├── .travis.yml
├── Contributing.md
├── LICENSE
├── README.md
└── README_ch.md

/.travis.yml:
--------------------------------------------------------------------------------
language: ruby
rvm:
  - 2.2
before_script:
  - gem install awesome_bot
script:
  - awesome_bot README.md --allow-dupe --white-list travis-ci

--------------------------------------------------------------------------------
/Contributing.md:
--------------------------------------------------------------------------------
# Contribution Guidelines

Please ensure your pull request follows the guidelines below:

- Please make sure your suggestion is not a duplicate.
- Open a pull request for your suggestion, providing a link and a description.
- Feel free to suggest new categories and/or improvements to the existing ones.

We appreciate your contributions and thank you for the suggestions!

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
CC0 1.0 Universal

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others.

For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following:

i. the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work;

ii. moral rights retained by the original author(s) and/or performer(s);

iii. publicity and privacy rights pertaining to a person's image or likeness depicted in a Work;

iv. rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below;

v. rights protecting the extraction, dissemination, use and reuse of data in a Work;

vi. database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and

vii. other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.

4. Limitations and Disclaimers.

a. No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.

b. Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.

c.
Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work.

d. Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.

For more information, please see

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
Welcome to Awesome Fuzzing [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)
===================

A curated list of fuzzing resources (books, free and paid courses, videos, tools, tutorials and vulnerable applications to practice on) for learning fuzzing and the initial phases of exploit development, such as root cause analysis.

### Contents
- [Books](#books)
- [Courses](#courses)
  + [Free](#free)
  + [Paid](#paid)
- [Videos](#videos)
  + [NYU Poly Course videos](#nyu-poly-course-videos)
  + [Conference talks and tutorials](#conference-talks-and-tutorials)
- [Tutorials and Blogs](#tutorials-and-blogs)
- [Tools](#tools)
  + [Cloud Fuzzers](#cloud-fuzzers)
  + [File Format Fuzzers](#file-format-fuzzers)
  + [Network Protocol Fuzzers](#network-protocol-fuzzers)
  + [Browser Fuzzing](#browser-fuzzing)
  + [Taint Analysis](#taint-analysis)
  + [Symbolic Execution SAT and SMT Solvers](#symbolic-execution-sat-and-smt-solvers)
  + [Essential Tools](#essential-tools)
- [Vulnerable Applications](#vulnerable-applications)
- [Anti-Fuzzing](#anti-fuzzing)
- [Directed-Fuzzing](#directed-fuzzing)
- [Contributing](#contributing)


# Awesome Fuzzing Resources

## Books

*Books on fuzzing*
- [Fuzzing: Brute Force Vulnerability Discovery](https://www.amazon.com/Fuzzing-Brute-Force-Vulnerability-Discovery/dp/0321446119) by Michael Sutton, Adam Greene and Pedram Amini.

- [Fuzzing for Software Security Testing and Quality Assurance](https://www.amazon.com/Fuzzing-Software-Security-Testing-Assurance/dp/1608078507) by Ari Takanen, Charles Miller, Jared DeMott and Atte Kettunen.

- [Open Source Fuzzing Tools](https://www.amazon.com/Open-Source-Fuzzing-Tools-Rathaus/dp/1597491950) by Gadi Evron and Noam Rathaus.

- [Gray Hat Python](https://www.amazon.com/Gray-Hat-Python-Programming-Engineers/dp/1593271921) by Justin Seitz.

- [The Fuzzing Book](https://www.fuzzingbook.org/) by Andreas Zeller, Rahul Gopinath, Marcel Böhme, Gordon Fraser and Christian Holler.


> **Note:** Chapter(s) in the following books are dedicated to fuzzing.

> - [The Shellcoder's Handbook: Discovering and Exploiting Security Holes (Chapter 15)](https://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X) by Chris Anley, Dave Aitel, David Litchfield and others.

> - [iOS Hacker's Handbook - Chapter 1](https://www.amazon.com/iOS-Hackers-Handbook-Charlie-Miller/dp/1118204123) by Charles Miller, Dino Dai Zovi, Dion Blazakis, Ralf-Philipp Weinmann and Stefan Esser.

