A curated list of fuzzing resources ( Books, courses - free and paid, videos, tools, tutorials and vulnerable applications to practice on ) for learning Fuzzing and initial phases of Exploit Development like root cause analysis.
Books on fuzzing
-
Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton, Adam Greene, Pedram Amini.
-
Fuzzing for Software Security Testing and Quality Assurance by Ari Takanen, Charles Miller, Jared D Demott and Atte Kettunen.
-
Open Source Fuzzing Tools by by Gadi Evron and Noam Rathaus.
-
Gray Hat Python by Justin Seitz.
Note: Chapter(s) in the following books are dedicated to fuzzing.
- The Shellcoder's Handbook: Discovering and Exploiting Security Holes ( Chapter 15 ) by Chris Anley, Dave Aitel, David Litchfield and others.
- iOS Hacker's Handbook - Chapter 1 Charles Miller, Dino DaiZovi, Dion Blazakis, Ralf-Philip Weinmann, and Stefan Esser.
Courses/Training videos on fuzzing
NYU Poly ( see videos for more ) - Made available freely by Dan Guido.
Samclass.info ( check projects section and chapter 17 ) - by Sam.
Modern Binary Exploitation ( RPISEC ) - Chapter 15 - by RPISEC.
Offensive Computer Security - Week 6 - by W. Owen Redwood and Prof. Xiuwen Liu.
Offensive Security, Cracking The Perimeter ( CTP ) and Advanced Windows Exploitation ( AWE )
SANS 660/760 Advanced Exploit Development for Penetration Testers
Exodus Intelligence - Vulnerability development master class
Videos talking about fuzzing techniques, tools and best practices
Fuzzing 101 (Part 1) - by Mike Zusman.
Fuzzing 101 (Part 2) - by Mike Zusman.
Fuzzing 101 (2009) - by Mike Zusman.
Fuzzing - Software Security Course on Coursera - by University of Maryland.
Youtube Playlist of various fuzzing talks and presentations - Lots of good content in these videos.
Browser bug hunting - Memoirs of a last man standing - by Atte Kettunen
Coverage-based Greybox Fuzzing as Markov Chain
DerbyCon 2016: Fuzzing basics...or how to break software
Tutorials and blogs which explain methodology, techniques and best practices of fuzzing
Effective File Format Fuzzing - Mateusz “j00ru” Jurczyk @ Black Hat Europe 2016, London
A year of Windows kernel font fuzzing Part-1 the results - Amazing article by Google's Project Zero, describing what it takes to do fuzzing and create fuzzers.
A year of Windows kernel font fuzzing Part-2 the techniques - Amazing article by Google's Project Zero, describing what it takes to do fuzzing and create fuzzers.
Interesting bugs and resources at fuzzing project - by fuzzing-project.org.
Fuzzing workflows; a fuzz job from start to finish - by @BrandonPrry.
A gentle introduction to fuzzing C++ code with AFL and libFuzzer - by Jeff Trull.
A 15 minute introduction to fuzzing - by folks at MWR Security.
Note: Folks at fuzzing.info has done a great job of collecting some awesome links, I'm not going to duplicate their work. I will add papers missed by them and from 2015 and 2016. Fuzzing Papers - by fuzzing.info
Fuzzing Blogs - by fuzzing.info
Root Cause Analysis of the Crash during Fuzzing - by Corelan Team. Root cause analysis of integer flow - by Corelan Team.
Creating custom peach fuzzer publishers - by Open Security Research
7 Things to Consider Before Fuzzing a Large Open Source Project - by Emily Ratliff.
From fuzzing to 0-day - by Harold Rodriguez(@superkojiman).
From crash to exploit - by Corelan Team.
Fuzzing with Peach Part 1 - by Jason Kratzer of corelan team
Fuzzing with Peach Part 2 - by Jason Kratzer of corelan team.
Auto generation of Peach pit files/fuzzers - by Frédéric Guihéry, Georges Bossert.
