Feature request: allow boofuzz to fuzz intermediate messages #549

Open
678098 opened this issue Oct 26, 2021 · 2 comments

Comments

@678098
Contributor

678098 commented Oct 26, 2021

Here is the code which sends messages prior to the fuzzed message:

```python
# excerpt from boofuzz's session code, as quoted in the issue
for e in mutation_context.message_path[:-1]:
```

So boofuzz allows only fuzzing of the last message in the chain.

For a graph like: [message1]->[message2]->[message3]
Fuzzing will look like this:
[message1 < fuzzing]
[message1]->[message2 < fuzzing]
[message1]->[message2]->[message3 < fuzzing]

It would be nice to have fuzzing like this, sending the remaining messages after the fuzzed message:
[message1 < fuzzing]->[message2]->[message3]
[message1]->[message2 < fuzzing]->[message3]

The reason is that a fuzzed intermediate message can still be correctly formed. But it can still have some incorrect fields which alter the inner state of the fuzzed entity, which can lead to a crash on later messages.

@SR4ven
Collaborator

SR4ven commented Nov 23, 2021

I get your point. Do you have a practical example where such behavior would be beneficial?

So far I've seen the previous messages as no more than preparations for the current node to be fuzzed. And I think that was the idea behind it when the feature was implemented.

I'd be fine if someone was to implement the changes you suggested. However, I think a feature toggle (as if we didn't already have more than enough of those :D) might be helpful as sending additional messages after the fuzzed node will take extra time and slow down the fuzzing. It might not be beneficial for every protocol.

What do you think @jtpereyda?

@678098
Contributor Author

678098 commented Sep 25, 2023

Thanks @SR4ven , sorry for the late reply.

This feature might be beneficial if we want to fuzz some stateful service. Some initial request types, for example, might configure this service, and the next request types are used to do some work with it. So fuzzing of intermediate nodes allows finding combinations of unhandled cases when we have a misconfiguration from these requests.

I might try to do it in my free time during weekends, but cannot promise anything yet. If the current class design doesn't easily extend to this use case, it might be safer to leave it as it is for now.

Let's close this issue until next updates
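The two comments above describe the same scenario from different angles: the current schedule (prefix, then the fuzzed node, nothing after it) and the proposed one (prefix, fuzzed node, then the rest of the path), and why the second finds bugs the first cannot when the target is stateful. The following is an added example written for this page; it is not boofuzz code and does not import boofuzz. It models a message path as a list of node names, implements both schedulers, and runs each against a constructed toy target whose CONFIGURE message silently accepts a record size of 0 that only blows up on a later READ. The path names, the toy protocol and the mutation lists are all assumptions made for the example.

```python
"""Added example: linear message-path scheduling, current vs. proposed behaviour.

Not boofuzz code. The target, protocol and mutations are constructed for illustration.
"""
from typing import Callable, Dict, List, Tuple

# A schedule entry is (node name, is_this_the_fuzzed_node).
Schedule = List[Tuple[str, bool]]


def schedule_last_only(path: List[str], fuzzed_index: int) -> Schedule:
    """Current behaviour as the issue describes it: send every message before the
    fuzzed node unmodified, send the fuzzed node mutated, send nothing after it."""
    return [(name, False) for name in path[:fuzzed_index]] + [(path[fuzzed_index], True)]


def schedule_with_suffix(path: List[str], fuzzed_index: int) -> Schedule:
    """Proposed behaviour: same prefix and fuzzed node, then replay the remaining
    messages unmodified so that state corrupted by the mutation is exercised."""
    return schedule_last_only(path, fuzzed_index) + [
        (name, False) for name in path[fuzzed_index + 1 :]
    ]


class ToyTarget:
    """Constructed stand-in for a stateful service. Assumed protocol:
    CONFIGURE <n>  sets the record size used by READ
    WRITE <bytes>  appends to an internal buffer
    READ           reports how many records the buffer holds"""

    def __init__(self) -> None:
        self.record_size = 16
        self.buffer = b""

    def handle(self, msg: bytes) -> bytes:
        kind, _, arg = msg.partition(b" ")
        if kind == b"CONFIGURE":
            # Latent bug: a well-formed message with size 0 is accepted without complaint.
            self.record_size = int(arg)
            return b"OK"
        if kind == b"WRITE":
            self.buffer += arg
            return b"OK"
        if kind == b"READ":
            # The misconfiguration only surfaces here, on a later message.
            return b"RECORDS %d" % (len(self.buffer) // self.record_size)
        return b"ERR"


# Constructed path, baseline messages and per-node mutations (not real boofuzz output).
PATH = ["configure", "write", "read"]
ORIGINALS: Dict[str, bytes] = {
    "configure": b"CONFIGURE 16",
    "write": b"WRITE " + b"A" * 32,
    "read": b"READ",
}
MUTATIONS: Dict[str, List[bytes]] = {
    "configure": [b"CONFIGURE 0", b"CONFIGURE -1", b"CONFIGURE abc"],
    "write": [b"WRITE " + b"A" * 4096],
    "read": [b"READ junk"],
}


def run_campaign(
    path: List[str],
    originals: Dict[str, bytes],
    mutations: Dict[str, List[bytes]],
    scheduler: Callable[[List[str], int], Schedule],
) -> List[Tuple[str, bytes, str, str]]:
    """Fuzz each node in turn with a fresh target per test case.
    Returns (fuzzed node, mutation, node that crashed, exception name) per crash."""
    crashes = []
    for i, node in enumerate(path):
        for mutated in mutations.get(node, []):
            target = ToyTarget()
            for name, is_fuzzed in scheduler(path, i):
                payload = mutated if is_fuzzed else originals[name]
                try:
                    target.handle(payload)
                except Exception as exc:  # any unhandled exception counts as a crash
                    crashes.append((node, mutated, name, type(exc).__name__))
                    break
    return crashes


if __name__ == "__main__":
    for sched in (schedule_last_only, schedule_with_suffix):
        print(sched.__name__)
        for crash in run_campaign(PATH, ORIGINALS, MUTATIONS, sched):
            print("  fuzzed %-9s with %-16r -> %s in %s" % crash)
```

The malformed mutation (`CONFIGURE abc`) crashes the target at the fuzzed node itself, so both schedules report it. The well-formed but wrong `CONFIGURE 0` is accepted, and only the schedule that goes on to send `READ` observes the resulting crash, which is exactly the class of bug the issue is asking boofuzz to reach. The cost SR4ven mentions is visible in the same code: every suffix message is extra traffic per test case, so a toggle per session would be the natural place to switch it on.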
