Replies: 1 comment, 1 reply
- Fuzzing a webserver with afl++ is not optimal as afl++ does not know about headers, variables etc.
Hi everyone,
I’m currently working on fuzzing a router’s backend HTTP server (httpd) using AFL++. The HTTP server processes POST requests, and the request parameters often contain various values that need to be mutated. I've collected all the POST requests and their parameters, and I have a basic understanding of how AFL++ can fuzz these requests. However, I’m facing a specific challenge related to URL coverage and would appreciate your insights on how to handle it effectively.
Problem:
My router backend has around 130 different POST endpoints, each corresponding to a specific URL path. Each of these endpoints can potentially have vulnerabilities, but when running AFL++, it seems like only a subset of the POST requests (about 32 out of 130) are being mutated and tested, while the rest are not getting as much coverage. The issue is that even though AFL++ is not fuzzing all the endpoints equally, the uncovered ones still might have vulnerabilities.

My Current Approach:
I’ve been running multiple instances of AFL++ (one for each POST endpoint) with the idea that each instance would fuzz a different URL, but I’m unsure if this approach is the most efficient and effective. My goal is to ensure that all URLs are covered by the fuzzing process, even if they aren’t being favored by AFL++ automatically.
Question:
I’ve been considering using the afl_custom_mutator API to handle this issue, but I’m unsure how best to proceed. Specifically:
- How can I use afl_custom_mutator to ensure that all different POST URL paths are covered and tested?
- How can I ensure that even URLs with lower fuzzing frequency are tested?
- Should I modify AFL++'s mutation score or use fuzz_count() to control how often each URL is mutated?
- Has anyone else faced a similar issue with URL-specific coverage and how did you solve it?
What I’m Looking For:
Any suggestions, best practices, or examples from the community on how to ensure all URL paths are covered effectively during fuzzing.
Thanks in advance for any help or suggestions!
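One way to steer coverage across all POST paths with the custom mutator API, written as an added example for this thread (it is not code from the original post, the reply, or the AFL++ project). It uses AFL++'s Python custom mutator hooks `init(seed)`, `fuzz_count(buf)` and `fuzz(buf, add_buf, max_size)`, and assumes the target consumes one raw HTTP request from its input file. `ENDPOINTS` is a constructed placeholder list standing in for the router's real 130 paths, and the sample request is constructed too. Because AFL++ itself knows nothing about headers, the mutator parses the request, mutates either the path or one form parameter, and rebuilds it with a correct Content-Length so the httpd does not reject the input before reaching the handler. `fuzz_count` hands more iterations to seeds whose path has been exercised least, which is the lever the question asks about.

```python
"""AFL++ Python custom mutator that rotates POST paths and fixes Content-Length.

Run with (paths are placeholders):
  AFL_PYTHON_MODULE=http_path_mutator afl-fuzz -i seeds -o out -- ./httpd @@
Set AFL_CUSTOM_MUTATOR_ONLY=1 to stop AFL++'s havoc stage from corrupting headers.
"""
import random
from urllib.parse import parse_qsl, urlencode

# Constructed placeholder list: replace with the router's real POST paths.
ENDPOINTS = ["/goform/setWan", "/goform/setLan", "/goform/setWifi", "/goform/reboot"]
# How often each path has been handed to the target through this mutator.
path_hits = {p: 0 for p in ENDPOINTS}
_rng = random.Random()

# Constructed sample seed, used by the self-test below.
SAMPLE = (b"POST /goform/setWan HTTP/1.1\r\nHost: 192.168.0.1\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 21\r\n\r\n"
          b"wanMode=dhcp&mtu=1500")


def init(seed):
    """Called once by afl-fuzz; seed the RNG so runs are reproducible."""
    _rng.seed(seed)


def parse_request(buf):
    """Split a raw HTTP request into (method, path, version, headers, body), or None."""
    buf = bytes(buf)
    head, sep, body = buf.partition(b"\r\n\r\n")
    if not sep:
        head, sep, body = buf.partition(b"\n\n")
    lines = head.split(b"\r\n") if b"\r\n" in head else head.split(b"\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers = []
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers.append((k.strip(), v.strip()))
    return parts[0], parts[1], parts[2], headers, body


def build_request(method, path, version, headers, body):
    """Serialise the request again, recomputing Content-Length for the new body."""
    out = [b" ".join((method, path, version))]
    out += [k + b": " + v for k, v in headers if k.lower() != b"content-length"]
    out.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(out) + b"\r\n\r\n" + body


def least_fuzzed_path():
    return min(ENDPOINTS, key=lambda p: path_hits[p])


def mutate_params(body):
    """Mutate one value of a form-encoded body; key names stay intact."""
    pairs = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    if not pairs:
        return body
    i = _rng.randrange(len(pairs))
    k, v = pairs[i]
    strategy = _rng.randrange(4)
    if strategy == 0:        # long value
        v = v + "A" * _rng.randrange(1, 512)
    elif strategy == 1:      # interesting integers
        v = str(_rng.choice([0, -1, 2**31 - 1, 2**32, 65535]))
    elif strategy == 2:      # truncation
        v = v[:_rng.randrange(len(v) + 1)]
    else:                    # metacharacters the parser may mishandle
        v = v + _rng.choice(["%00", "%0d%0a", "'", '"', ";"])
    pairs[i] = (k, v)
    return urlencode(pairs, safe="%").encode("latin-1")


def fuzz_count(buf):
    """Give seeds whose path has been fuzzed least the most iterations (1..32)."""
    req = parse_request(buf)
    if req is None:
        return 1
    path = req[1].decode("latin-1").split("?")[0]
    behind = path_hits.get(path, 0) - min(path_hits.values())
    return max(1, 32 - min(31, behind))


def fuzz(buf, add_buf, max_size):
    """Return one mutated request; every 4th output targets the least-fuzzed path."""
    req = parse_request(buf)
    if req is None:
        return bytearray(buf[:max_size])
    method, path, version, headers, body = req
    spath = path.decode("latin-1")
    if _rng.randrange(4) == 0:
        spath = least_fuzzed_path()   # reach paths afl++ never favours on its own
    else:
        body = mutate_params(body)
    path_hits[spath] = path_hits.get(spath, 0) + 1
    out = build_request(method, spath.encode("latin-1"), version, headers, body)
    return bytearray(out[:max_size])  # truncation past max_size is accepted by design
```

The per-path counter is process-local, so with one afl-fuzz instance per endpoint (the approach described above) each instance only balances the paths it has seen; a single instance loading all 130 seeds lets the counter do the balancing for you.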