> - [IDA Pro - The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler](https://www.amazon.com/IDA-Pro-Book-2nd-ebook/dp/B005EI84TM)


## Courses

*Courses/training videos on fuzzing*


### Free

[NYU Poly (see videos for more)](https://vimeo.com/5236104) - Made available freely by Dan Guido.

[Samsclass.info (see the projects section and chapter 17)](https://samsclass.info/127/127_F15.shtml) - by Sam Bowne.

[Modern Binary Exploitation (RPISEC) - Chapter 15](https://github.com/RPISEC/MBE) - by RPISEC.

[Offensive Computer Security - Week 6](https://web.archive.org/web/20200414165953/https://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/lectures.html) - by W. Owen Redwood and Prof. Xiuwen Liu.

### Paid

[Offensive Security, Cracking The Perimeter (CTP) and Advanced Windows Exploitation (AWE)](https://www.offensive-security.com/information-security-training/)

[SANS 660/760 Advanced Exploit Development for Penetration Testers](https://www.sans.org/course/advanced-exploit-development-penetration-testers)

[Exodus Intelligence - Vulnerability development master class](https://blog.exodusintel.com/2016/05/18/exodus-intelligence-2016-training-course/)

[Ada Logics - Applied Source Code Fuzzing](https://adalogics.com/training-source-fuzz)

[FuzzingLabs Academy (C/C++, Rust, Go fuzzing)](https://academy.fuzzinglabs.com/)

[Signal Labs - Vulnerability Research & Fuzzing](https://signal-labs.com/trainings/vulnerability-research-fuzzing/)

## Videos

*Videos on fuzzing techniques, tools and best practices*


### NYU Poly Course videos
[Fuzzing 101 (Part 1)](https://vimeo.com/5236104) - by Mike Zusman.

[Fuzzing 101 (Part 2)](https://vimeo.com/5237484) - by Mike Zusman.

[Fuzzing 101 (2009)](https://vimeo.com/7574602) - by Mike Zusman.

[Fuzzing - Software Security Course on Coursera](https://www.coursera.org/lecture/software-security/fuzzing-VgyOn) - by University of Maryland.

### Conference talks and tutorials

[Attacking Antivirus Software's Kernel Driver](https://github.com/bee13oy/AV_Kernel_Vulns/tree/master/Zer0Con2017)

[Fuzzing the Windows Kernel - OffensiveCon 2020](https://github.com/yoava333/presentations/blob/master/Fuzzing%20the%20Windows%20Kernel%20-%20OffensiveCon%202020.pdf)

[YouTube playlist of various fuzzing talks and presentations](https://www.youtube.com/playlist?list=PLtPrYlwXDImiO_hzK7npBi4eKQQBgygLD) - Lots of good content in these videos.

[Browser bug hunting - Memoirs of a last man standing](https://vimeo.com/109380793) - by Atte Kettunen

[Coverage-based Greybox Fuzzing as Markov Chain](https://www.comp.nus.edu.sg/~mboehme/paper/CCS16.pdf)

[DerbyCon 2016: Fuzzing basics...or how to break software](http://www.irongeek.com/i.php?page=videos/derbycon6/411-fuzzing-basicshow-to-break-software-grid-aka-scott-m)

[Fuzz Theory](https://www.youtube.com/watch?v=5rE8xEg5tXk&list=PLSkhUfcCXvqG6FRTCCxIfoMK6rw3NZvb6) - by Brandon Falk


## Tutorials and Blogs

*Tutorials and blogs which explain the methodology, techniques and best practices of fuzzing*

[ARMored CoreSight: Towards Efficient Binary-only Fuzzing](https://ricercasecurity.blogspot.com/2021/11/armored-coresight-towards-efficient.html)

[Fuzzing Microsoft's RDP Client using Virtual Channels: Overview & Methodology](https://thalium.github.io/blog/posts/fuzzing-microsoft-rdp-client-using-virtual-channels/)

