Fuzzilli – JavaScript Engine Fuzzing Library
Fuzzilii is a JavaScript engine fuzzing library, it’s a coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language (“FuzzIL”) which can be mutated and translated to JavaScript.
When fuzzing for core interpreter bugs, e.g. in JIT compilers, semantic correctness of generated programs becomes a concern. This is in contrast to most other scenarios, e.g. fuzzing of runtime APIs, in which case semantic correctness can easily be worked around by wrapping the generated code in try-catch constructs. There are different possibilities to achieve an acceptable rate of semantically correct samples, one of them being a mutational approach in which all samples in the corpus are also semantically valid. In that case, each mutation only has a small chance of turning a valid sample into an invalid one.
Using Fuzzilli JavaScript Engine Fuzzing Library
The basic steps to use this fuzzer are:
- Download the source code for one of the supported JavaScript engines. See the Targets/ directory for the list of supported JavaScript engines.
- Apply the corresponding patches from the target’s directory. Also see the README.md in that directory.
- Compile the engine with coverage instrumentation (requires clang >= 4.0) as described in the README.
- Compile the fuzzer:
swift build [-c release]. - Run the fuzzer:
swift run [-c release] FuzzilliCli --profile=. See also swift run[other cli options] /path/to/jsshell FuzzilliCli --help.
How FuzzIl works
FuzzIL has a number of properties:
- A FuzzIL program is simply a list of instructions.
- A FuzzIL instruction is an operation together with input and output variables and potentially one or more parameters (enclosed in single quotes in the notation above).
- Inputs to instructions are always variables, there are no immediate values.
- Every output of an instruction is a new variable, and existing variables can only be reassigned through dedicated operations such as the Reassign instruction.
- Every variable is defined before it is used.
A number of mutations can then be performed on these programs:
- InputMutator: replaces input variables of instructions with different ones to mutate the dataflow of the program.
- CodeGenMutator: generates code and inserts it somewhere in the mutated program. Code is generated either by running a code generator or by copying some instructions from another program in the corpus (splicing).
- CombineMutator: inserts a program from the corpus into a random position in the mutated program.
- OperationMutator: mutates the parameters of operations, for example replacing an integer constant with a different one.
- and more…
You can download Fuzzilli here:
Or read more here.
Topic: Exploits/Vulnerabilities
OWASP APICheck – HTTP API DevSecOps Toolset
APICheck is an HTTP API DevSecOps toolset, it integrates existing HTTP APIs tools, creates execution chains easily and is designed for integration with third-party tools in mind.
APICheck is comprised of a set of tools that can be connected to each other to achieve different functionalities, depending on how they are connected. It allows you to create execution chains and it can not only integrate self-developed tools but also can leverage existing tools in order to take advantage of them to provide new functionality.
Each tool in APICheck is a Docker image. This means that tools are a black box that could receive some information into its standard input and write results to the standard or error outputs. Additionally, the return code can be used to stop the current chain.
Who is APICheck HTTP API DevSecOps Toolset for?
APICheck focuses not only in the security testing and hacking use cases, the goal of the project is to become a complete toolset for DevSecOps cycles. The tools are aimed to different user profiles:
- Developers
- System Administrators
- Security Engineers & Penetration Testers
To allow interoperability among commands and tools, all of them share a common JSON data format. In other words, APICheck commands output JSON documents, and accept them as input, too. This allows you to build pipelines (as we showed in the previous section).
Using APICheck HTTP API DevSecOps Toolset
Once installed, you can run the Package Manager by using the command acp.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
$ acp Usage: acp [-h] [-w] {list,info,install,version} ... APICheck Manager positional arguments: {list,info,install,version} available actions list search in A info show expanded tool info install install an APICheck tool version displays version optional arguments: -h, --help show this help message and exit -w, --disable-warning disable check of RC Shell File |
You can download APICheck here:
|
1 |
pip install apicheck-package-manager |
Or read more here.
