npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

sorrow

v2.0.10

Published

Type-Based mutational fuzzing in js. Because even Joi requires balance.

Downloads

7

Readme

What is it?

Sorrow is Joi's evil twin. It exists to create malicious payloads based on Joi validator schemas that will pass said validators.

Getting Started:

npm i sorrow

On the Server:

var sorrow = require('./sorrow.js');

In the browser:

<script src='/sorrow.1.0.3.min.js'>

Overview:

Sorrow has two primary components: A generational "dumb" fuzzer, and the mutational "smart" fuzzer Surku.

The generational fuzzer generates seed data based on data types, which is then run through the mutational fuzzer to help compensate for some of the limitations of fuzzing with a set of static strings. It creates a starting point for machine learning, to reduce some of the time and complexity that would be required to end up generating the same data via a purely mutational approach.

Each type gets it's own seperate mutator instance, which over time allows it to recognize patterns from each type and create more consistent and "smart" payloads. The more iterations that are run, the more accurate it becomes.

Sorrow is highly extendable, and I hope that you contribute to the project by doing just that. You can extend the generational fuzzer by adding additional payload strings to the configuration objects in vectors.js. If there is a missing target context, it's pretty easy to add an additional one: you define an array of strings and a name - very simple.

API

Sync "shorthand" API:

payload = sorrow[type]

Async/Sync API:

payload = sorrow.async[type]([seedVal],function(payload){
// If given a callback function, the return value will be the return value of the callback.
// Both the callback and return pattern give the same results.
})

Where 'type' is one of:

  • string
  • number
  • date
  • binary
  • object
  • boolean
  • array
  • any

The async API functions aren't purely asynchronous, as sorrow is performing a huge amount of computations internally and therefore can easily block the event loop. Even so, it does offer a decent performance increase. The async API also has the ability to perform purely mutational fuzzing, rather than relying on a builtin set of attack vectors. To use the module in this way, call sorrow like this:

	payload = sorrow.async.string('asdf');
	//or...
	sorrow.async.string('asdf',function(payload){
		socket.emit(payload) // or whatever you want to do with it.
	})
	//or, to use the generators with the async methods...
	sorrow.async.string(null, function(payload){
		socket.emit(payload) // or whatever you want to do with it.
	})

sorrow.string

var payload = sorrow.string

Returns a string with a malicious payload targeting various systems. Useful when testing for injection vulnerabilities. Included target contexts are:

  • HTML
  • Javascript ( Server/Client Side )
  • SQL ( MySQL, Oracle, Postgres )
  • OS command injection (bash, powershell, etc)
  • Buffer Overflows
  • Format Strings
  • Integer overflows

Extending sorrow.string

If you have additional payloads, add them in /lib/vectors.js. The format is dead simple:

{"identifier":"SQL",
 "payloads": [
 	'some',
 	'payloads'
 ], customGenerator: function(vector){
 		return vector.toUpperCase();
 }
}

Strings are not mutated by default.


sorrow.number:

var payload = sorrow.number

Returns a random number via a Linear Congruental Generator ( LCG ) algorithm. Numbers are run through the mutational fuzzer before being returned.


sorrow.boolean:

var payload = sorrow.boolean

Returns true, false, 1, or 0.


sorrow.date

var payload = sorrow.date

Returns a random date generated by something to the effect of:

var random = lcg()
var timeRightNow = new Date().getTime();
while(random > timeRightNow * 1.2){
	random = random * Math.random();
}
return new Date(Math.random() * timeRightNow - random)

Dates are run through the mutational fuzzer before being returned.


sorrow.binary

var payload = sorrow.binary

returns a randomly sized chunk of junk bytes found in unallocated memory, run through the mutator. It is good to mention that sorrow.binary does pull memory from your computer - if you are concerned about leaking sensitive data in memory, the seed can be modified to use crypto.randomBytes instead, or to read a binary in from the filesystem.

sorrow.object

var payload = sorrow.object

returns a completely randomized object - size is random, property names are pulled from a wordlist, and the values of the properties are random sorrow components. Can and does recurse, limit set to 3. Very memory/CPU intensive.


sorrow.array

var payload = sorrow.array

Similar to sorrow.object, but an array instead.


Changelog:

3/21/15: v1.0.4 - Updated package.json with github issues url.