
Feature request: allow boofuzz to fuzz intermediate messages

Open 678098 opened this issue 4 years ago • 2 comments

Here is the code which sends messages prior to fuzzed message: https://github.com/jtpereyda/boofuzz/blob/373a5cb071f68b5076b098472db31de841c87389/boofuzz/sessions.py#L1731

So boofuzz only allows fuzzing of the last message in the chain.

For a graph like: [message1]->[message2]->[message3]

Fuzzing will look like this:

[message1 < fuzzing]
[message1]->[message2 < fuzzing]
[message1]->[message2]->[message3 < fuzzing]

It would be nice to have fuzzing like this, with messages still sent after the fuzzed message:

[message1 < fuzzing]->[message2]->[message3]
[message1]->[message2 < fuzzing]->[message3]

The reason is that a fuzzed intermediate message can still be correctly formed. But it can still have some incorrect fields which alter the inner state of the fuzzed entity, which can lead to a crash on later messages.

678098 · Oct 26 '21 00:10

I get your point. Do you have a practical example where such behavior would be beneficial?

So far I've seen the previous messages as no more but preparations for the current node to be fuzzed. And I think that was the idea behind it when the feature was implemented.

I'd be fine if someone was to implement the changes you suggested. However, I think a feature toggle (as if we didn't already have more than enough of those :D) might be helpful as sending additional messages after the fuzzed node will take extra time and slow down the fuzzing. It might not be beneficial for every protocol.

What do you think @jtpereyda?

SR4ven · Nov 23 '21 22:11

Thanks @SR4ven, sorry for the late reply.

This feature might be beneficial if we want to fuzz some stateful service. Some initial request types, for example, might configure this service, and the next request types are used to do some work with it. So fuzzing of intermediate nodes allows finding combinations of unhandled cases when we have a misconfiguration for these requests.

I might try to do it in my free time during weekends, but cannot promise anything yet. If the current class design doesn't easily extend to this use case, it might be safer to leave it as it is for now.

Let's close this issue until the next updates.

678098 · Sep 25 '23 11:09
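The two traversal orders compared in the issue body (send the prefix and stop at the fuzzed node, versus send the prefix, the fuzzed node and the rest of the path) and the stateful-service argument from the Sep '23 comment can be modelled in a few dozen lines. The following is an added illustration, not boofuzz code and not an implementation of the proposed feature: `PATH`, `MUTATIONS`, `ToyService` and the three-message CONFIG/WRITE/READ protocol are all constructed for the example. The constructed target accepts a bad CONFIG without error, and the fault it causes only surfaces when the later READ runs against the corrupted state, so only the traversal that keeps sending messages after the fuzzed node reaches it.

```python
from __future__ import annotations

from typing import Callable, Iterable, Iterator

# Constructed protocol: an ordered path of three messages, standing in for the
# issue's [message1]->[message2]->[message3].
PATH = [
    {"type": "CONFIG", "size": 8},
    {"type": "WRITE", "data": "AAAAAAAA"},
    {"type": "READ", "offset": 7},
]

# Constructed mutation library: alternative values tried for each field name.
MUTATIONS = {
    "size": [-1, 0],
    "data": ["", "B" * 64],
    "offset": [-1, 8],
}


def mutate(message: dict) -> Iterator[tuple[str, object, dict]]:
    """Yield (field, value, fuzzed_message) for every single-field mutation."""
    for name, alternatives in MUTATIONS.items():
        if name in message:
            for alt in alternatives:
                fuzzed = dict(message)
                fuzzed[name] = alt
                yield name, alt, fuzzed


def current_traversal(path: list[dict]) -> Iterator[tuple[int, str, object, list[dict]]]:
    """Order described in the issue: send the unfuzzed prefix, then the fuzzed
    node, and stop there."""
    for i, node in enumerate(path):
        for name, value, fuzzed in mutate(node):
            yield i, name, value, path[:i] + [fuzzed]


def proposed_traversal(path: list[dict]) -> Iterator[tuple[int, str, object, list[dict]]]:
    """Requested order: same prefix and fuzzed node, then keep sending the rest
    of the path so later nodes run against the altered state."""
    for i, node in enumerate(path):
        for name, value, fuzzed in mutate(node):
            yield i, name, value, path[:i] + [fuzzed] + path[i + 1:]


class ToyService:
    """Constructed stateful target. A CONFIG with size 0 is accepted silently;
    the resulting empty buffer only causes a fault when READ indexes it."""

    def __init__(self) -> None:
        self.buf = bytearray()

    def handle(self, msg: dict) -> int | None:
        kind = msg["type"]
        if kind == "CONFIG":
            self.buf = bytearray(msg["size"])        # size -1 raises ValueError here
        elif kind == "WRITE":
            data = msg["data"].encode()
            n = min(len(data), len(self.buf))        # silent truncation, never an error
            self.buf[:n] = data[:n]
        elif kind == "READ":
            return self.buf[msg["offset"]]           # IndexError if the buffer is too short
        return None


def run(traversal: Callable[[list[dict]], Iterable]) -> list[tuple[int, str, object, int, str]]:
    """Replay every test case against a fresh ToyService and record each crash as
    (fuzzed_node, field, value, crashing_node, exception_name)."""
    findings = []
    for fuzzed_index, name, value, messages in traversal(PATH):
        service = ToyService()
        for sent_index, msg in enumerate(messages):
            try:
                service.handle(msg)
            except (ValueError, IndexError) as exc:
                findings.append((fuzzed_index, name, value, sent_index, type(exc).__name__))
                break
    return findings


if __name__ == "__main__":
    for label, traversal in (("current", current_traversal), ("proposed", proposed_traversal)):
        print(label)
        for finding in run(traversal):
            print("  ", finding)
```

Both orders find the crash at the fuzzed node itself (CONFIG with size -1) and the crash in the last node (READ with offset 8). Only `proposed_traversal` finds CONFIG with size 0, because that test case is harmless on its own and only crashes two messages later; that is the class of finding the issue is asking for, at the cost SR4ven notes of sending the remaining messages for every test case.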