# Injection fuzzing

Coverage guided fuzzing so far is only able to detect crashes, so usually
memory corruption issues, or - if implemented by hand in the harness -
violated invariants.

This is a proof-of-concept implementation to additionally hunt for injection
vulnerabilities.
It works by instrumenting calls to specific functions and parsing the
query parameter for a specific unescaped dictionary string, and if detected,
crashes the target.

This has a very low false positive rate.
But obviously this can only find injection vulnerabilities that are susceptible
to this specific (but most common) issue. Hence for a rare kind of injection
vulnerability this won't find the bug - the result is a false negative.
But this can be tweaked by the user - see the HOW TO MODIFY section below.
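The mechanism described above, as an added stand-alone example written for this page (it is not AFL++'s own code, which lives in `instrumentation/injection-pass.cc` and `instrumentation/afl-compiler-rt.o.c`): a fuzzer dictionary token (the "canary") is spliced into the input, an instrumented wrapper in front of the query-executing function checks whether the canary reached the query string unescaped, and fires where the real runtime would `abort()`. The canary value, the helper names (`injection_check_sql`, `instrumented_exec`, `lookup_user_*`) and the inputs are constructed for this example; the third lookup shows the false-negative case mentioned above, where a transformed input still injects but the byte-for-byte check misses it.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed canary token (an assumption for this example; AFL++ keeps its
 * real tokens in src/afl-fuzz.c). The quotes sit between ordinary
 * characters, so quote doubling or backslash escaping both break the match. */
#define SQL_CANARY "x'\"y"

/* Model of the runtime check: look for the canary verbatim in the query that
 * is about to be executed. Returns 1 when it fires, 0 otherwise. */
int injection_check_sql(const char *query) {
    if (query != NULL && strstr(query, SQL_CANARY) != NULL) {
        fprintf(stderr, "ALERT: SQL injection canary reached query: %s\n", query);
        return 1;
    }
    return 0;
}

/* Stand-in for an instrumented call site: the compiler pass inserts the check
 * in front of the real driver call (sqlite3_exec, mysql_query, ...), which is
 * omitted here. Returns 1 if the check fired, 0 if the query would run. */
static int instrumented_exec(const char *query) {
    if (injection_check_sql(query)) return 1; /* real runtime: abort() */
    /* ... the real driver call would run here ... */
    return 0;
}

/* Backslash-escape ' " and \ into out. Returns 0 if out is too small. */
static int escape_sql_literal(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (; *in != '\0'; in++) {
        if (*in == '\'' || *in == '"' || *in == '\\') {
            if (o + 2 >= outlen) return 0;
            out[o++] = '\\';
        } else if (o + 1 >= outlen) {
            return 0;
        }
        out[o++] = *in;
    }
    out[o] = '\0';
    return 1;
}

/* Vulnerable: fuzzer input is concatenated straight into the statement, so
 * the canary arrives intact and the detector turns this into a crash. */
int lookup_user_vulnerable(const char *username) {
    char query[512];
    snprintf(query, sizeof query,
             "SELECT id FROM users WHERE name = '%s'", username);
    return instrumented_exec(query);
}

/* Fixed: the literal is escaped first, the canary no longer appears verbatim
 * and the detector stays quiet. (Parameter binding would be the better fix;
 * escaping is used here only because it keeps the example self-contained.) */
int lookup_user_escaped(const char *username) {
    char escaped[512], query[1024];
    if (!escape_sql_literal(username, escaped, sizeof escaped)) return -1;
    snprintf(query, sizeof query,
             "SELECT id FROM users WHERE name = '%s'", escaped);
    return instrumented_exec(query);
}

/* False negative: the input is transformed (here upper-cased) before
 * concatenation. The quotes still break out of the literal, but the canary
 * is no longer matched byte-for-byte, so a detector tuned to the plain token
 * misses it; the token or the check needs tweaking to cover such paths. */
int lookup_user_uppercased(const char *username) {
    char upper[256], query[512];
    size_t i;
    for (i = 0; username[i] != '\0' && i + 1 < sizeof upper; i++)
        upper[i] = (char)toupper((unsigned char)username[i]);
    upper[i] = '\0';
    snprintf(query, sizeof query,
             "SELECT id FROM users WHERE name = '%s'", upper);
    return instrumented_exec(query);
}

int main(void) {
    /* Constructed fuzzer inputs: a benign name and one with the canary spliced in. */
    const char *inputs[] = { "bob", "bob" SQL_CANARY };
    for (size_t i = 0; i < 2; i++) {
        printf("input %zu: vulnerable=%d escaped=%d uppercased=%d\n", i,
               lookup_user_vulnerable(inputs[i]),
               lookup_user_escaped(inputs[i]),
               lookup_user_uppercased(inputs[i]));
    }
    return 0;
}
```

The vulnerable lookup is the only one the detector flags for the canary input; the escaped lookup shows why a correctly escaped sink never trips it (the low false-positive rate), and the upper-cased lookup is the kind of path for which the token or the check in the runtime would have to be adjusted.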

## How to use

Set one or more of the following environment variables both when **compiling**
the target and - *this is important* - when **fuzzing** the target:

 - `AFL_LLVM_INJECTIONS_SQL`
 - `AFL_LLVM_INJECTIONS_LDAP`
 - `AFL_LLVM_INJECTIONS_XSS`

Alternatively you can set `AFL_LLVM_INJECTIONS_ALL` to enable all of them.

## How to modify

If you want to add more functions to check for e.g. SQL injections:
Add these to `instrumentation/injection-pass.cc` and recompile.

If you want to test for more injection inputs:
Add the dictionary tokens to `src/afl-fuzz.c` and the check for them to
`instrumentation/afl-compiler-rt.o.c`.

If you want to add new injection targets:
You will have to edit all three files.

Just search for:
```
// Marker: ADD_TO_INJECTIONS
```
in the files to see where this needs to be added.

**NOTE:** pull requests to improve this feature are highly welcome :-)