sorrow
v2.0.10
Type-Based mutational fuzzing in js. Because even Joi requires balance.
What is it?
Sorrow is Joi's evil twin. It exists to create malicious payloads based on Joi validator schemas that will pass said validators.
Getting Started:
npm i sorrow
On the Server:
var sorrow = require('sorrow'); // the package installed with npm above
In the browser:
<script src='/sorrow.1.0.3.min.js'></script>
Overview:
Sorrow has two primary components: A generational "dumb" fuzzer, and the mutational "smart" fuzzer Surku.
The generational fuzzer generates seed data based on data types, which is then run through the mutational fuzzer to help compensate for some of the limitations of fuzzing with a set of static strings. It creates a starting point for machine learning, to reduce some of the time and complexity that would be required to end up generating the same data via a purely mutational approach.
Each type gets its own separate mutator instance, which over time lets it recognise patterns specific to that type and produce more consistent and "smart" payloads. The more iterations are run, the more accurate it becomes.
Sorrow is highly extensible, and I hope you contribute to the project by doing just that. You can extend the generational fuzzer by adding payload strings to the configuration objects in vectors.js. If a target context is missing, adding one is easy: you define an array of strings and a name, and that is all.
API
Sync "shorthand" API:
payload = sorrow[type]
Async/Sync API:
payload = sorrow.async[type]([seedVal], function(payload){
  // If a callback is given, the return value is the callback's return value.
  // The callback and the return pattern give the same results.
})
Where 'type' is one of:
- string
- number
- date
- binary
- object
- boolean
- array
- any
The async API functions aren't purely asynchronous: sorrow performs a huge amount of computation internally and can easily block the event loop. Even so, they offer a decent performance increase. The async API can also perform purely mutational fuzzing of a seed value you supply, rather than relying on the built-in set of attack vectors. To use the module in this way, call sorrow like this:
// a seed string: the seed is mutated, the built-in vectors are not used
payload = sorrow.async.string('asdf');
// or...
sorrow.async.string('asdf', function(payload){
  socket.emit(payload); // or whatever you want to do with it.
});
// or, to use the generators with the async methods, pass null as the seed...
sorrow.async.string(null, function(payload){
  socket.emit(payload); // or whatever you want to do with it.
});
sorrow.string
var payload = sorrow.string
Returns a string with a malicious payload targeting various systems. Useful when testing for injection vulnerabilities. Included target contexts are:
- HTML
- JavaScript (server and client side)
- SQL (MySQL, Oracle, Postgres)
- OS command injection (bash, PowerShell, etc.)
- Buffer overflows
- Format strings
- Integer overflows
Extending sorrow.string
If you have additional payloads, add them in /lib/vectors.js. The format is dead simple:
{
  "identifier": "SQL",
  "payloads": [
    'some',
    'payloads'
  ],
  // customGenerator receives a vector string and returns the payload to emit
  customGenerator: function(vector){
    return vector.toUpperCase();
  }
}
Strings are not mutated by default.
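To make the vectors.js shape concrete, here is an added example, not sorrow's own code, of a minimal registry that consumes entries in that shape, rejects malformed entries up front (a typo in a configuration object should fail loudly rather than silently produce nothing), and honours the two rules stated above: a vector's `customGenerator` is applied when present, and strings are otherwise returned exactly as stored. The payload strings and identifiers below are constructed samples; the `rng` parameter is an assumption made so that a seeded source can be supplied for reproducible runs.

```javascript
// Added example (not sorrow's own code): a registry for entries in the
// vectors.js shape documented above, with constructed sample entries.
var vectors = [];

// Validate the entry shape before accepting it.
function registerVector(entry) {
  if (typeof entry.identifier !== 'string' || !entry.identifier) {
    throw new TypeError('vector entry needs a string identifier');
  }
  if (!Array.isArray(entry.payloads) || entry.payloads.length === 0 ||
      !entry.payloads.every(function (p) { return typeof p === 'string'; })) {
    throw new TypeError('vector "' + entry.identifier +
      '" needs a non-empty array of string payloads');
  }
  if (entry.customGenerator !== undefined && typeof entry.customGenerator !== 'function') {
    throw new TypeError('customGenerator must be a function');
  }
  vectors.push(entry);
  return vectors.length;
}

// Pick one payload from one vector. `rng` returns a float in [0, 1).
// Strings are returned as stored unless the vector defines a customGenerator.
function pickString(rng, identifier) {
  var pool = identifier
    ? vectors.filter(function (v) { return v.identifier === identifier; })
    : vectors;
  if (pool.length === 0) {
    throw new Error('no vectors registered' + (identifier ? ' for ' + identifier : ''));
  }
  var vector = pool[Math.floor(rng() * pool.length)];
  var payload = vector.payloads[Math.floor(rng() * vector.payloads.length)];
  return vector.customGenerator ? vector.customGenerator(payload) : payload;
}

function registeredIdentifiers() {
  return vectors.map(function (v) { return v.identifier; });
}

// Constructed sample entries in the documented shape (benign strings).
registerVector({
  identifier: 'Quotes',
  payloads: ["O'Reilly", 'say "hi"']
});
registerVector({
  identifier: 'Upper',
  payloads: ['shout'],
  customGenerator: function (vector) { return vector.toUpperCase(); }
});
```

Calling `pickString(Math.random)` draws from every registered context; `pickString(Math.random, 'Quotes')` restricts the draw to one context, which is the more useful form when you know which parser sits behind the field under test.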
sorrow.number:
var payload = sorrow.number
Returns a random number from a Linear Congruential Generator (LCG). Numbers are run through the mutational fuzzer before being returned.
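An LCG is a deliberate choice for a fuzzer: given the seed, the whole sequence can be replayed, so a number that triggers a bug can be regenerated later. The block below is an added example, not sorrow's generator, showing a seeded Park-Miller LCG followed by a small boundary-value mutation stage that stands in for the mutational fuzzer (the real mutator, Surku, is a separate tool). The boundary list is a constructed selection of integer-width edges, matching the "integer overflows" target context listed above.

```javascript
// Added example (not sorrow's own code): a seeded linear congruential generator
// plus a simplified mutation stage that stands in for the mutational fuzzer.
function makeLcg(seed) {
  // Park-Miller "minimal standard": x_{n+1} = 16807 * x_n mod (2^31 - 1).
  var m = 2147483647, a = 16807;
  var state = seed % m;
  if (state <= 0) state += m - 1;   // the generator must never sit at 0
  return function next() {
    state = (a * state) % m;        // a * state < 2^46, exact in a double
    return state;
  };
}

// Constructed list of integer-width boundaries and their neighbours.
var BOUNDARIES = [0, -1, 1, 127, 128, 255, 256, 32767, 32768, 65535, 65536,
  2147483647, 2147483648, -2147483648, -2147483649, 4294967295, 4294967296,
  Number.MAX_SAFE_INTEGER, Number.MAX_SAFE_INTEGER + 2];

// Mutation stand-in: one time in four substitute a boundary value, otherwise
// perturb the LCG output (negate, nudge by -1..1, or double it).
function mutateNumber(n, lcg) {
  var r = lcg() % 4;
  if (r === 0) return BOUNDARIES[lcg() % BOUNDARIES.length];
  if (r === 1) return -n;
  if (r === 2) return n + (lcg() % 3) - 1;
  return n * 2;
}

function fuzzNumber(lcg) {
  return mutateNumber(lcg(), lcg);
}

// Produce `count` fuzzed numbers from one seed; same seed, same sequence.
function fuzzNumbers(seed, count) {
  var lcg = makeLcg(seed);
  var out = [];
  for (var i = 0; i < count; i++) out.push(fuzzNumber(lcg));
  return out;
}
```

The multiply stays exact because 16807 is below 2^15 and the state below 2^31, so their product fits in the 53-bit mantissa of a JavaScript number; a larger multiplier would need BigInt or a split-multiply to avoid silent rounding.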
sorrow.boolean:
var payload = sorrow.boolean
Returns true, false, 1, or 0.
sorrow.date
var payload = sorrow.date
Returns a random date generated by something to the effect of:
function randomDate(){
  var random = lcg(); // sorrow's internal linear congruential generator
  var timeRightNow = new Date().getTime();
  // shrink the LCG output until it is within 120% of the current epoch milliseconds
  while(random > timeRightNow * 1.2){
    random = random * Math.random();
  }
  return new Date(Math.random() * timeRightNow - random);
}
Dates are run through the mutational fuzzer before being returned.
sorrow.binary
var payload = sorrow.binary
Returns a randomly sized chunk of junk bytes found in unallocated memory, run through the mutator. Note that sorrow.binary does read memory from your own machine: whatever was left in that memory ends up in the payload, so if you are concerned about leaking sensitive data, the seed can be changed to use crypto.randomBytes instead, or to read a binary from the filesystem.
sorrow.object
var payload = sorrow.object
Returns a completely randomized object: its size is random, property names are pulled from a wordlist, and property values are random sorrow components. It can and does recurse, with the depth limit set to 3. Very memory/CPU intensive.
sorrow.array
var payload = sorrow.array
Similar to sorrow.object, but an array instead.
Changelog:
3/21/15: v1.0.4 - Updated package.json with github issues url.