How to fuzz a simple http server


ndm...@gmail.com

Jun 17, 2016, 5:03:37 AM
to afl-users
Hi All,

I am very new to the world of fuzzing. I happened to come across afl while studying the basics.
I tried out afl with a video decoder and was able to run it successfully. Next I wanted to fuzz a 
simple http server, which essentially keeps on listening on a particular port for incoming connections.
I am able to check it from a browser (http://localhost:1234). But I am not able to find out how to fuzz the
server using afl.

Any help would be greatly appreciated.

Warm Regards,
Andy

James Fell

Jun 17, 2016, 5:18:34 AM
to afl-...@googlegroups.com
It isn't as straightforward. This article should help you:

https://www.fastly.com/blog/how-fuzz-server-american-fuzzy-lop

James

Jacek Wielemborek

Jun 17, 2016, 12:26:30 PM
to afl-...@googlegroups.com
On 17.06.2016 at 11:03, ndm...@gmail.com wrote:
You might be interested in this as well:

https://groups.google.com/forum/#!searchin/afl-users/network/afl-users/HxSb9Mv0dfQ/sPv91xEeDQAJ


Amy Armbrust

Jun 17, 2016, 12:43:39 PM
to afl-...@googlegroups.com


ndm...@gmail.com

Jun 19, 2016, 2:01:53 PM
to afl-users
Thanks all for the useful links.


Warm Regards,
Andy

smith...@gmail.com

Jun 20, 2016, 8:40:22 AM
to afl-users
Hi,

I am also struggling to find out the same. It would be helpful if someone could provide working sample code to test a basic http server using afl.

My server code looks like this:

#include <stdio.h>
#include <string.h>    //strlen
#include <sys/socket.h>
#include <arpa/inet.h> //inet_addr
#include <unistd.h>    //write
#include <stdlib.h>
#include <signal.h>
 
int main(int argc , char *argv[])
{
    int socket_desc , client_sock;
    socklen_t c;            //accept() expects a socklen_t, not an int
    ssize_t read_size;
    struct sockaddr_in server , client;
    char client_message[2000];
     
    //Create socket
    socket_desc = socket(AF_INET , SOCK_STREAM, 0);
    if (socket_desc == -1)
    {
        perror("Could not create socket");
        return 1;
    }
    puts("Socket created");
     
    //Prepare the sockaddr_in structure
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = INADDR_ANY;
    server.sin_port = htons( 8888 );

    // set SO_REUSEADDR on a socket to true (1):
    int optval = 1;
    setsockopt(socket_desc, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof optval);
     
    //Bind
    if( bind(socket_desc,(struct sockaddr *)&server , sizeof(server)) < 0)
    {
        //print the error message
        perror("bind failed. Error");
        return 1;
    }
    puts("bind done");
     
    //Listen
    listen(socket_desc , 3);
     
    //Accept an incoming connection
    puts("Waiting for incoming connections...");
    c = sizeof(struct sockaddr_in);
     
    //accept connection from an incoming client
    client_sock = accept(socket_desc, (struct sockaddr *)&client, &c);
    if (client_sock < 0)
    {
        perror("accept failed");
        return 1;
    }
    puts("Connection accepted");
     
    //Receive a message from client; never ask recv() for more bytes than the buffer holds
    while( (read_size = recv(client_sock , client_message , sizeof(client_message) , 0)) > 0 )
    {
        //echo back exactly the bytes received (the buffer is not NUL-terminated, so no strlen)
        write(client_sock , client_message , read_size);
        if(read_size>10)
            break;
    }
     
    if(read_size == 0)
    {
        puts("Client disconnected");
        fflush(stdout);
    }
    else if(read_size == -1)
    {
        perror("recv failed");
    }
    close(client_sock);
    close(socket_desc);
    return 0;
}


Thanks,
Rob


Tim Newsham

Jun 21, 2016, 4:04:52 PM
to afl-users
For servers I much prefer to write a small driver program which skips the accept loop and just passes an input file descriptor to the function that handles a single client.  This isn't always possible, but when it is, it makes it easier for fuzzing and also for reproducing interesting cases.  Sometimes for a server you may want to have buffers come into the server in the right sized chunks, in which case you can write a small client which reads the input stream up to a delimiter, and writes it to the fd, with a pause between them.  In that case you can fork off a separate child process to pump these messages into a socketpair, for example.  Or better, if your server has an API for pumping messages in, you can just use that API for each message chunk (unfortunately that's not how most servers are written).
 
Tim
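The driver Tim describes, as an added example in C that is not code from the thread: the per-client handler is taken out of the accept loop and fed from an input file (AFL's @@ argument) through a socketpair by a forked pump child that pauses after each line. handle_client, pump_chunks and fuzz_one_file are hypothetical names, and the handler's minimal "is it a GET request line" check is an assumption standing in for real server logic.

```c
/* Added example, not the thread's code: an AFL driver of the shape Tim describes.
 * handle_client() is the per-connection logic; all names here are hypothetical. */
#define _DEFAULT_SOURCE 1                         /* usleep(), fork() on glibc */
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Read one request line (bounded) and answer it: 200 for a GET line, 400 otherwise, -1 on I/O error. */
int handle_client(int in_fd, int out_fd) {
    char buf[2000], method[8] = {0}, path[256] = {0};
    size_t len = 0; ssize_t n = 0;
    while (len < sizeof buf - 1 &&
           (n = read(in_fd, buf + len, sizeof buf - 1 - len)) > 0) {
        len += (size_t)n;
        if (memchr(buf, '\n', len)) break;        /* request line complete */
    }
    if (n < 0) return -1;
    buf[len] = '\0';                              /* len <= 1999, in bounds */
    int ok = memchr(buf, '\n', len) != NULL &&    /* %7s/%255s bound the copies */
             sscanf(buf, "%7s %255s", method, path) == 2 && !strcmp(method, "GET");
    const char *reply = ok ? "HTTP/1.0 200 OK\r\n\r\nhello\n" : "HTTP/1.0 400 Bad Request\r\n\r\n";
    return write(out_fd, reply, strlen(reply)) < 0 ? -1 : (ok ? 200 : 400);
}

/* Child side: copy the input to the socket line by line with a short pause. */
static void pump_chunks(int in_fd, int sock) {
    char c; signal(SIGPIPE, SIG_IGN);             /* handler may stop reading early */
    while (read(in_fd, &c, 1) == 1 && write(sock, &c, 1) == 1)
        if (c == '\n') usleep(1000);
}

/* Drive the handler over one file (AFL's @@ argument); the reply goes to stdout. */
int fuzz_one_file(const char *path) {
    int in_fd = open(path, O_RDONLY), sv[2];
    if (in_fd < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) { close(sv[0]); pump_chunks(in_fd, sv[1]); _exit(0); }
    close(sv[1]); close(in_fd);
    int status = handle_client(sv[0], STDOUT_FILENO);
    close(sv[0]); waitpid(pid, NULL, 0);
    return status;
}

int main(int argc, char **argv) {                 /* usage: ./driver input-file */
    return argc == 2 && fuzz_one_file(argv[1]) == 200 ? 0 : 1;
}
```

Built with afl-gcc and run as `afl-fuzz -i in -o out -- ./driver @@`, every test case reaches handle_client without any socket(), bind() or accept() call, and a crashing input can be replayed with the same binary.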