Fuzzing workflows; a fuzz job from start to finish - by @BrandonPrry.
Fuzzing capstone using AFL persistent mode - by @toasted_flakes
RAM disks and saving your SSD from AFL Fuzzing
Bug Hunting with American Fuzzy Lop
Advanced usage of American Fuzzy Lop with real world examples
Segfaulting Python with afl-fuzz
Fuzzing With AFL-Fuzz, a Practical Example ( AFL vs Binutils )
The Importance of Fuzzing...Emulators?
How Heartbleed could've been found
Filesystem Fuzzing with American Fuzzy lop
Fuzzing Perl/XS modules with AFL
How to fuzz a server with American Fuzzy Lop - by Jonathan Foote
Fuzzing with AFL Workshop - a set of challenges on real vulnerabilities
libFuzzer Workshop: "Modern fuzzing of C/C++ Projects"
Double-Free RCE in VLC. A honggfuzz how-to
Fuzzing with Spike to find overflows
Fuzzing with Spike - by samclass.info
Fuzzing with FOE - by Samclass.info
Z3 - A guide - Getting Started with Z3: A Guide
Building A Feedback Fuzzer - by @fady_othman
Tools which helps in fuzzing applications
Fuzzers which help fuzzing in cloud environments.
Cloudfuzzer - Cloud fuzzing framework which makes it possible to easily run automated fuzz-testing in cloud environments.
ClusterFuzzer - ClusterFuzzer, scalable open source fuzzing infrastructure. It is used by Google for fuzzing Chrome Browser.
Fuzzit - Fuzzit, Continuous fuzzing as a service platform. Free for open source. used by various open-source projects (systemd, radare2) and close-source projects. To join oss program drop a line at oss@fuzzit.dev
Fuzzers which helps in fuzzing file formats like pdf, mp3, swf etc.,
MiniFuzz - Wayback Machine link - Basic file format fuzzing tool by Microsoft. (No longer available on Microsoft website).
BFF from CERT - Basic Fuzzing Framework for file formats.
AFL Fuzzer (Linux only) - American Fuzzy Lop Fuzzer by Michal Zalewski aka lcamtuf
Win AFL - A fork of AFL for fuzzing Windows binaries by Ivan Fratic
Shellphish Fuzzer - A Python interface to AFL, allowing for easy injection of testcases and other functionality.
TriforceAFL - A modified version of AFL that supports fuzzing for applications whose source code not available.
Peach Fuzzer - Framework which helps to create custom dumb and smart fuzzers.
MozPeach - A fork of peach 2.7 by Mozilla Security.
Failure Observation Engine (FOE) - mutational file-based fuzz testing tool for windows applications.
rmadair - mutation based file fuzzer that uses PyDBG to monitor for signals of interest.
honggfuzz - A general-purpose, easy-to-use fuzzer with interesting analysis options. Supports feedback-driven fuzzing based on code coverage. Supports GNU/Linux, FreeBSD, Mac OSX and Android.
zzuf - A transparent application input fuzzer. It works by intercepting file operations and changing random bits in the program's input.
radamsa - A general purpose fuzzer and test case generator.
binspector - A binary format analysis and fuzzing tool
grammarinator - Fuzzing tool for file formats based on ANTLR v4 grammars (lots of grammars already available from the ANTLR project).
Fuzzers which helps in fuzzing applications which use network based protocals like HTTP, SSH, SMTP etc.,
Peach Fuzzer - Framework which helps to create custom dumb and smart fuzzers.
Sulley - A fuzzer development and fuzz testing framework consisting of multiple extensible components by Pedram Amini.
boofuzz - A fork and successor of Sulley framework.
Spike - A fuzzer development framework like sulley, a predecessor of sulley.
Metasploit Framework - A framework which contains some fuzzing capabilities via Auxiliary modules.
Nightmare - A distributed fuzzing testing suite with web administration, supports fuzzing using network protocols.
rage_fuzzer - A dumb protocol-unaware packet fuzzer/replayer.