[Fuzzing Closed Source PDF Viewers](https://www.gosecure.net/blog/2019/07/30/fuzzing-closed-source-pdf-viewers/)

[Fuzzing Image Parsing in Windows, Part One: Color Profiles](https://www.mandiant.com/resources/fuzzing-image-parsing-in-windows-color-profiles)

[Fuzzing Image Parsing in Windows, Part Two: Uninitialized Memory](https://www.mandiant.com/resources/fuzzing-image-parsing-in-windows-uninitialized-memory)

[Fuzzing Image Parsing in Windows, Part Three: RAW and HEIF](https://www.mandiant.com/resources/fuzzing-image-parsing-three)

[Fuzzing the Office Ecosystem](https://research.checkpoint.com/2021/fuzzing-the-office-ecosystem/)

[Effective File Format Fuzzing](https://j00ru.vexillium.org/slides/2016/blackhat.pdf) - Mateusz “j00ru” Jurczyk @ Black Hat Europe 2016, London

[A year of Windows kernel font fuzzing Part-1: the results](https://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html) - Excellent article by Google's Project Zero, describing what it takes to do fuzzing and create fuzzers.

[A year of Windows kernel font fuzzing Part-2: the techniques](https://googleprojectzero.blogspot.com/2016/07/a-year-of-windows-kernel-font-fuzzing-2.html) - Second part of the same Project Zero series, covering the techniques used.

[Interesting bugs and resources at fuzzing project](https://blog.fuzzing-project.org/) - by fuzzing-project.org.

[Fuzzing workflows; a fuzz job from start to finish](https://foxglovesecurity.com/2016/03/15/fuzzing-workflows-a-fuzz-job-from-start-to-finish/) - by @BrandonPrry.

[A gentle introduction to fuzzing C++ code with AFL and libFuzzer](http://jefftrull.github.io/c++/clang/llvm/fuzzing/sanitizer/2015/11/27/fuzzing-with-sanitizers.html) - by Jeff Trull.

[A 15 minute introduction to fuzzing](https://web.archive.org/web/20161129095601/https://www.mwrinfosecurity.com/our-thinking/15-minute-guide-to-fuzzing/) - by the folks at MWR Security.

> **Note:** The folks at fuzzing.info have done a great job of collecting some awesome links; I'm not going to duplicate their work. I will add papers they missed and papers from 2015 and 2016.

[Fuzzing Papers](https://fuzzinginfo.wordpress.com/papers/) - by fuzzing.info

[Fuzzing Blogs and Books](https://fuzzinginfo.wordpress.com/resources/) - by fuzzing.info

[Root Cause Analysis of the Crash during Fuzzing](https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/) - by Corelan Team.

[Root cause analysis of integer overflows](https://www.corelan.be/index.php/2013/07/02/root-cause-analysis-integer-overflows/) - by Corelan Team.

[Creating custom peach fuzzer publishers](http://blog.opensecurityresearch.com/2014/01/creating-custom-peach-fuzzer-publishers.html) - by Open Security Research

[7 Things to Consider Before Fuzzing a Large Open Source Project](https://www.linux.com/news/7-things-consider-fuzzing-large-open-source-project/) - by Emily Ratliff.


##### From Fuzzing to Exploit:
[From fuzzing to 0-day](https://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/) - by Harold Rodriguez (@superkojiman).

[From crash to exploit](https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/) - by Corelan Team.

##### Peach Fuzzer related tutorials

[Peach Fuzzer Introduction](https://peachtech.gitlab.io/peach-fuzzer-community/Introduction.html)

[Fuzzing with Peach Part 1](http://www.flinkd.org/fuzzing-with-peach-part-1/) - by Jason Kratzer of the Corelan Team.

[Fuzzing with Peach Part 2](http://www.flinkd.org/fuzzing-with-peach-part-2-fixups-2/) - by Jason Kratzer of the Corelan Team.

