  • Stars: 175
  • Rank 213,803 (Top 5 %)
  • Language: Go
  • License: BSD 3-Clause "New...
  • Created over 8 years ago
  • Updated about 8 years ago


Repository Details

HTTP/2 fuzzer written in Golang

http2fuzz (No longer under development)

HTTP2 fuzzer built in Golang.

Fuzzer

Usage

$ make build
$ ./http2fuzz --help
Usage of ./http2fuzz:
     -fuzz-delay=100: number of milliseconds to wait between each request per strategy
     -listen="0.0.0.0": interface to listen from
     -port="8000": port to listen from
     -restart-delay=10: number a milliseconds to wait between broken connections
     -target="": HTTP2 server to fuzz in host:port format
$ ./http2fuzz --target "localhost:443"

Description

http2fuzz is a semi-intelligent fuzzer. It knows how to build valid http2 frames of each type (Pings/Data/Settings etc).

The details are subject to change, but the core idea stays the same: the code instantiates 'fuzzer' objects. Each fuzzer object controls one TLS connection and kicks off a few fuzzing strategies on that connection.

For example, one of the fuzzers kicks off three strategies: PriorityFuzzer, PingFuzzer, and HeaderFuzzer. So on a single TLS connection we are sending a stream of Priority/Ping/Header frames with garbage values. If at any time the TLS connection goes down, the connection is re-established.

Strategies

SettingsFuzzer:

  • Picks a random number between 0-5
  • Appends that many random settings with random values to a SettingsFrame

HeaderFuzzer:

  • Picks a random number between 0-5
  • Appends that many random HTTP headers with random values to a HeadersFrame

PriorityFuzzer:

  • Sends Priority frames with a random streamDependency, streamId, weight, and exclusive value

PingFuzzer:

  • Sends a ping frame with a random 8 byte payload

ResetFuzzer:

  • Sends a RST Frame with a random streamId and errorCode

WindowUpdateFuzzer:

  • Sends a Window Update Frame with a random streamId and increment value.

RawFrameFuzzer:

  • Generates a random frameType (0-12), random flags (0-255), a random 31-bit streamId, and a random byte array of length 0-10000.
  • Sends the resulting (usually invalid) frame

DataFuzzer:

  • Sends a Data Frame with a random streamId, endStream bool, and random payload between 0-10000 bytes

PushPromiseFuzzer:

  • Sends a PushPromise Frame with a random payload of 0-10000 bytes, streamId, promiseId, endHeaders bool, and padLength (0-255)

ContinuationFuzzer:

  • Sends a Continuation Frame with a random streamId, endStream bool and payload of length 0-10000 bytes.

RawTCPFuzzer:

  • Establishes a TLS connection, and sends complete garbage to it. The payload is a byte array of length 0-10000.
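
The strategies above all come down to filling in the four fields of one HTTP/2 frame. The following Go program is an added illustration, not code from http2fuzz: it encodes and decodes the 9-byte frame header, generates frames with the RawFrameFuzzer ranges listed above, and checks each one against the per-frame-type rules of RFC 7540 section 6 that a conformant receiver must enforce. The type constants, the Validate function and its error strings are this example's own. The point it makes is that every frame the fuzzer sends is either well-formed or one the target must answer with PROTOCOL_ERROR or FRAME_SIZE_ERROR and a closed connection; a crash, hang or leak instead is the finding.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math/rand"
)

// Frame types from RFC 7540 section 6. Types 0xa-0xc are outside the base spec
// and a receiver must ignore them (section 4.1), hence the fuzzer's 0-12 range.
const (
	typeData, typeHeaders, typePriority, typeRSTStream, typeSettings          = 0, 1, 2, 3, 4
	typePushPromise, typePing, typeGoAway, typeWindowUpdate, typeContinuation = 5, 6, 7, 8, 9
	headerLen                                                                 = 9
)

// Frame is the generic HTTP/2 frame whose four fields the strategies randomise.
type Frame struct {
	Type     uint8
	Flags    uint8
	StreamID uint32 // 31 bits; the reserved high bit is cleared on encode
	Payload  []byte
}

// Encode serialises the 9-byte header (24-bit length, type, flags, R + 31-bit stream id) and payload.
func (f Frame) Encode() []byte {
	buf := make([]byte, headerLen+len(f.Payload))
	buf[0], buf[1], buf[2] = byte(len(f.Payload)>>16), byte(len(f.Payload)>>8), byte(len(f.Payload))
	buf[3], buf[4] = f.Type, f.Flags
	binary.BigEndian.PutUint32(buf[5:9], f.StreamID&0x7fffffff)
	copy(buf[headerLen:], f.Payload)
	return buf
}

// Decode parses one frame from b the way a receiver would, refusing short input instead of over-reading.
func Decode(b []byte) (Frame, error) {
	if len(b) < headerLen {
		return Frame{}, errors.New("short frame header")
	}
	n := int(b[0])<<16 | int(b[1])<<8 | int(b[2])
	if len(b) < headerLen+n {
		return Frame{}, fmt.Errorf("truncated payload: header says %d bytes, %d present", n, len(b)-headerLen)
	}
	return Frame{Type: b[3], Flags: b[4], StreamID: binary.BigEndian.Uint32(b[5:9]) & 0x7fffffff,
		Payload: b[headerLen : headerLen+n]}, nil
}

// RandomRawFrame uses the RawFrameFuzzer ranges: type 0-12, flags 0-255,
// any 31-bit stream id, payload of 0-10000 random bytes.
func RandomRawFrame(r *rand.Rand) Frame {
	p := make([]byte, r.Intn(10001))
	r.Read(p)
	return Frame{Type: uint8(r.Intn(13)), Flags: uint8(r.Intn(256)), StreamID: uint32(r.Int31()), Payload: p}
}

// Validate applies the per-type size and stream-id rules of RFC 7540 section 6. nil means well-formed;
// a non-nil error names the connection error a conformant target must answer with before closing.
func Validate(f Frame) error {
	n, connLevel := len(f.Payload), f.StreamID == 0
	protocol := func(why string) error { return fmt.Errorf("PROTOCOL_ERROR: %s", why) }
	size := func(why string) error { return fmt.Errorf("FRAME_SIZE_ERROR: %s", why) }
	switch f.Type {
	case typeData, typeHeaders, typePriority, typeRSTStream, typePushPromise, typeContinuation:
		if connLevel {
			return protocol("stream-level frame on stream 0")
		}
	case typeSettings, typePing, typeGoAway:
		if !connLevel {
			return protocol("connection-level frame on a non-zero stream")
		}
	}
	switch { // cases are tested in order, so WINDOW_UPDATE's payload is only read once its length is known to be 4
	case f.Type == typePriority && n != 5:
		return size("PRIORITY payload must be 5 bytes")
	case f.Type == typeRSTStream && n != 4:
		return size("RST_STREAM payload must be 4 bytes")
	case f.Type == typeSettings && f.Flags&0x1 != 0 && n != 0:
		return size("SETTINGS ACK must carry no payload")
	case f.Type == typeSettings && n%6 != 0:
		return size("SETTINGS payload must be a multiple of 6 bytes")
	case f.Type == typePing && n != 8:
		return size("PING payload must be 8 bytes")
	case f.Type == typeGoAway && n < 8:
		return size("GOAWAY payload must be at least 8 bytes")
	case f.Type == typeWindowUpdate && n != 4:
		return size("WINDOW_UPDATE payload must be 4 bytes")
	case f.Type == typeWindowUpdate && binary.BigEndian.Uint32(f.Payload)&0x7fffffff == 0:
		return protocol("WINDOW_UPDATE increment of 0")
	}
	return nil // unknown types 0xa-0xc land here: they must be ignored, not rejected
}
func main() {
	r := rand.New(rand.NewSource(1))
	for i := 0; i < 5; i++ {
		d, _ := Decode(RandomRawFrame(r).Encode()) // our own encoding cannot be truncated
		fmt.Printf("type=%d flags=%#02x stream=%d len=%d -> %v\n", d.Type, d.Flags, d.StreamID, len(d.Payload), Validate(d))
	}
}
```

Run it with go run to see five random raw frames and the verdict a strict receiver would give each. The truncation check in Decode is the kind of length handling a server must get right before trusting the 24-bit length field, and the frame-size limit (SETTINGS_MAX_FRAME_SIZE, 16384 by default) would be the next check to add for payloads larger than the 10000 bytes this fuzzer sends.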

Fuzzers

Each fuzzer is built from strategies. Currently the fuzzers are:

Fuzzer 1:

  • RawFrameFuzzer

Fuzzer 2:

  • PriorityFuzzer
  • PingFuzzer
  • HeaderFuzzer

Fuzzer 3:

  • PriorityFuzzer
  • PingFuzzer
  • HeaderFuzzer
  • WindowUpdateFuzzer

Fuzzer 4:

  • PriorityFuzzer
  • PingFuzzer
  • HeaderFuzzer
  • ResetFuzzer

Fuzzer 5:

  • SettingsFuzzer
  • HeaderFuzzer

Fuzzer 6:

  • DataFuzzer
  • HeaderFuzzer

Fuzzer 7:

  • ContinuationFuzzer
  • HeaderFuzzer

Fuzzer 8:

  • PushPromiseFuzzer
  • HeaderFuzzer

Fuzzer 9:

  • RawTCPFuzzer

Fuzzer 10:

  • RawTCPFuzzer (without clientpreface)
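
Each fuzzer in the list above is one connection plus a set of strategies, with the connection re-established whenever the target drops it. The Go program below is an added example written for this page, not part of http2fuzz: it models that loop with an injectable Dial so it runs offline against a constructed flaky connection, carries a PING strategy and a raw-garbage strategy, and has a Preface switch that separates Fuzzer 9 from Fuzzer 10. The Fuzzer struct, flakyConn and the round-robin scheduling are this example's assumptions; the page does not say how the tool schedules its strategies or whether it retries the message that hit a dead connection.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"math/rand"
	"time"
)

const ClientPreface = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n" // RFC 7540 section 3.5

type Strategy func(r *rand.Rand) []byte // produces the next fuzz message for the shared connection

// Fuzzer owns one connection and drives several strategies over it, in the spirit
// of an http2fuzz "fuzzer object". Dial is injected so the loop can run offline.
type Fuzzer struct {
	Dial         func() (io.WriteCloser, error)
	Strategies   []Strategy
	Preface      bool          // false reproduces "Fuzzer 10" (no client preface)
	RestartDelay time.Duration // cf. --restart-delay: pause before re-dialling
	Sent         int           // messages written without error
	Reconnects   int           // connections re-established after a write error
}

// connect dials the target and, if enabled, sends the client preface first.
func (f *Fuzzer) connect() (io.WriteCloser, error) {
	conn, err := f.Dial()
	if err == nil && f.Preface {
		if _, err = io.WriteString(conn, ClientPreface); err != nil {
			conn.Close()
		}
	}
	return conn, err
}

// Run writes `rounds` messages, rotating through the strategies (rotation is this example's
// simplification). A write error is treated as the target dropping the connection: re-dial
// after RestartDelay and carry on without retrying the message that hit the dead connection.
func (f *Fuzzer) Run(r *rand.Rand, rounds int) error {
	conn, err := f.connect()
	if err != nil {
		return err
	}
	for i := 0; i < rounds; i++ {
		msg := f.Strategies[i%len(f.Strategies)](r)
		if _, err := conn.Write(msg); err != nil {
			conn.Close()
			time.Sleep(f.RestartDelay)
			if conn, err = f.connect(); err != nil {
				return err
			}
			f.Reconnects++
			continue
		}
		f.Sent++
	}
	return conn.Close()
}

// frame builds one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload.
func frame(t, flags byte, stream uint32, payload []byte) []byte {
	h := []byte{byte(len(payload) >> 16), byte(len(payload) >> 8), byte(len(payload)), t, flags, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(h[5:], stream&0x7fffffff)
	return append(h, payload...)
}

func randBytes(r *rand.Rand, n int) []byte {
	b := make([]byte, n)
	r.Read(b)
	return b
}

// PingStrategy: a PING frame (type 6) on stream 0 with a random 8-byte payload.
func PingStrategy(r *rand.Rand) []byte { return frame(6, 0, 0, randBytes(r, 8)) }

// RawTCPStrategy: 0-10000 bytes of garbage with no framing at all.
func RawTCPStrategy(r *rand.Rand) []byte { return randBytes(r, r.Intn(10001)) }

// flakyConn is a constructed stand-in target: it accepts `limit` writes per connection, then fails.
type flakyConn struct{ writes, limit int }

func (c *flakyConn) Write(p []byte) (int, error) {
	if c.writes++; c.writes > c.limit {
		return 0, errors.New("connection reset by peer")
	}
	return len(p), nil
}
func (c *flakyConn) Close() error { return nil }

// NewOfflineFuzzer wires both strategies to a flakyConn that drops after limit writes.
func NewOfflineFuzzer(limit int, preface bool) *Fuzzer {
	return &Fuzzer{Preface: preface, Strategies: []Strategy{PingStrategy, RawTCPStrategy},
		Dial: func() (io.WriteCloser, error) { return &flakyConn{limit: limit}, nil }}
}

func main() {
	f := NewOfflineFuzzer(3, true)
	err := f.Run(rand.New(rand.NewSource(1)), 10)
	fmt.Println("err:", err, "sent:", f.Sent, "reconnects:", f.Reconnects)
}
```

To point it at a real target, replace the Dial closure with a tls.Dial call (NextProtos set to "h2") or a plain net.Dial for an h2c endpoint, and give RestartDelay a non-zero value. With the flaky stand-in every fourth write on a connection fails, and because the preface itself counts as a write, enabling it costs an extra reconnect over the same ten rounds.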

Code Layout

http2fuzz/
    certs/     Holds localhost certificates for fuzzing as an http2 server
    docs/      Holds documents and pictures
    fuzzer/    Holds the actual fuzzing code for client/server, along with an http2 connection wrapper class
    replay/    Holds code for replaying packets from a json file
    util/      Holds common utility functions

fuzzer/connection.go contains the Connection struct. This structure sits on top of the actual TLS/TCP connection and defines a number of methods for sending HTTP2 frames on it. It also handles the HPACK encoding/decoding.

fuzzer/fuzzer.go contains all the fuzzing strategies.

Replay Mode

Replay mode has not been wired back in since the recent refactor, and it only works with the raw frame fuzzer. For testing with single frames, a script like this works:

package main

import (
    "io"
    "net"

    // github.com/bradfitz/http2 is the original import path; the package has
    // since moved to golang.org/x/net/http2 with the same Framer API.
    "github.com/bradfitz/http2"
    "github.com/c0nrad/http2fuzz/util"
)

func main() {
    // Plaintext (h2c) target; use tls.Dial with NextProtos "h2" for a TLS endpoint.
    var Target = "localhost:80"

    conn := Dial(Target)
    defer conn.Close()

    // Every HTTP/2 connection starts with the client preface.
    if _, err := io.WriteString(conn, http2.ClientPreface); err != nil {
        panic(err)
    }

    framer := http2.NewFramer(conn, conn)

    // FrameType, Flags, StreamId, Payload: the four fields the raw frame fuzzer records.
    err := framer.WriteRawFrame(http2.FrameType(10), http2.Flags(16), 481004859, util.FromBase64("dZfden+U2nU/Y5uUsM3iz2XwAboFueI/xyR2"))
    if err != nil {
        panic(err)
    }
}

func Dial(host string) net.Conn {
    conn, err := net.Dial("tcp", host)
    if err != nil {
        panic(err)
    }
    return conn
}

Contact

[email protected]

Copyright

Copyright 2015 Yahoo Inc. Licensed under the BSD license, see LICENSE file for terms. Written by Stuart Larsen
