A fuzzing library that allows creating malicious payloads based on Joi validator schemas.

jlamendo/sorrow


What is it?

Sorrow is Joi's evil twin. It exists to create malicious payloads based on Joi validator schemas that will pass said validators.

Getting Started:

npm i sorrow

On the Server:

var sorrow = require('./sorrow.js');

In the browser:

<script src='/sorrow.1.0.3.min.js'></script>

Overview:

Sorrow has two primary components: a generational "dumb" fuzzer and the mutational "smart" fuzzer, Surku.

The generational fuzzer generates seed data based on data types, which is then run through the mutational fuzzer to help compensate for some of the limitations of fuzzing with a set of static strings. It creates a starting point for machine learning, to reduce some of the time and complexity that would be required to end up generating the same data via a purely mutational approach.

Each type gets its own separate mutator instance, which over time allows it to recognize patterns from each type and create more consistent and "smart" payloads. The more iterations that are run, the more accurate it becomes.

Sorrow is highly extensible, and I hope that you contribute to the project by doing just that. You can extend the generational fuzzer by adding additional payload strings to the configuration objects in vectors.js. If a target context is missing, it's pretty easy to add one: you define an array of strings and a name - very simple.

API

Sync "shorthand" API:

payload = sorrow[type]

Async/Sync API:

payload = sorrow.async[type]([seedVal],function(payload){
// seedVal is optional (the brackets mark an optional argument); pass null to use the built-in generators.
// If given a callback function, the return value will be the return value of the callback.
// Both the callback and return pattern give the same results.
})

Where 'type' is one of:

  • string
  • number
  • date
  • binary
  • object
  • boolean
  • array
  • any

The async API functions aren't purely asynchronous: sorrow performs a large amount of computation internally and can therefore easily block the event loop. Even so, it does offer a decent performance increase. The async API also has the ability to perform purely mutational fuzzing, rather than relying on the built-in set of attack vectors. To use the module in this way, call sorrow like this:

	payload = sorrow.async.string('asdf');
	//or...
	sorrow.async.string('asdf',function(payload){
		socket.emit(payload) // or whatever you want to do with it.
	})
	//or, to use the generators with the async methods...
	sorrow.async.string(null, function(payload){
		socket.emit(payload) // or whatever you want to do with it.
	})


sorrow.string

var payload = sorrow.string

Returns a string with a malicious payload targeting various systems. Useful when testing whether a validator lets injection payloads through. Included target contexts are:

  • HTML
  • JavaScript (server/client side)
  • SQL (MySQL, Oracle, Postgres)
  • OS command injection (bash, PowerShell, etc.)
  • Buffer overflows
  • Format strings
  • Integer overflows

Extending sorrow.string

If you have additional payloads, add them in /lib/vectors.js. The format is dead simple:

{
	"identifier": "SQL",
	"payloads": [
		'some',
		'payloads'
	],
	// optional: receives each payload string and returns a variant of it
	"customGenerator": function(vector){
		return vector.toUpperCase();
	}
}

Strings are not mutated by default.
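As an added example (not part of the sorrow project), here is a minimal registry in the vectors.js format above together with the kind of harness a defender would wrap around it: every payload is replayed against a Joi-style validator and the ones the validator accepts are reported as findings. The validators are hypothetical stand-ins for Joi's validate() result shape, and the payload strings are constructed placeholders.

```javascript
// Added example, not sorrow's own code. A registry in the vectors.js format:
// identifier, payloads, and an optional customGenerator producing variants.
// Payload strings are constructed placeholders, not real attack vectors.
const vectors = [
  {
    identifier: 'HTML',
    payloads: ['<MARKER_HTML>', 'plain text <MARKER_TAG attr=1>'],
  },
  {
    identifier: 'SQL',
    payloads: ["O'Brien", 'name -- MARKER_SQL'],
    // customGenerator receives each payload and returns a variant of it.
    customGenerator: function (vector) { return vector.toUpperCase(); },
  },
];

// Expand a registry into { identifier, payload } pairs, emitting one extra
// variant per payload when the vector defines a customGenerator.
function expandVectors(registry) {
  const out = [];
  for (const v of registry) {
    for (const p of v.payloads) {
      out.push({ identifier: v.identifier, payload: p });
      if (typeof v.customGenerator === 'function') {
        out.push({ identifier: v.identifier, payload: v.customGenerator(p) });
      }
    }
  }
  return out;
}

// Hypothetical validators mimicking the shape of Joi's validate() result
// (an `error` is present on failure, absent on success). The permissive one
// only bounds the length; the hardened one allow-lists username characters.
function permissiveValidate(value) {
  const ok = typeof value === 'string' && value.length <= 64;
  return ok ? {} : { error: 'too long' };
}
function hardenedValidate(value) {
  return /^[a-z0-9_]{1,32}$/.test(value) ? {} : { error: 'not allow-listed' };
}

// Run every payload through a validator. Each accepted payload is a finding:
// the validator let a fuzz payload reach the code behind it.
function findAccepted(validate, registry) {
  return expandVectors(registry)
    .filter(({ payload }) => !validate(payload).error)
    .map(({ identifier, payload }) => `${identifier}: ${payload}`);
}
```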


sorrow.number:

var payload = sorrow.number

Returns a random number via a Linear Congruential Generator (LCG) algorithm. Numbers are run through the mutational fuzzer before being returned.


sorrow.boolean:

var payload = sorrow.boolean

Returns true, false, 1, or 0.


sorrow.date

var payload = sorrow.date

Returns a random date generated by code to the following effect (lcg() is the module's linear congruential generator, the same one behind sorrow.number):

var random = lcg()
var timeRightNow = new Date().getTime();
// shrink the raw value until it is at most 1.2x the current epoch millis
while(random > timeRightNow * 1.2){
	random = random * Math.random();
}
// may land before 1970; pre-epoch dates are intended fuzz input
return new Date(Math.random() * timeRightNow - random)

Dates are run through the mutational fuzzer before being returned.
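The following is an added example (not sorrow's own code) covering both sorrow.number and sorrow.date: a seedable LCG standing in for the module's lcg(), and the date algorithm sketched above driven by that LCG instead of Math.random(), so a run that produced an interesting date can be replayed from its seed. The LCG constants (a = 1664525, c = 1013904223, m = 2^32) are common textbook values assumed here, not sorrow's, and the 53-bit widening of the raw output is likewise an assumption.

```javascript
// Added example, not sorrow's own code. Seedable LCG standing in for lcg();
// constants are the common Numerical Recipes parameters (assumption).
function makeLcg(seed) {
  let state = seed >>> 0;
  return function lcg() {
    // state = (a * state + c) mod 2^32; Math.imul keeps the product in 32 bits.
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    return state;
  };
}

// Uniform value in [0, 1) derived from the LCG, replacing Math.random() so the
// whole date sequence is a pure function of the seed.
function uniform(lcg) {
  return lcg() / 4294967296;
}

// The README's date sketch, driven by the LCG. Two 32-bit outputs are combined
// into a 53-bit integer (assumption about the magnitude sorrow's lcg() yields)
// so the shrinking loop actually has work to do against epoch milliseconds.
function randomDate(lcg, now) {
  let random = lcg() * 2097152 + (lcg() >>> 11);
  // shrink until the value is at most 1.2x the reference time
  while (random > now * 1.2) {
    random = random * uniform(lcg);
  }
  // a random point in [0, now) offset by `random`; may fall before 1970
  return new Date(uniform(lcg) * now - random);
}

// Replay check: two generators built from the same seed must produce the
// same dates in the same order. This is what lets a fuzz finding be reproduced.
function sameDates(seed, now, count) {
  const a = makeLcg(seed);
  const b = makeLcg(seed);
  for (let i = 0; i < count; i++) {
    if (randomDate(a, now).getTime() !== randomDate(b, now).getTime()) return false;
  }
  return true;
}
```

Note that an LCG is predictable by design; that is what makes fuzz runs reproducible, and also why it must never be reused as a source of security-relevant randomness.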


sorrow.binary

var payload = sorrow.binary

Returns a randomly sized chunk of junk bytes found in unallocated memory, run through the mutator. Note that sorrow.binary pulls this memory from your own process: if you are concerned about leaking sensitive data held in memory, the seed can be modified to use crypto.randomBytes instead, or to read a binary file in from the filesystem.

sorrow.object

var payload = sorrow.object

Returns a completely randomized object: its size is random, property names are pulled from a wordlist, and the property values are random sorrow components. It can and does recurse, with the recursion limit set to 3. Very memory/CPU intensive.


sorrow.array

var payload = sorrow.array

Similar to sorrow.object, but an array instead.


Changelog:

3/21/15: v1.0.4 - Updated package.json with the GitHub issues URL.