[Auto generation of Peach pit files/fuzzers](http://web.archive.org/web/20181003092741/http://doc.netzob.org/en/latest/tutorials/peach.html) - by Frédéric Guihéry and Georges Bossert.

##### AFL Fuzzer related tutorials

[Creating a fuzzing harness for FoxitReader 9.7 ConvertToPDF Function](https://www.signal-labs.com/blog/foxit-97-fuzz)

[50 CVEs in 50 Days: Fuzzing Adobe Reader](https://research.checkpoint.com/2018/50-adobe-cves-in-50-days/)

[Fuzzing sockets, part 1: FTP servers](https://securitylab.github.com/research/fuzzing-sockets-FTP)

[Fuzzing software: common challenges and potential solutions (Part 1)](https://securitylab.github.com/research/fuzzing-challenges-solutions-1)

[Fuzzing software: advanced tricks (Part 2)](https://securitylab.github.com/research/fuzzing-software-2)

[Fuzzing workflows; a fuzz job from start to finish](https://foxglovesecurity.com/2016/03/15/fuzzing-workflows-a-fuzz-job-from-start-to-finish/) - by @BrandonPrry.

[Fuzzing capstone using AFL persistent mode](https://toastedcornflakes.github.io/articles/fuzzing_capstone_with_afl.html) - by @toasted_flakes

[RAM disks and saving your SSD from AFL Fuzzing](http://cipherdyne.org/blog/2014/12/ram-disks-and-saving-your-ssd-from-afl-fuzzing.html)

[Bug Hunting with American Fuzzy Lop](https://josephg.com/blog/bug-hunting-with-american-fuzzy-lop/)

[Advanced usage of American Fuzzy Lop with real world examples](https://volatileminds.net/2015/07/01/advanced-afl-usage.html)

[Segfaulting Python with afl-fuzz](https://tomforb.es/segfaulting-python-with-afl-fuzz)

[Fuzzing With AFL-Fuzz, a Practical Example (AFL vs Binutils)](https://www.evilsocket.net/2015/04/30/Fuzzing-with-AFL-Fuzz-a-Practical-Example-AFL-vs-binutils/)

[The Importance of Fuzzing...Emulators?](https://mgba.io/2016/09/13/fuzzing-emulators/)

[How Heartbleed could've been found](https://blog.hboeck.de/archives/868-How-Heartbleed-couldve-been-found.html)

[Filesystem Fuzzing with American Fuzzy Lop](https://events.static.linuxfound.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf)

[Fuzzing Perl/XS modules with AFL](https://medium.com/@dgryski/fuzzing-perl-xs-modules-with-afl-4bfc2335dd90)

[How to fuzz a server with American Fuzzy Lop](https://www.fastly.com/blog/how-fuzz-server-american-fuzzy-lop) - by Jonathan Foote

[Fuzzing with AFL Workshop - a set of challenges on real vulnerabilities](https://github.com/ThalesIgnite/afl-training)

[Fuzzing 101 - PHDays](https://github.com/RootUp/PHDays9)

##### libFuzzer Fuzzer related tutorials

[libFuzzer Tutorial](https://github.com/google/fuzzing/blob/master/tutorial/libFuzzerTutorial.md)

[Hunting for bugs in VirtualBox (First Take)](http://blog.paulch.ru/2020-07-26-hunting-for-bugs-in-virtualbox-first-take.html)

[libFuzzer Workshop: "Modern fuzzing of C/C++ Projects"](https://github.com/Dor1s/libfuzzer-workshop)

##### honggfuzz related tutorials

[Fuzzing ImageIO](https://googleprojectzero.blogspot.com/2020/04/fuzzing-imageio.html)

[Double-Free RCE in VLC. A honggfuzz how-to](https://www.pentestpartners.com/security-blog/double-free-rce-in-vlc-a-honggfuzz-how-to/)

##### Spike Fuzzer related tutorials

[Fuzzing with Spike to find overflows](https://null-byte.wonderhowto.com/how-to/hack-like-pro-build-your-own-exploits-part-3-fuzzing-with-spike-find-overflows-0162789/)

