PyJFuzz is a small, extensible and ready-to-use framework for fuzzing JSON inputs: mobile and REST API endpoints, JSON parser implementations, browsers, command-line executables and more.
This fork of PyJFuzz was made Python 3 compatible with minimal effort.
Changes
- 2to3 for (basic) Python 3 support
- Disabled the pjf.log file
You can install PyJFuzz with the following commands:
```shell
sudo -EH pip3 install gramfuzz bottle netifaces gitpython
git clone https://github.com/0xricksanchez/PyJFuzz.git && cd PyJFuzz && sudo -EH python3 setup.py install
```
Classes
The available objects/classes are the following:
- PJFServer - Used to start and stop the built-in HTTP and HTTPS servers
- PJFProcessMonitor - Used to monitor a process for crashes; it automatically restarts the process each time it crashes
- PJFTestcaseServer - The testcase server is used in conjunction with PJFProcessMonitor: whenever the process crashes, the testcase server registers and stores the JSON that caused the crash
- PJFFactory - The main object used to do the actual fuzzing of JSON objects
- PJFConfiguration - The configuration object shared by all of the available objects
- PJFExternalFuzzer - Used by PJFFactory; an auxiliary class that provides an interface to other command-line fuzzers such as radamsa
- PJFMutation - Used by PJFFactory; provides all the mutations used during a fuzzing session
- PJFExecutor - Provides an interface to interact with an external process
Examples
```python
# simple_fuzzer
from argparse import Namespace

from pyjfuzz.core.pjf_configuration import PJFConfiguration
from pyjfuzz.core.pjf_factory import PJFFactory

config = PJFConfiguration(Namespace(json={"test": ["1", 2, True]}, nologo=True, level=6, techniques="P"))
# Once a config object is defined you can read config.techniques to see the
# technique IDs selected for your group:
# print("Techniques IDs: {0}".format(str(config.techniques)))
# You can also override them:
# config.techniques = [2]
# This way only attack number 2 (LFI attack) is performed.
fuzzer = PJFFactory(config)
while True:
    print(fuzzer.fuzzed)
```
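To make the roles of PJFProcessMonitor, PJFTestcaseServer and PJFExecutor concrete, here is the same loop written by hand as an added example (this is not PyJFuzz code): each fuzzed document is fed on stdin to a fresh copy of the target, a child killed by SIGSEGV/SIGABRT/SIGBUS/SIGILL/SIGFPE or a child that hangs is recorded, and the offending input is written to disk as the reproducer. `DEMO_COMMAND` is a constructed stand-in target that aborts when the `name` field is longer than 8 characters; in practice you would pass your real binary and any iterable of JSON bytes (for instance `fuzzer.fuzzed` from the snippet above, encoded).

```python
import json
import signal
import subprocess
import sys
import tempfile
from pathlib import Path

# Signals that indicate memory corruption or an assertion failure in the child.
# Only the ones present on this platform are used (SIGBUS does not exist on Windows).
FATAL_SIGNALS = {
    int(getattr(signal, name))
    for name in ("SIGSEGV", "SIGABRT", "SIGBUS", "SIGILL", "SIGFPE")
    if hasattr(signal, name)
}

# Constructed stand-in target (assumption: it models a parser with a length bug).
# It parses a JSON document from stdin and aborts with SIGABRT when "name" is
# longer than 8 characters.
TARGET_SRC = r"""
import json, os, sys
doc = json.loads(sys.stdin.read())
if len(str(doc.get("name", ""))) > 8:
    os.abort()
"""
DEMO_COMMAND = [sys.executable, "-c", TARGET_SRC]


def run_target(command, payload, timeout=5.0):
    """Run one fresh instance of `command`, feeding `payload` (bytes) on stdin.
    Returns the return code, or None when the child exceeded `timeout`."""
    try:
        proc = subprocess.run(command, input=payload, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None
    return proc.returncode


def classify(returncode):
    """Map a return code to a verdict. On POSIX a negative code is the signal that
    killed the child; anything else (including a clean non-zero exit) is 'ok'."""
    if returncode is None:
        return "timeout"
    if returncode < 0 and -returncode in FATAL_SIGNALS:
        return "crash"
    return "ok"


def fuzz_loop(command, cases, outdir, timeout=5.0):
    """Feed every case to the target and keep the ones that crash or hang.
    Returns a list of (case_index, verdict, saved_path)."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    findings = []
    for index, case in enumerate(cases):
        verdict = classify(run_target(command, case, timeout))
        if verdict != "ok":
            path = outdir / f"case_{index:04d}_{verdict}.json"
            path.write_bytes(case)  # the reproducer is the artefact worth keeping
            findings.append((index, verdict, path))
    return findings


def demo_cases():
    """Constructed inputs: the README's seed document with a "name" of growing length."""
    seed = {"name": "bob", "test": ["1", 2, True]}
    return [json.dumps(dict(seed, name="A" * length)).encode() for length in (3, 8, 9, 64)]


def run_demo():
    """Run the constructed target over demo_cases(); returns [(index, verdict), ...]."""
    outdir = tempfile.mkdtemp(prefix="pjf_crashes_")
    return [(index, verdict) for index, verdict, _ in fuzz_loop(DEMO_COMMAND, demo_cases(), outdir)]


if __name__ == "__main__":
    for index, verdict in run_demo():
        print(f"case {index}: {verdict}")
```

Two details matter when you adapt this: a non-zero exit is deliberately not a finding (parsers reject malformed input all the time; only a signal or a hang is interesting), and the saved file is the exact bytes that were sent, so a crash can be replayed without re-running the fuzzer.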
Configuration table
| Name | Type | Description |
|---|---|---|
| json | dict | JSON object to fuzz |
| json_file | str | Path to a JSON file |
| parameters | list<str> | List of parameters (keys of the JSON object) to fuzz |
| techniques | str<int> | String of enabled attack groups used to generate fuzzed JSON (XSS, LFI, etc.), e.g. "CHPTRSX"; see the techniques table |
| level | int | Fuzzing level in the range 0-6 |
| utf8 | bool | If true, switch from unicode encoding to a pure byte representation |
| indent | bool | Whether to indent the result object |
| url_encode | bool | Whether to URL-encode the result object |
| strong_fuzz | bool | Whether to use strong fuzzing (strong fuzzing does not maintain the JSON structure; useful for parser fuzzing) |
| debug | bool | Whether to enable debug prints |
| exclude | bool | Exclude from fuzzing the parameters selected by the parameters option, instead of fuzzing only those |
| notify | bool | Whether to notify the process monitor when a crash occurs; only used with PJFServer |
| html | str | Path to an HTML directory to serve with PJFServer |
| ext_fuzz | bool | Whether to use the binary from "command" as an external fuzzer |
| cmd_fuzz | bool | Whether to use the binary from "command" as the fuzzing target |
| content_type | str | Content type returned by PJFServer (default application/json) |
| command | list<str> | Command to execute; each argument is a list element (you can use shlex.split from Python) |
Techniques table
| Index | Description |
|---|---|
| 0 | XSS injection (Polyglot) |
| 1 | SQL injection (Polyglot) |
| 2 | LFI attack |
| 3 | SQL injection polyglot (2) |
| 4 | XSS injection (Polyglot) (2) |
| 5 | RCE injection (Polyglot) |
| 6 | LFI attack (2) |
| 7 | Data URI attack |
| 8 | LFI and HREF attack |
| 9 | Header injection |
| 10 | RCE injection (Polyglot) (2) |
| 11 | Generic template injection |
| 12 | Flask template injection |
| 13 | Random character attack |
The letters accepted by the `techniques` option map to the indices above as follows:
```python
techniques = {
    "C": [10, 5, 13],
    "H": [9],
    "P": [6, 2, 8],
    "T": [11, 12],
    "R": [14],
    "S": [3, 1],
    "X": [0, 4, 7]
}
```
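The following added example (written for this page, not taken from PyJFuzz) shows how the group string, the `parameters`/`exclude` options and the non-`strong_fuzz` mode fit together: `resolve_techniques` expands a string such as "CHPTRSX" into an ordered, de-duplicated list of indices and rejects unknown letters, and `mutate` walks the document keeping every container's shape and keys while injecting a payload into the selected leaves. The `PAYLOADS` strings are constructed placeholders standing in for the polyglots inside PJFMutation, matching of `parameters` by key name at any depth is an assumption of this example, and note that the "R" group refers to index 14, which the techniques table above does not describe.

```python
import json
import random

# Technique groups exactly as listed in the README mapping above.
TECHNIQUE_GROUPS = {
    "C": [10, 5, 13],
    "H": [9],
    "P": [6, 2, 8],
    "T": [11, 12],
    "R": [14],
    "S": [3, 1],
    "X": [0, 4, 7],
}

# Constructed placeholder payloads keyed by technique index. They only stand in
# for the real polyglots, which live inside PJFMutation and are not reproduced here.
PAYLOADS = {
    0: "<svg/onload=alert(1)>",
    1: "' OR '1'='1",
    2: "../../../../etc/passwd",
    9: "x\r\nX-Injected: 1",
    13: "\x00\ufeff\xff",
}


def resolve_techniques(spec):
    """Expand a group string such as "CHPTRSX" into an ordered, de-duplicated list
    of technique indices. Unknown letters raise instead of being ignored, so a typo
    cannot silently shrink the attack surface you think you are testing."""
    indices = []
    for letter in spec.upper():
        if letter not in TECHNIQUE_GROUPS:
            raise ValueError(f"unknown technique group {letter!r}")
        for index in TECHNIQUE_GROUPS[letter]:
            if index not in indices:
                indices.append(index)
    return indices


def selected(key, parameters, exclude):
    """Apply the `parameters` / `exclude` options: with no parameter list every leaf
    is fair game; otherwise fuzz only the listed keys, or everything except them."""
    if not parameters:
        return True
    listed = key in parameters
    return not listed if exclude else listed


def mutate(obj, techniques, rng, parameters=(), exclude=False, key=None):
    """Structure-preserving mutation (the non-strong_fuzz mode): dicts and lists keep
    their shape and keys, only leaves change. Strings get the payload appended so the
    original value is still recognisable in the target's logs; other scalars are
    replaced outright, which also exercises type-confusion paths in the parser.
    Assumption: `parameters` are matched by key name at any depth."""
    if isinstance(obj, dict):
        return {k: mutate(v, techniques, rng, parameters, exclude, k) for k, v in obj.items()}
    if isinstance(obj, list):
        return [mutate(v, techniques, rng, parameters, exclude, key) for v in obj]
    if key is not None and not selected(key, parameters, exclude):
        return obj
    index = rng.choice(techniques)
    payload = PAYLOADS.get(index, f"<technique {index}>")
    return obj + payload if isinstance(obj, str) else payload


def mutate_document(seed, techniques, parameters=(), exclude=False, rng_seed=0):
    """One mutation of `seed` with an explicit list of technique indices."""
    return mutate(seed, list(techniques), random.Random(rng_seed), parameters, exclude)


def fuzz_cases(seed, spec, count, parameters=(), exclude=False, rng_seed=0):
    """Generate `count` fuzzed JSON strings from `seed` using the groups in `spec`.
    The RNG is seeded so a crash can be replayed from (seed, spec, rng_seed, index)."""
    techniques = resolve_techniques(spec)
    rng = random.Random(rng_seed)
    return [json.dumps(mutate(seed, techniques, rng, parameters, exclude)) for _ in range(count)]


if __name__ == "__main__":
    seed = {"test": ["1", 2, True], "id": 7}
    for case in fuzz_cases(seed, "PX", 3, parameters=("id",), exclude=True):
        print(case)
```

Keeping the generator deterministic is the point of `rng_seed`: the real library hands you a stream from `fuzzer.fuzzed`, but when a crash shows up you want to be able to regenerate the exact case rather than hope it recurs.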
Please report any issue via GitHub; I'll provide a fix as soon as possible.
Below is a list of known issues found by PyJFuzz; the list will be updated weekly.
- Double free in cJSON (DaveGamble/cJSON#105)
- Unhandled exception in picojson (kazuho/picojson#94)
- Memory leak in simpleJSON (nbsdx/SimpleJSON#8)
- Stack-based buffer overflow in frozen (cesanta/frozen#14)
- Memory corruption with custom EIP (cesanta/frozen#15)