified the harness to return an ExitKind and u16 tuple, to represent the http status code. Does this seem like the best approach to do this? I initially meant to just make a new feedback and didn't expect to make an executor.

@riesentoaster
Contributor

I'm currently writing a TCP/IP fuzzer for my master's thesis, where I'm using the TCP flags in the header of the returned packets as feedback. I'm using a custom Executor which takes a handle to a custom Observer to store the data. That in turn is then used in Feedback(s). Take a look at the project repo maybe?

(Disclaimer: Still very much work in progress, should be done in a bit more than a month)

@domenukk
Member

BTW for the TCP/IP thing, you could do an async mutational stage that spawns a bunch of tasks and collects and evals the results later (right?)

@riesentoaster
Contributor

One could do that probably, yes. I cannot — no time left :D

Also: overcommit is a quick and dirty fix.

@AshrafIbrahim03
Contributor Author

@domenukk
With storing the http status codes in a custom metadata, are there any recommended ways to return the status codes? As far as I know, I can't add metadata into state from inside the harness and the harness only returns an exitkind, so it seems like there's no standard way to pass data from inside the harness to the outside. I tried rewriting GenericInProcessExecutor to have a harness that returns a tuple of (ExitKind, u16) instead of just an exitkind, but I figured there's probably a better way to do it.

I also asked on the WuppieFuzz repo about the same issue, i.e. how they pass data outside the harness, and they actually don't pass data out of the harness but rather return ExitKind::Crash when there's a 5xx status code.

@riesentoaster
Contributor

If I may: Have you considered just writing a custom Executor instead of changing a lot of existing code? That's often surprisingly straightforward. You can then just pass it an observer to store your HTTP codes in, and you can then use that observer in any way you like in feedbacks.

@domenukk
Member

> @domenukk With storing the http status codes in a custom metadata, are there any recommended ways to return the status codes? As far as I know, I can't add metadata into state from inside the harness and the harness only returns an exitkind, so it seems like there's no standard way to pass data from inside the harness to the outside. I tried rewriting GenericInProcessExecutor to have a harness that returns a tuple of (ExitKind, u16) instead of just an exitkind, but I figured there's probably a better way to do it.
>
> I also asked on the WuppieFuzz repo about the same issue, i.e. how they pass data outside the harness, and they actually don't pass data out of the harness but rather return ExitKind::Crash when there's a 5xx status code.

You can use a ValueObserver, set a value in a global variable (or similar),

`impl<'a, T> ValueObserver<'a, T> {`

Then you can use a custom Feedback to write to metadata (or observe the value directly if that's what you want)
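
The executor-plus-observer-plus-feedback wiring that riesentoaster and domenukk describe above, as an added, self-contained Rust example (not LibAFL's own code and not from any of the linked projects). To stay runnable with plain `rustc`, it defines stand-ins for the LibAFL pieces it mirrors: `ExitKind`, a `StatusObserver` playing the role of a `ValueObserver` (a shared slot the harness writes into and the feedback reads), a `StatusMetadata` set standing in for fuzzer-state metadata, and a minimal `HttpExecutor::run_target`. The `fake_http_target` harness is a constructed stand-in for a real HTTP service; everything else (names, signatures) is an assumption of this example, not LibAFL's API.

```rust
use std::cell::Cell;
use std::collections::HashSet;
use std::rc::Rc;

/// Stand-in for LibAFL's ExitKind (assumption of this example, not the real type).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ExitKind {
    Ok,
    Crash,
}

/// Plays the role of a ValueObserver: a slot the harness writes the HTTP status
/// into and the feedback reads after each run. Shared via Rc so the harness,
/// the executor and the feedback all look at the same cell.
#[derive(Clone)]
pub struct StatusObserver {
    slot: Rc<Cell<Option<u16>>>,
}

impl StatusObserver {
    pub fn new() -> Self { Self { slot: Rc::new(Cell::new(None)) } }
    /// Cleared by the executor before every run so a stale status cannot leak across runs.
    pub fn reset(&self) { self.slot.set(None); }
    pub fn record(&self, status: u16) { self.slot.set(Some(status)); }
    pub fn last(&self) -> Option<u16> { self.slot.get() }
}

/// Stand-in for state metadata: the set of status codes seen so far.
#[derive(Default)]
pub struct StatusMetadata {
    pub seen: HashSet<u16>,
}

/// Feedback: an input is interesting when it produced a status code never observed before.
pub struct HttpStatusFeedback {
    observer: StatusObserver,
}

impl HttpStatusFeedback {
    pub fn new(observer: StatusObserver) -> Self { Self { observer } }
    pub fn is_interesting(&self, meta: &mut StatusMetadata) -> bool {
        match self.observer.last() {
            Some(code) => meta.seen.insert(code), // insert() is true only for a new code
            None => false,                         // no response at all: nothing new to learn
        }
    }
}

/// Minimal executor: reset the observer, run the harness, map the outcome onto an ExitKind.
pub struct HttpExecutor<H: FnMut(&[u8]) -> Option<u16>> {
    harness: H,
    observer: StatusObserver,
}

impl<H: FnMut(&[u8]) -> Option<u16>> HttpExecutor<H> {
    pub fn new(harness: H, observer: StatusObserver) -> Self { Self { harness, observer } }
    pub fn run_target(&mut self, input: &[u8]) -> ExitKind {
        self.observer.reset();
        match (self.harness)(input) {
            Some(status) => {
                self.observer.record(status);
                // WuppieFuzz-style objective as described in the thread: a 5xx counts as a crash.
                if (500..600).contains(&status) { ExitKind::Crash } else { ExitKind::Ok }
            }
            None => ExitKind::Crash, // connection dropped or timed out: also worth keeping
        }
    }
}

/// Constructed stand-in for a real HTTP target: derives a status code from the request line.
pub fn fake_http_target(request: &[u8]) -> Option<u16> {
    let line = request.split(|&b| b == b'\r' || b == b'\n').next()?;
    let text = std::str::from_utf8(line).ok()?;
    let mut parts = text.split(' ');
    let (method, path) = (parts.next()?, parts.next()?);
    if method != "GET" { return Some(405); }
    match path {
        "/" => Some(200),
        p if p.starts_with("/admin") => Some(403),
        p if p.contains("%00") => Some(500),
        _ => Some(404),
    }
}

/// Drives a batch of inputs through the loop; returns (inputs kept as interesting, inputs that "crashed").
pub fn fuzz_round(inputs: &[&[u8]]) -> (Vec<Vec<u8>>, Vec<Vec<u8>>) {
    let observer = StatusObserver::new();
    let mut executor = HttpExecutor::new(fake_http_target, observer.clone());
    let feedback = HttpStatusFeedback::new(observer);
    let mut meta = StatusMetadata::default();
    let (mut corpus, mut solutions) = (Vec::new(), Vec::new());
    for &input in inputs {
        let exit = executor.run_target(input);
        if exit == ExitKind::Crash { solutions.push(input.to_vec()); }
        if feedback.is_interesting(&mut meta) { corpus.push(input.to_vec()); }
    }
    (corpus, solutions)
}

fn main() {
    // Constructed sample requests; the duplicate "GET /" shows the novelty check rejecting a repeat.
    let inputs: [&[u8]; 5] = [b"GET / HTTP/1.1\r\n", b"GET / HTTP/1.1\r\n",
        b"GET /admin HTTP/1.1\r\n", b"POST / HTTP/1.1\r\n", b"GET /x%00 HTTP/1.1\r\n"];
    let (corpus, solutions) = fuzz_round(&inputs);
    println!("interesting: {}  crashes: {}", corpus.len(), solutions.len());
}
```

The point of the split is the one riesentoaster makes: the harness never touches state, it only writes into the observer; the executor owns the "run then classify" step; and the feedback is the only component that reads the observer and updates metadata, so swapping the novelty set for a bloom filter, or the 5xx rule for something else, touches one struct each.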

@domenukk
Member

Maybe there's a cleaner, more rusty way, @addisoncrump may know

@AshrafIbrahim03
Contributor Author

@riesentoaster I didn't think about writing one from scratch honestly - I think I'll also try that out, thanks!

@riesentoaster
Contributor

riesentoaster commented Jan 23, 2025

> @riesentoaster I didn't think about writing one from scratch honestly - I think I'll also try that out, thanks!

Check out the baby_fuzzer_custom_executor example, it may be a good starting point. And maybe the executor of my thesis project I linked above, although that is much more involved, but it shows how one can do custom observers/logging feedbacks.

3 participants