[Fuzzing with Spike](https://samsclass.info/127/proj/p18-spike.htm) - by samsclass.info


##### FOE Fuzzer related tutorials

[Fuzzing with FOE](https://samsclass.info/127/proj/p16-fuzz.htm) - by samsclass.info


##### SMT/SAT solver tutorials

[Z3 - A guide](https://www.philipzucker.com/z3-rise4fun/guide.html) - Getting Started with Z3: A Guide

##### Building a Feedback Fuzzer (for educational purposes)

[Building A Feedback Fuzzer](https://blog.fadyothman.com/tag/myfuzzer/) - by @fady_othman

## Tools

*Tools which help in fuzzing applications*

### Cloud Fuzzers

*Fuzzers which help with fuzzing in cloud environments.*

[Cloudfuzzer](https://github.com/ouspg/cloudfuzzer) - Cloud fuzzing framework which makes it possible to easily run automated fuzz-testing in cloud environments.

[ClusterFuzz](https://google.github.io/clusterfuzz/) - Scalable open source fuzzing infrastructure; used by Google to fuzz the Chrome browser.

[Fuzzit](https://fuzzit.dev) - Continuous fuzzing as a service platform. Free for open source; used by various open-source projects (systemd, radare2) and closed-source projects. To join the OSS program, drop a line at oss@fuzzit.dev

### File Format Fuzzers

*Fuzzers which help in fuzzing file formats like PDF, MP3, SWF etc.*

[Jackalope](https://github.com/googleprojectzero/Jackalope) - Binary, coverage-guided fuzzer for Windows and macOS by Google Project Zero.

[Rehepapp](https://github.com/FoxHex0ne/Rehepapp)

[Newer version of Rehepapp](https://github.com/FoxHex0ne/Rehepapp)

[pe-afl combines static binary instrumentation on PE binary and WinAFL](https://github.com/wmliang/pe-afl)

[MiniFuzz - Wayback Machine link](https://web.archive.org/web/20140512203517/http://download.microsoft.com/download/D/6/E/D6EDC908-A1D7-4790-AB0B-66A8B35CD931/MiniFuzzSetup.msi) - Basic file format fuzzing tool by Microsoft. (No longer available on the Microsoft website.)

[BFF from CERT](https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=507974) - Basic Fuzzing Framework for file formats.

[AFL Fuzzer](http://lcamtuf.coredump.cx/afl/) - American Fuzzy Lop fuzzer by Michal Zalewski aka lcamtuf (Linux and other Unix-like systems).

[WinAFL](https://github.com/googleprojectzero/winafl) - A fork of AFL for fuzzing Windows binaries.

[Shellphish Fuzzer](https://github.com/shellphish/fuzzer) - A Python interface to AFL, allowing for easy injection of testcases and other functionality.

[TriforceAFL](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/project-triforce-run-afl-on-everything/) - A modified version of AFL that supports fuzzing applications whose source code is not available, by running them under QEMU full-system emulation.

[AFLGo](https://github.com/aflgo/aflgo) - Directed Greybox Fuzzing with AFL, to fuzz targeted locations of a program.

[Peach Fuzzer](https://sourceforge.net/projects/peachfuzz/) - Framework which helps to create custom dumb and smart fuzzers.

[MozPeach](https://github.com/MozillaSecurity/peach) - A fork of Peach 2.7 by Mozilla Security.

[Failure Observation Engine (FOE)](https://vuls.cert.org/confluence/display/tools/CERT+FOE+-+Failure+Observation+Engine) - Mutational file-based fuzz testing tool for Windows applications.

[rmadair](http://rmadair.github.io/fuzzer/) - Mutation-based file fuzzer that uses PyDBG to monitor for signals of interest.

[honggfuzz](https://github.com/google/honggfuzz) - A general-purpose, easy-to-use fuzzer with interesting analysis options. Supports feedback-driven fuzzing based on code coverage. Supports GNU/Linux, FreeBSD, macOS and Android.

[zzuf](https://github.com/samhocevar/zzuf) - A transparent application input fuzzer. It works by intercepting file operations and changing random bits in the program's input.