Topic: Security Software
trident – Automated Password Spraying Tool
The Trident project is an automated password spraying tool developed to be deployed across multiple cloud providers and provides advanced options around scheduling and IP pooling.
trident was designed and built to fulfill several requirements and to provide:
- the ability to be deployed on several cloud platforms/execution providers
- the ability to schedule spraying campaigns in accordance with a target’s account lockout policy
- the ability to increase the IP pool that authentication attempts originate from for operational security purposes
- the ability to quickly extend functionality to include newly-encountered authentication platforms
Using trident Password Spraying Tool
|
1 2 3 4 5 6 7 8 9 10 11 |
Usage: trident-cli campaign [flags] Flags: -a, --auth-provider string this is the authentication platform you are attacking (default "okta") -h, --help help for campaign -i, --interval duration requests will happen with this interval between them (default 1s) -b, --notbefore string requests will not start before this time (default "2020-09-09T22:31:38.643959-05:00") -p, --passfile string file of passwords (newline separated) -u, --userfile string file of usernames (newline separated) -w, --window duration a duration that this campaign will be active (ex: 4w) (default 672h0m0s) |
Example output:
|
1 2 3 4 5 6 7 8 |
$ trident-client results +----+-------------------+------------+-------+ | ID | USERNAME | PASSWORD | VALID | +----+-------------------+------------+-------+ | 1 | alice@example.org | Password1! | true | | 2 | bob@example.org | Password2! | true | | 3 | eve@example.org | Password3! | true | +----+-------------------+------------+-------+ |
You can download trident here:
Or read more here.
Topic: Password Cracking Tools
tko-subs – Detect & Takeover Subdomains With Dead DNS Records
tko-subs is a tool that helps you to detect & takeover subdomains with dead DNS records, this could be dangling CNAMEs point to hosting services or to nothing at all or NS records that are mistyped.
What does tko-subs – Detect & Takeover Subdomains With Dead DNS Records Do?
This tool allows you:
- To check whether a subdomain can be taken over because it has:
- a dangling CNAME pointing to a CMS provider (Heroku, Github, Shopify, Amazon S3, Amazon CloudFront, etc.) that can be taken over.
- a dangling CNAME pointing to a non-existent domain name
- one or more wrong/typoed NS records pointing to a nameserver that can be taken over by an attacker to gain control of the subdomain’s DNS records
- To actually take over those subdomain by providing a flag
-takeover. Currently, take over is only supported for Github Pages and Heroku Apps and by default the take over functionality is off. - To specify your own CMS providers and check for them via the providers-data.csv file. In that file, you would mention the CMS name, their CNAME value, their string that you want to look for and whether it only works over HTTP or not. Check it out for some examples.
How to install tko-subs to takeover subdomains with dead DNS records
You need GO installed. Once you have GO, just type go get github.com/anshumanbh/tko-subs to download the tool.
Once the tool is downloaded, type tko-subs -h.
The next thing we need to do is to get the following information:
- Github’s Personal Access Token – Make sure this token has the rights to create repositories, references, contents, etc. You can create this token here – https://github.com/settings/tokens
- Heroku Username and API key
- Heroku app name – You can create a static app on Heroku with whatever you want to be displayed on its homepage by following the instructions here – https://gist.github.com/wh1tney/2ad13aa5fbdd83f6a489. Once you create that app, use that app name in the flag (see below). We will use that app to take over the domain (with the dangling CNAME to another Heroku app).
NOTE – You only need these values if you want to take over subdomains. By default, that’s not required.
Required Go Packages to build.
|
1 2 3 4 5 6 7 |
go get github.com/bgentry/heroku-go go get github.com/gocarina/gocsv go get github.com/google/go-github/github go get github.com/olekukonko/tablewriter go get golang.org/x/net/publicsuffix go get golang.org/x/oauth2 go get github.com/miekg/dns |
You can download tko-subs here:
Or read more here.
Topic: Hacking Tools
Arcane – Tool To Backdoor iOS Packages (iPhone ARM)
Arcane is a simple script tool to backdoor iOS packages (iPhone ARM) and create the necessary resources for APT repositories. It was created to help illustrate why Cydia repositories can be dangerous and what post-exploitation attacks are possible from a compromised iOS device. How Arcane Tool To Backdoor iOS Package Works It’s possible to supply […]
Topic: Hacking Tools
SharpHose – Asynchronous Password Spraying Tool
SharpHose is an asynchronous password spraying tool in C# for Windows environments that takes into consideration fine-grained password policies and can be run over Cobalt Strike’s execute-assembly. It provides a flexible way to interact with Active Directory using domain-joined and non-joined contexts, while also being able to target specific domains and domain controllers. The tool […]
Topic: Password Cracking Tools