Welcome to Awesome Fuzzing
A curated list of fuzzing resources ( Books, courses - free and paid, videos, tools, tutorials and vulnerable applications to practice on ) for learning Fuzzing and initial phases of Exploit Development like root cause analysis.
Contents
Awesome Fuzzing Resources
Books
Books on fuzzing
-
Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton, Adam Greene, Pedram Amini.
-
Fuzzing for Software Security Testing and Quality Assurance by Ari Takanen, Charles Miller, Jared D Demott and Atte Kettunen.
-
Open Source Fuzzing Tools by by Gadi Evron and Noam Rathaus.
-
Gray Hat Python by Justin Seitz.
-
The Fuzzing Book by Andreas Zeller, Rahul Gopinath, Marcel Böhme, Gordon Fraser, and Christian Holler.
Note: Chapter(s) in the following books are dedicated to fuzzing.
- The Shellcoder's Handbook: Discovering and Exploiting Security Holes ( Chapter 15 ) by Chris Anley, Dave Aitel, David Litchfield and others.
- iOS Hacker's Handbook - Chapter 1 Charles Miller, Dino DaiZovi, Dion Blazakis, Ralf-Philip Weinmann, and Stefan Esser.
Courses
Courses/Training videos on fuzzing
Free
NYU Poly ( see videos for more ) - Made available freely by Dan Guido.
Samclass.info ( check projects section and chapter 17 ) - by Sam.
Modern Binary Exploitation ( RPISEC ) - Chapter 15 - by RPISEC.
Offensive Computer Security - Week 6 - by W. Owen Redwood and Prof. Xiuwen Liu.
Paid
Offensive Security, Cracking The Perimeter ( CTP ) and Advanced Windows Exploitation ( AWE )
SANS 660/760 Advanced Exploit Development for Penetration Testers
Exodus Intelligence - Vulnerability development master class
Videos
Videos talking about fuzzing techniques, tools and best practices
NYU Poly Course videos
Fuzzing 101 (Part 1) - by Mike Zusman.
Fuzzing 101 (Part 2) - by Mike Zusman.
Fuzzing 101 (2009) - by Mike Zusman.
Fuzzing - Software Security Course on Coursera - by University of Maryland.
Conference talks and tutorials
Youtube Playlist of various fuzzing talks and presentations - Lots of good content in these videos.
Browser bug hunting - Memoirs of a last man standing - by Atte Kettunen
Coverage-based Greybox Fuzzing as Markov Chain
DerbyCon 2016: Fuzzing basics...or how to break software
Tutorials and Blogs
Tutorials and blogs which explain methodology, techniques and best practices of fuzzing
Effective File Format Fuzzing - Mateusz “j00ru” Jurczyk @ Black Hat Europe 2016, London
A year of Windows kernel font fuzzing Part-1 the results - Amazing article by Google's Project Zero, describing what it takes to do fuzzing and create fuzzers.
A year of Windows kernel font fuzzing Part-2 the techniques - Amazing article by Google's Project Zero, describing what it takes to do fuzzing and create fuzzers.
Interesting bugs and resources at fuzzing project - by fuzzing-project.org.
Fuzzing workflows; a fuzz job from start to finish - by @BrandonPrry.
A gentle introduction to fuzzing C++ code with AFL and libFuzzer - by Jeff Trull.
A 15 minute introduction to fuzzing - by folks at MWR Security.
Note: Folks at fuzzing.info has done a great job of collecting some awesome links, I'm not going to duplicate their work. I will add papers missed by them and from 2015 and 2016. Fuzzing Papers - by fuzzing.info
Fuzzing Blogs - by fuzzing.info
Root Cause Analysis of the Crash during Fuzzing - by Corelan Team. Root cause analysis of integer flow - by Corelan Team.
Creating custom peach fuzzer publishers - by Open Security Research
7 Things to Consider Before Fuzzing a Large Open Source Project - by Emily Ratliff.
From Fuzzing to Exploit:
From fuzzing to 0-day - by Harold Rodriguez(@superkojiman).
From crash to exploit - by Corelan Team.
Peach Fuzzer related tutorials
Fuzzing with Peach Part 1 - by Jason Kratzer of corelan team
Fuzzing with Peach Part 2 - by Jason Kratzer of corelan team.
Auto generation of Peach pit files/fuzzers - by Frédéric Guihéry, Georges Bossert.