[radamsa](https://github.com/aoh/radamsa) - A general purpose fuzzer and test case generator.

[binspector](https://github.com/binspector/binspector) - A binary format analysis and fuzzing tool.

[grammarinator](https://github.com/renatahodovan/grammarinator) - Fuzzing tool for file formats based on ANTLR v4 grammars (lots of grammars already available from the ANTLR project).

[Sloth](https://github.com/ant4g0nist/sloth) - Sloth 🦥 is a coverage guided fuzzing framework for fuzzing Android native libraries that makes use of libFuzzer and QEMU user-mode emulation.

[ManuFuzzer](https://github.com/ant4g0nist/ManuFuzzer) - Binary code-coverage fuzzer for macOS, based on libFuzzer and LLVM.


### Network Protocol Fuzzers

*Fuzzers which help in fuzzing applications which use network-based protocols like HTTP, SSH, SMTP etc.*

[Peach Fuzzer](https://sourceforge.net/projects/peachfuzz/) - Framework which helps to create custom dumb and smart fuzzers.

[Sulley](https://github.com/OpenRCE/sulley) - A fuzzer development and fuzz testing framework consisting of multiple extensible components, by Pedram Amini.

[boofuzz](https://github.com/jtpereyda/boofuzz) - A fork and successor of the Sulley framework.

[Spike](http://www.immunitysec.com/downloads/SPIKE2.9.tgz) - A fuzzer development framework similar to Sulley, and its predecessor.

[Metasploit Framework](https://github.com/rapid7/metasploit-framework) - A framework which contains some fuzzing capabilities via auxiliary modules.

[Nightmare](https://github.com/joxeankoret/nightmare) - A distributed fuzzing testing suite with web administration; supports fuzzing using network protocols.

[rage_fuzzer](https://github.com/deanjerkovich/rage_fuzzer) - A dumb protocol-unaware packet fuzzer/replayer.

[Fuzzotron](https://github.com/denandz/fuzzotron) - A simple network fuzzer supporting TCP, UDP and multithreading.

[Mutiny](https://github.com/Cisco-Talos/mutiny-fuzzer) - The Mutiny Fuzzing Framework is a network fuzzer that operates by replaying PCAPs through a mutational fuzzer.

[Fuzzing For Worms](https://github.com/dobin/ffw) - A fuzzing framework for network servers.

[AFL (w/ networking patch)](https://github.com/jdbirdwell/afl) - An unofficial American Fuzzy Lop capable of network fuzzing.

[AFLNet](https://github.com/aflnet/aflnet) - A greybox fuzzer for network protocols (an extension of AFL).

[Pulsar](https://github.com/hgascon/pulsar) - Protocol Learning, Simulation and Stateful Fuzzer.

### Browser Fuzzing

[BFuzz](https://github.com/RootUp/BFuzz) - An input-based browser fuzzing framework.

[Fuzzinator](https://github.com/renatahodovan/fuzzinator) - Fuzzinator Random Testing Framework.

[Grizzly](https://github.com/MozillaSecurity/grizzly) - A cross-platform browser fuzzing framework.


### Misc
*Other notable fuzzers: kernel fuzzers, general purpose fuzzers etc.*

[Choronzon](https://github.com/CENSUS/choronzon) - An evolutionary knowledge-based fuzzer.

[QuickFuzz](https://github.com/CIFASIS/QuickFuzz) - A tool written in Haskell designed for testing unexpected inputs of common file formats on third-party software, taking advantage of off-the-shelf, well-known fuzzers.

[gramfuzz](https://github.com/d0c-s4vage/gramfuzz) - A grammar-based fuzzer that lets one define complex grammars to model text and binary data formats.

[KernelFuzzer](https://github.com/mwrlabs/KernelFuzzer) - Cross-platform kernel fuzzer framework.

[honggfuzz](http://honggfuzz.com/) - A general-purpose, easy-to-use fuzzer with interesting analysis options.

