/Awesome-Fuzzing

A curated list of fuzzing resources ( Books, courses - free and paid, videos, tools, tutorials and vulnerable applications to practice on ) for learning Fuzzing and initial phases of Exploit Development like root cause analysis.

Creative Commons Zero v1.0 UniversalCC0-1.0

Welcome to Awesome Fuzzing Awesome

A curated list of fuzzing resources ( Books, courses - free and paid, videos, tools, tutorials and vulnerable applications to practice on ) for learning Fuzzing and initial phases of Exploit Development like root cause analysis.

Contents

Awesome Fuzzing Resources

Books

Books on fuzzing

Note: Chapter(s) in the following books are dedicated to fuzzing.

Courses

Courses/Training videos on fuzzing

Free

NYU Poly ( see videos for more ) - Made available freely by Dan Guido.

Samclass.info ( check projects section and chapter 17 ) - by Sam.

Modern Binary Exploitation ( RPISEC ) - Chapter 15 - by RPISEC.

Offensive Computer Security - Week 6 - by W. Owen Redwood and Prof. Xiuwen Liu.

Paid

Offensive Security, Cracking The Perimeter ( CTP ) and Advanced Windows Exploitation ( AWE )

SANS 660/760 Advanced Exploit Development for Penetration Testers

Exodus Intelligence - Vulnerability development master class

Ada Logics - Applied Source Code Fuzzing

FuzzingLabs Academy (C/C++, Rust, Go fuzzing)

Signal Labs - Vulnerability Research & Fuzzing

Videos

Videos talking about fuzzing techniques, tools and best practices

NYU Poly Course videos

Fuzzing 101 (Part 1) - by Mike Zusman.

Fuzzing 101 (Part 2) - by Mike Zusman.

Fuzzing 101 (2009) - by Mike Zusman.

Fuzzing - Software Security Course on Coursera - by University of Maryland.

Conference talks and tutorials

Attacking Antivirus Software's Kernel Driver

Fuzzing the Windows Kernel - OffensiveCon 2020

Youtube Playlist of various fuzzing talks and presentations - Lots of good content in these videos.

Browser bug hunting - Memoirs of a last man standing - by Atte Kettunen

Coverage-based Greybox Fuzzing as Markov Chain

DerbyCon 2016: Fuzzing basics...or how to break software

Fuzz Theory - by Brandon Falk

Tutorials and Blogs

Tutorials and blogs which explain methodology, techniques and best practices of fuzzing

ARMored CoreSight: Towards Efficient Binary-only Fuzzing

Fuzzing Microsoft's RDP Client using Virtual Channels: Overview & Methodology

Fuzzing Closed Source PDF Viewers

Fuzzing Image Parsing in Windows, Part One: Color Profiles

Fuzzing Image Parsing in Windows, Part Two: Uninitialized Memory

Fuzzing Image Parsing in Windows, Part Three: RAW and HEIF

Fuzzing the Office Ecosystem

Effective File Format Fuzzing - Mateusz “j00ru” Jurczyk @ Black Hat Europe 2016, London

A year of Windows kernel font fuzzing Part-1 the results - Amazing article by Google's Project Zero, describing what it takes to do fuzzing and create fuzzers.

A year of Windows kernel font fuzzing Part-2 the techniques - Amazing article by Google's Project Zero, describing what it takes to do fuzzing and create fuzzers.

Interesting bugs and resources at fuzzing project - by fuzzing-project.org.

Fuzzing workflows; a fuzz job from start to finish - by @BrandonPrry.

A gentle introduction to fuzzing C++ code with AFL and libFuzzer - by Jeff Trull.

A 15 minute introduction to fuzzing - by folks at MWR Security.

Note: Folks at fuzzing.info has done a great job of collecting some awesome links, I'm not going to duplicate their work. I will add papers missed by them and from 2015 and 2016. Fuzzing Papers - by fuzzing.info

Fuzzing Blogs and Books - by fuzzing.info

Root Cause Analysis of the Crash during Fuzzing - by Corelan Team.

Root cause analysis of integer flow - by Corelan Team.

Creating custom peach fuzzer publishers - by Open Security Research

7 Things to Consider Before Fuzzing a Large Open Source Project - by Emily Ratliff.

From Fuzzing to Exploit:

From fuzzing to 0-day - by Harold Rodriguez(@superkojiman).

From crash to exploit - by Corelan Team.

Peach Fuzzer related tutorials

Peach Fuzzer Introductionh

Fuzzing with Peach Part 1 - by Jason Kratzer of corelan team

Fuzzing with Peach Part 2 - by Jason Kratzer of corelan team.

Auto generation of Peach pit files/fuzzers - by Frédéric Guihéry, Georges Bossert.

AFL Fuzzer related tutorials

Creating a fuzzing harness for FoxitReader 9.7 ConvertToPDF Function

50 CVEs in 50 Days: Fuzzing Adobe Reader

Fuzzing sockets, part 1: FTP servers

Fuzzing software: common challenges and potential solutions (Part 1)

Fuzzing software: advanced tricks (Part 2)

Fuzzing workflows; a fuzz job from start to finish - by @BrandonPrry.