Fuzzotron - A simple network fuzzer supporting TCP, UDP and multithreading.
Mutiny - The Mutiny Fuzzing Framework is a network fuzzer that operates by replaying PCAPs through a mutational fuzzer.
Fuzzing For Worms - A fuzzing framework for network servers.
BFuzz - An input based, browser fuzzing framework.
Other notable fuzzers like Kernel Fuzzers, general purpose fuzzer etc.,
Choronzon - An evolutionary knowledge-based fuzzer
QuickFuzz - A tool written in Haskell designed for testing un-expected inputs of common file formats on third-party software, taking advantage of off-the-shelf, well known fuzzers.
gramfuzz - A grammar-based fuzzer that lets one define complex grammars to model text and binary data formats
KernelFuzzer - Cross Platform Kernel Fuzzer Framework.
honggfuzz - A general-purpose, easy-to-use fuzzer with interesting analysis options.
Hodor Fuzzer - Yet Another general purpose fuzzer.
libFuzzer - In-process, coverage-guided, evolutionary fuzzing engine for targets written in C/C++.
syzkaller - Distributed, unsupervised, coverage-guided Linux syscall fuzzer.
ansvif - An advanced cross platform fuzzing framework designed to find vulnerabilities in C/C++ code.
Tribble - Easy-to-use, coverage-guided JVM fuzzing framework.
go-fuzz - Coverage-guided testing of go packages.
FExM - Automated Large-Scale Fuzzing Framework
How user input affects the execution
PANDA ( Platform for Architecture-Neutral Dynamic Analysis )
QIRA (QEMU Interactive Runtime Analyser)
kfetch-toolkit - Tool to perform advanced logging of memory references performed by operating systems’ kernels
moflow - A software security framework containing tools for vulnerability, discovery, and triage.
Z3 - A theorem prover from Microsoft Research.
SMT-LIB - An international initiative aimed at facilitating research and development in Satisfiability Modulo Theories (SMT)
I haven't included some of the legends like AxMan, please refer the following link for more information. https://www.ee.oulu.fi/research/ouspg/Fuzzers
Tools of the trade for exploit developers, reverse engineers
Windbg - The preferred debugger by exploit writers.
Immunity Debugger - Immunity Debugger by Immunity Sec.
OllyDbg - The debugger of choice by reverse engineers and exploit writers alike.
Mona.py ( Plugin for windbg and Immunity dbg ) - Awesome tools that makes life easy for exploit developers.
x64dbg - An open-source x64/x32 debugger for windows.
Evan's Debugger (EDB) - Front end for gdb.
GDB - Gnu Debugger - The favorite linux debugger.
PEDA - Python Exploit Development Assistance for GDB.
Radare2 - Framework for reverse-engineering and analyzing binaries.
Dissemblers, disassembly frameworks etc.,
IDA Pro - The best disassembler
binnavi - Binary analysis IDE, annotates control flow graphs and call graphs of disassembled code.
Capstone - Capstone is a lightweight multi-platform, multi-architecture disassembly framework.
ltrace - Intercepts library calls
strace - Intercepts system calls
Exploit-DB - https://www.exploit-db.com (search and pick the exploits, which have respective apps available for download, reproduce the exploit by using fuzzer of your choice)
PacketStorm - https://packetstormsecurity.com/files/tags/exploit/
Fuzzgoat - Vulnerable C program for testing fuzzers.
vulnserver - A vulnerable server for testing fuzzers.
https://files.fuzzing-project.org/
MS Office file format documentation
Fuzzer Test Suite - Set of tests for fuzzing engines. Includes different well-known bugs such as Heartbleed, c-ares $100K bug and others.
Fuzzing Corpus - A corpus, including various file formats for fuzzing multiple targets in the fuzzing literature.
Introduction to Anti-Fuzzing: A Defence In-Depth Aid
Please refer the guidelines at contributing.md for details.
Thanks to the following folks who made contributions to this project.