Fuzzing Command Line Utilities Following up from one of my previous article, I will be fuzzing CLI params using JAFFY fuzzer and try to smash the stack on a vulnerable program. Jaffy can fuzz binaries that you run on the command line. It takes a simple XML as input to specify the arguments details and you are ready to go. In order to run jaffy you need to install this python3 module:
Command Line Interface Security Testing CLIs (Command Line Interface/Utility) offer a lot of commands to make system information easily available & manageable. Many of these commands offer various arguments (functionalities). These command line utilities and their arguments should be programmed in such a way that they should not be vulnerable or contain any logical flaw that can allow malicious user of CLI to escalate privilege, access unauthorized info, bypass ACL etc.
Mutation Fuzzers (AKA Dumb Fuzzers 😉) Mutation Fuzzers are all about mutating the existing input values (blindly). That’s why it is known as “dumb” fuzzers, as it lacks understanding of the complete format/structure of the data. One example of data mutation can be just replacing/appending a random section of data. Some methods used by mutation fuzzers to generate the data are: Bit flipping Random postfix Random prefix encoding disruption We will be looking at one of the mutation based fuzzer written in NodeJS today.