Fuzzing capstone using AFL persistent mode - by @toasted_flakes

RAM disks and saving your SSD from AFL Fuzzing

Bug Hunting with American Fuzzy Lop

Advanced usage of American Fuzzy Lop with real world examples

Segfaulting Python with afl-fuzz

Fuzzing With AFL-Fuzz, a Practical Example ( AFL vs Binutils )

The Importance of Fuzzing...Emulators?

How Heartbleed could've been found

Filesystem Fuzzing with American Fuzzy lop

Fuzzing Perl/XS modules with AFL

How to fuzz a server with American Fuzzy Lop - by Jonathan Foote

Fuzzing with AFL Workshop - a set of challenges on real vulnerabilities

Fuzzing 101 - PHDays

libFuzzer Fuzzer related tutorials

libFuzzer Tutorial

Hunting for bugs in VirtualBox (First Take)

libFuzzer Workshop: "Modern fuzzing of C/C++ Projects"

honggfuzz related tutorials

Fuzzing ImageIO

Double-Free RCE in VLC. A honggfuzz how-to

Spike Fuzzer related tutorials

Fuzzing with Spike to find overflows

Fuzzing with Spike - by samclass.info

FOE Fuzzer related tutorials

Fuzzing with FOE - by Samclass.info

SMT/SAT solver tutorials

Z3 - A guide - Getting Started with Z3: A Guide

Building a Feedback Fuzzer (for educational purposes)

Building A Feedback Fuzzer - by @fady_othman

Tools

Tools which helps in fuzzing applications

Cloud Fuzzers

Fuzzers which help fuzzing in cloud environments.

Cloudfuzzer - Cloud fuzzing framework which makes it possible to easily run automated fuzz-testing in cloud environments.

ClusterFuzzer - ClusterFuzzer, scalable open source fuzzing infrastructure. It is used by Google for fuzzing Chrome Browser.

Fuzzit - Fuzzit, Continuous fuzzing as a service platform. Free for open source. used by various open-source projects (systemd, radare2) and close-source projects. To join oss program drop a line at oss@fuzzit.dev

File Format Fuzzers

Fuzzers which helps in fuzzing file formats like pdf, mp3, swf etc.,

Jackalope

Rehepapp

Newer version of Rehepapp

pe-afl combines static binary instrumentation on PE binary and WinAFL

MiniFuzz - Wayback Machine link - Basic file format fuzzing tool by Microsoft. (No longer available on Microsoft website).

BFF from CERT - Basic Fuzzing Framework for file formats.

AFL Fuzzer (Linux only) - American Fuzzy Lop Fuzzer by Michal Zalewski aka lcamtuf

Win AFL - A fork of AFL for fuzzing Windows binaries

Shellphish Fuzzer - A Python interface to AFL, allowing for easy injection of testcases and other functionality.

TriforceAFL - A modified version of AFL that supports fuzzing for applications whose source code not available.

AFLGo - Directed Greybox Fuzzing with AFL, to fuzz targeted locations of a program.

Peach Fuzzer - Framework which helps to create custom dumb and smart fuzzers.

MozPeach - A fork of peach 2.7 by Mozilla Security.

Failure Observation Engine (FOE) - mutational file-based fuzz testing tool for windows applications.

rmadair - mutation based file fuzzer that uses PyDBG to monitor for signals of interest.

honggfuzz - A general-purpose, easy-to-use fuzzer with interesting analysis options. Supports feedback-driven fuzzing based on code coverage. Supports GNU/Linux, FreeBSD, Mac OSX and Android.

zzuf - A transparent application input fuzzer. It works by intercepting file operations and changing random bits in the program's input.

radamsa - A general purpose fuzzer and test case generator.

binspector - A binary format analysis and fuzzing tool

grammarinator - Fuzzing tool for file formats based on ANTLR v4 grammars (lots of grammars already available from the ANTLR project).

Sloth - Sloth 🦥 is a coverage guided fuzzing framework for fuzzing Android Native libraries that makes use of libFuzzer and QEMU user-mode emulation.

ManuFuzzer - Binary code-coverage fuzzer for macOS, based on libFuzzer and LLVM.

Network Protocol Fuzzers

Fuzzers which helps in fuzzing applications which use network based protocals like HTTP, SSH, SMTP etc.,

Peach Fuzzer - Framework which helps to create custom dumb and smart fuzzers.

Sulley - A fuzzer development and fuzz testing framework consisting of multiple extensible components by Pedram Amini.

boofuzz - A fork and successor of Sulley framework.

Spike - A fuzzer development framework like sulley, a predecessor of sulley.

Metasploit Framework - A framework which contains some fuzzing capabilities via Auxiliary modules.

Nightmare - A distributed fuzzing testing suite with web administration, supports fuzzing using network protocols.

rage_fuzzer - A dumb protocol-unaware packet fuzzer/replayer.

Fuzzotron - A simple network fuzzer supporting TCP, UDP and multithreading.

Mutiny - The Mutiny Fuzzing Framework is a network fuzzer that operates by replaying PCAPs through a mutational fuzzer.

Fuzzing For Worms - A fuzzing framework for network servers.