AFL Fuzzer related tutorials
Fuzzing workflows; a fuzz job from start to finish - by @BrandonPrry.
Fuzzing capstone using AFL persistent mode - by @toasted_flakes
RAM disks and saving your SSD from AFL Fuzzing
Bug Hunting with American Fuzzy Lop
Advanced usage of American Fuzzy Lop with real world examples
Segfaulting Python with afl-fuzz
Fuzzing With AFL-Fuzz, a Practical Example ( AFL vs Binutils )
The Importance of Fuzzing...Emulators?
How Heartbleed could've been found
Filesystem Fuzzing with American Fuzzy lop
Fuzzing Perl/XS modules with AFL
How to fuzz a server with American Fuzzy Lop - by Jonathan Foote
Fuzzing with AFL Workshop - a set of challenges on real vulnerabilities
libFuzzer Fuzzer related tutorials
libFuzzer Workshop: "Modern fuzzing of C/C++ Projects"
honggfuzz related tutorials
Double-Free RCE in VLC. A honggfuzz how-to
Spike Fuzzer related tutorials
Fuzzing with Spike to find overflows
Fuzzing with Spike - by samclass.info
FOE Fuzzer related tutorials
Fuzzing with FOE - by Samclass.info
SMT/SAT solver tutorials
Z3 - A guide - Getting Started with Z3: A Guide
Building a Feedback Fuzzer (for educational purposes)
Building A Feedback Fuzzer - by @fady_othman
Tools
Tools which helps in fuzzing applications
Cloud Fuzzers
Fuzzers which help fuzzing in cloud environments.
Cloudfuzzer - Cloud fuzzing framework which makes it possible to easily run automated fuzz-testing in cloud environments.
ClusterFuzzer - ClusterFuzzer, scalable open source fuzzing infrastructure. It is used by Google for fuzzing Chrome Browser.
Fuzzit - Fuzzit, Continuous fuzzing as a service platform. Free for open source. used by various open-source projects (systemd, radare2) and close-source projects. To join oss program drop a line at oss@fuzzit.dev
File Format Fuzzers
Fuzzers which helps in fuzzing file formats like pdf, mp3, swf etc.,
MiniFuzz - Wayback Machine link - Basic file format fuzzing tool by Microsoft. (No longer available on Microsoft website).
BFF from CERT - Basic Fuzzing Framework for file formats.
AFL Fuzzer (Linux only) - American Fuzzy Lop Fuzzer by Michal Zalewski aka lcamtuf
Win AFL - A fork of AFL for fuzzing Windows binaries by Ivan Fratic
Shellphish Fuzzer - A Python interface to AFL, allowing for easy injection of testcases and other functionality.
TriforceAFL - A modified version of AFL that supports fuzzing for applications whose source code not available.
AFLGo - Directed Greybox Fuzzing with AFL, to fuzz targeted locations of a program.
Peach Fuzzer - Framework which helps to create custom dumb and smart fuzzers.
MozPeach - A fork of peach 2.7 by Mozilla Security.
Failure Observation Engine (FOE) - mutational file-based fuzz testing tool for windows applications.
rmadair - mutation based file fuzzer that uses PyDBG to monitor for signals of interest.
honggfuzz - A general-purpose, easy-to-use fuzzer with interesting analysis options. Supports feedback-driven fuzzing based on code coverage. Supports GNU/Linux, FreeBSD, Mac OSX and Android.
zzuf - A transparent application input fuzzer. It works by intercepting file operations and changing random bits in the program's input.
radamsa - A general purpose fuzzer and test case generator.
binspector - A binary format analysis and fuzzing tool
grammarinator - Fuzzing tool for file formats based on ANTLR v4 grammars (lots of grammars already available from the ANTLR project).
Network Protocol Fuzzers
Fuzzers which helps in fuzzing applications which use network based protocals like HTTP, SSH, SMTP etc.,
Peach Fuzzer - Framework which helps to create custom dumb and smart fuzzers.
Sulley - A fuzzer development and fuzz testing framework consisting of multiple extensible components by Pedram Amini.
boofuzz - A fork and successor of Sulley framework.
Spike - A fuzzer development framework like sulley, a predecessor of sulley.
Metasploit Framework - A framework which contains some fuzzing capabilities via Auxiliary modules.
Nightmare - A distributed fuzzing testing suite with web administration, supports fuzzing using network protocols.
rage_fuzzer - A dumb protocol-unaware packet fuzzer/replayer.