[Hodor Fuzzer](https://github.com/nccgroup/hodor) - Yet another general purpose fuzzer.

[libFuzzer](http://llvm.org/docs/LibFuzzer.html) - In-process, coverage-guided, evolutionary fuzzing engine for targets written in C/C++.

[syzkaller](https://github.com/google/syzkaller) - Distributed, unsupervised, coverage-guided Linux syscall fuzzer.

[ansvif](https://oxagast.github.io/ansvif/) - An advanced cross-platform fuzzing framework designed to find vulnerabilities in C/C++ code.

[Tribble](https://github.com/SatelliteApplicationsCatapult/tribble) - Easy-to-use, coverage-guided JVM fuzzing framework.

[go-fuzz](https://github.com/dvyukov/go-fuzz) - Coverage-guided testing of Go packages.

[FExM](https://github.com/fgsect/fexm) - Automated large-scale fuzzing framework.

[Jazzer](https://github.com/CodeIntelligenceTesting/jazzer) - A coverage-guided, in-process fuzzer for the Java Virtual Machine based on libFuzzer.

[cifuzz](https://github.com/CodeIntelligenceTesting/cifuzz) - A command line tool for executing coverage-guided fuzz tests in multiple languages and targets.

[WebGL Fuzzer](https://github.com/ant4g0nist/webgl-fuzzer) - WebGL fuzzer.

[fast-check](https://fast-check.dev/) - A property-based testing framework written in TypeScript that generates unexpected inputs to run against JavaScript code.

### Taint Analysis
*Tools that track how user input affects execution*

[PANDA (Platform for Architecture-Neutral Dynamic Analysis)](https://github.com/moyix/panda)

[QIRA (QEMU Interactive Runtime Analyser)](http://qira.me/)

[kfetch-toolkit](https://github.com/j00ru/kfetch-toolkit) - Tool to perform advanced logging of memory references performed by operating systems' kernels.

[moflow](https://github.com/vrtadmin/moflow) - A software security framework containing tools for vulnerability discovery and triage.

### Symbolic Execution SAT and SMT Solvers

[Z3](https://github.com/Z3Prover/z3) - A theorem prover from Microsoft Research.

[SMT-LIB](http://smtlib.cs.uiowa.edu/) - An international initiative aimed at facilitating research and development in Satisfiability Modulo Theories (SMT).