AFL (w/ networking patch) - An unofficial american fuzzy lop capable of network fuzzing.

AFLNet - A Greybox Fuzzer for Network Protocols (an extention of AFL).

Pulsar - Protocol Learning, Simulation and Stateful Fuzzer.

Browser Fuzzing

BFuzz - An input based, browser fuzzing framework. Fuzzinator - Fuzzinator Random Testing Framework Grizzly - A cross-platform browser fuzzing framework

Misc

Other notable fuzzers like Kernel Fuzzers, general purpose fuzzer etc.,

Choronzon - An evolutionary knowledge-based fuzzer

QuickFuzz - A tool written in Haskell designed for testing un-expected inputs of common file formats on third-party software, taking advantage of off-the-shelf, well known fuzzers.

gramfuzz - A grammar-based fuzzer that lets one define complex grammars to model text and binary data formats

KernelFuzzer - Cross Platform Kernel Fuzzer Framework.

honggfuzz - A general-purpose, easy-to-use fuzzer with interesting analysis options.

Hodor Fuzzer - Yet Another general purpose fuzzer.

libFuzzer - In-process, coverage-guided, evolutionary fuzzing engine for targets written in C/C++.

syzkaller - Distributed, unsupervised, coverage-guided Linux syscall fuzzer.

ansvif - An advanced cross platform fuzzing framework designed to find vulnerabilities in C/C++ code.

Tribble - Easy-to-use, coverage-guided JVM fuzzing framework.

go-fuzz - Coverage-guided testing of go packages.

FExM - Automated Large-Scale Fuzzing Framework

Jazzer - A coverage-guided, in-process fuzzer for the Java Virtual Machine based on libFuzzer.

cifuzz - A command line tool for executing coverage-guided fuzz tests in multiple languages and targets.

WebGL Fuzzer - WebGL Fuzzer

fast-check - A fuzzer tool written in TypeScript and designed to run un-expected inputs against JavaScript code.

Taint Analysis

How user input affects the execution

PANDA ( Platform for Architecture-Neutral Dynamic Analysis )

QIRA (QEMU Interactive Runtime Analyser)

kfetch-toolkit - Tool to perform advanced logging of memory references performed by operating systems’ kernels

moflow - A software security framework containing tools for vulnerability, discovery, and triage.

Symbolic Execution SAT and SMT Solvers

Z3 - A theorem prover from Microsoft Research.

SMT-LIB - An international initiative aimed at facilitating research and development in Satisfiability Modulo Theories (SMT)

Symbolic execution with KLEE: From installation and introduction to bug-finding in open source software - A set of four instructional videos introducing KLEE, starting with how to get started with KLEE and ending with a demo that finds memory corruption bugs in real code.

References

I haven't included some of the legends like AxMan, please refer the following link for more information. https://www.ee.oulu.fi/research/ouspg/Fuzzers

Essential Tools

Tools of the trade for exploit developers, reverse engineers

Debuggers

Windbg - The preferred debugger by exploit writers.

Immunity Debugger - Immunity Debugger by Immunity Sec.

OllyDbg - The debugger of choice by reverse engineers and exploit writers alike.

Mona.py ( Plugin for windbg and Immunity dbg ) - Awesome tools that makes life easy for exploit developers.

x64dbg - An open-source x64/x32 debugger for windows.

Evan's Debugger (EDB) - Front end for gdb.

GDB - Gnu Debugger - The favorite linux debugger.

PEDA - Python Exploit Development Assistance for GDB.

Radare2 - Framework for reverse-engineering and analyzing binaries.

Disassemblers and some more

Dissemblers, disassembly frameworks etc.,

IDA Pro - The best disassembler

binnavi - Binary analysis IDE, annotates control flow graphs and call graphs of disassembled code.

Capstone - Capstone is a lightweight multi-platform, multi-architecture disassembly framework.

Others

ltrace - Intercepts library calls

strace - Intercepts system calls

Vulnerable Applications

Exploit-DB - https://www.exploit-db.com (search and pick the exploits, which have respective apps available for download, reproduce the exploit by using fuzzer of your choice)

PacketStorm - https://packetstormsecurity.com/files/tags/exploit/

Fuzzgoat - Vulnerable C program for testing fuzzers.

vulnserver - A vulnerable server for testing fuzzers.

Samples files for seeding during fuzzing:

https://files.fuzzing-project.org/

PDF Test Corpus from Mozilla

MS Office file format documentation

Fuzzer Test Suite - Set of tests for fuzzing engines. Includes different well-known bugs such as Heartbleed, c-ares $100K bug and others.

Fuzzing Corpus - A corpus, including various file formats for fuzzing multiple targets in the fuzzing literature.

Anti Fuzzing

Introduction to Anti-Fuzzing: A Defence In-Depth Aid

Fuzzification: Anti-Fuzzing Techniques

AntiFuzz: Impeding Fuzzing Audits of Binary Executables

Directed Fuzzing

Awesome Directed Fuzzing: A curated list of awesome directed fuzzing research papers.

Contributing

Please refer the guidelines at contributing.md for details.

Thanks to the following folks who made contributions to this project.