Fuzzotron - A simple network fuzzer supporting TCP, UDP and multithreading.
Mutiny - The Mutiny Fuzzing Framework is a network fuzzer that operates by replaying PCAPs through a mutational fuzzer.
Fuzzing For Worms - A fuzzing framework for network servers.
AFL (w/ networking patch) - An unofficial american fuzzy lop capable of network fuzzing.
Browser Fuzzing
BFuzz - An input based, browser fuzzing framework.
Misc
Other notable fuzzers like Kernel Fuzzers, general purpose fuzzer etc.,
Choronzon - An evolutionary knowledge-based fuzzer
QuickFuzz - A tool written in Haskell designed for testing un-expected inputs of common file formats on third-party software, taking advantage of off-the-shelf, well known fuzzers.
gramfuzz - A grammar-based fuzzer that lets one define complex grammars to model text and binary data formats
KernelFuzzer - Cross Platform Kernel Fuzzer Framework.
honggfuzz - A general-purpose, easy-to-use fuzzer with interesting analysis options.
Hodor Fuzzer - Yet Another general purpose fuzzer.
libFuzzer - In-process, coverage-guided, evolutionary fuzzing engine for targets written in C/C++.
syzkaller - Distributed, unsupervised, coverage-guided Linux syscall fuzzer.
ansvif - An advanced cross platform fuzzing framework designed to find vulnerabilities in C/C++ code.
Tribble - Easy-to-use, coverage-guided JVM fuzzing framework.
go-fuzz - Coverage-guided testing of go packages.
FExM - Automated Large-Scale Fuzzing Framework
Taint Analysis
How user input affects the execution
PANDA ( Platform for Architecture-Neutral Dynamic Analysis )
QIRA (QEMU Interactive Runtime Analyser)
kfetch-toolkit - Tool to perform advanced logging of memory references performed by operating systems’ kernels
moflow - A software security framework containing tools for vulnerability, discovery, and triage.
Symbolic Execution SAT and SMT Solvers
Z3 - A theorem prover from Microsoft Research.
SMT-LIB - An international initiative aimed at facilitating research and development in Satisfiability Modulo Theories (SMT)
References
I haven't included some of the legends like AxMan, please refer the following link for more information. https://www.ee.oulu.fi/research/ouspg/Fuzzers
Essential Tools
Tools of the trade for exploit developers, reverse engineers
Debuggers
Windbg - The preferred debugger by exploit writers.
Immunity Debugger - Immunity Debugger by Immunity Sec.
OllyDbg - The debugger of choice by reverse engineers and exploit writers alike.
Mona.py ( Plugin for windbg and Immunity dbg ) - Awesome tools that makes life easy for exploit developers.
x64dbg - An open-source x64/x32 debugger for windows.
Evan's Debugger (EDB) - Front end for gdb.
GDB - Gnu Debugger - The favorite linux debugger.
PEDA - Python Exploit Development Assistance for GDB.
Radare2 - Framework for reverse-engineering and analyzing binaries.
Disassemblers and some more
Dissemblers, disassembly frameworks etc.,
IDA Pro - The best disassembler
binnavi - Binary analysis IDE, annotates control flow graphs and call graphs of disassembled code.
Capstone - Capstone is a lightweight multi-platform, multi-architecture disassembly framework.
Others
ltrace - Intercepts library calls
strace - Intercepts system calls
Vulnerable Applications
Exploit-DB - https://www.exploit-db.com (search and pick the exploits, which have respective apps available for download, reproduce the exploit by using fuzzer of your choice)
PacketStorm - https://packetstormsecurity.com/files/tags/exploit/
Fuzzgoat - Vulnerable C program for testing fuzzers.
vulnserver - A vulnerable server for testing fuzzers.
Samples files for seeding during fuzzing:
https://files.fuzzing-project.org/
MS Office file format documentation
Fuzzer Test Suite - Set of tests for fuzzing engines. Includes different well-known bugs such as Heartbleed, c-ares $100K bug and others.
Fuzzing Corpus - A corpus, including various file formats for fuzzing multiple targets in the fuzzing literature.
Anti Fuzzing
Introduction to Anti-Fuzzing: A Defence In-Depth Aid
Fuzzification: Anti-Fuzzing Techniques
AntiFuzz: Impeding Fuzzing Audits of Binary Executables
Contributing
Please refer the guidelines at contributing.md for details.
Thanks to the following folks who made contributions to this project.