[Symbolic execution with KLEE: From installation and introduction to bug-finding in open source software](https://adalogics.com/blog/symbolic-execution-with-klee) - A set of four instructional videos introducing KLEE, starting with how to get started with KLEE and ending with a demo that finds memory corruption bugs in real code.
402 | 403 | ### References 404 | 405 | I haven't included some of the legends like AxMan, please refer the following link for more information. 406 | https://www.ee.oulu.fi/research/ouspg/Fuzzers 407 | 408 | 409 | ### Essential Tools 410 | 411 | *Tools of the trade for exploit developers, reverse engineers* 412 | 413 | 414 | #### Debuggers 415 | 416 | 417 | [Windbg](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools) - The preferred debugger by exploit writers. 418 | 419 | [Immunity Debugger](http://debugger.immunityinc.com) - Immunity Debugger by Immunity Sec. 420 | 421 | [OllyDbg ](http://www.ollydbg.de/) - The debugger of choice by reverse engineers and exploit writers alike. 422 | 423 | [Mona.py ( Plugin for windbg and Immunity dbg )](https://github.com/corelan/mona/) - Awesome tools that makes life easy for exploit developers. 424 | 425 | [x64dbg](https://github.com/x64dbg/) - An open-source x64/x32 debugger for windows. 426 | 427 | [Evan's Debugger (EDB)](http://codef00.com/projects#debugger) - Front end for gdb. 428 | 429 | [GDB - Gnu Debugger](http://www.sourceware.org/gdb/) - The favorite linux debugger. 430 | 431 | [PEDA](https://github.com/longld/peda) - Python Exploit Development Assistance for GDB. 432 | 433 | [Radare2](http://www.radare.org/r/) - Framework for reverse-engineering and analyzing binaries. 434 | 435 | 436 | #### Disassemblers and some more 437 | 438 | *Dissemblers, disassembly frameworks etc.,* 439 | 440 | 441 | [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml) - The best disassembler 442 | 443 | [binnavi](https://github.com/google/binnavi) - Binary analysis IDE, annotates control flow graphs and call graphs of disassembled code. 444 | 445 | [Capstone](https://github.com/aquynh/capstone) - Capstone is a lightweight multi-platform, multi-architecture disassembly framework. 
446 | 447 | 448 | #### Others 449 | 450 | [ltrace](http://ltrace.org/) - Intercepts library calls 451 | 452 | [strace](https://sourceforge.net/projects/strace/) - Intercepts system calls 453 | 454 | 455 | ## Vulnerable Applications 456 | 457 | Exploit-DB - https://www.exploit-db.com 458 | (search and pick the exploits, which have respective apps available for download, reproduce the exploit by using fuzzer of your choice) 459 | 460 | PacketStorm - https://packetstormsecurity.com/files/tags/exploit/ 461 | 462 | [Fuzzgoat](https://github.com/fuzzstati0n/fuzzgoat) - Vulnerable C program for testing fuzzers. 463 | 464 | [vulnserver](https://github.com/stephenbradshaw/vulnserver) - A vulnerable server for testing fuzzers. 465 | 466 | 467 | ##### Samples files for seeding during fuzzing: 468 | 469 | https://files.fuzzing-project.org/ 470 | 471 | [PDF Test Corpus from Mozilla](https://github.com/mozilla/pdf.js/tree/master/test/pdfs) 472 | 473 | [MS Office file format documentation](https://www.microsoft.com/en-us/download/details.aspx?id=14565) 474 | 475 | [Fuzzer Test Suite](https://github.com/google/fuzzer-test-suite) - Set of tests for fuzzing engines. Includes different well-known bugs such as Heartbleed, c-ares $100K bug and others. 476 | 477 | [Fuzzing Corpus](https://github.com/strongcourage/fuzzing-corpus) - A corpus, including various file formats for fuzzing multiple targets in the fuzzing literature. 
478 | 479 | ## Anti Fuzzing 480 | 481 | [Introduction to Anti-Fuzzing: A Defence In-Depth Aid](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2014/january/introduction-to-anti-fuzzing-a-defence-in-depth-aid/) 482 | 483 | [Fuzzification: Anti-Fuzzing Techniques](https://www.usenix.org/conference/usenixsecurity19/presentation/jung) 484 | 485 | [AntiFuzz: Impeding Fuzzing Audits of Binary Executables](https://www.usenix.org/conference/usenixsecurity19/presentation/guler) 486 | 487 | ## Directed Fuzzing 488 | 489 | [Awesome Directed Fuzzing](https://github.com/strongcourage/awesome-directed-fuzzing): A curated list of awesome directed fuzzing research papers. 490 | 491 | ## Contributing 492 | 493 | [Please refer the guidelines at contributing.md for details](Contributing.md). 494 | 495 | Thanks to the following folks who made contributions to this project. 496 | + [Tim Strazzere](https://twitter.com/timstrazz) 497 | + [jksecurity](https://github.com/jksecurity) 498 | + [and these awesome people](https://github.com/secfigo/Awesome-Fuzzing/graphs/contributors) 499 | -------------------------------------------------------------------------------- /README_ch.md: -------------------------------------------------------------------------------- 1 | Fuzzing 大合集 [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome) 2 | =================== 3 | 4 | 这是一个在学习 fuzzing 的最初阶段最好的有关 fuzzing 的资源合集(书籍、课程、视频、教程等等) 5 | 6 | ### Table of Contents 7 | - [书籍](#书籍) 8 | - [课程](#课程) 9 | + [免费](#免费) 10 | + [付费](#付费) 11 | - [视频](#videos) 12 | + [NYU Poly Course videos](#nyu-poly-videos) 13 | + [Conference talks/tutorials on Fuzzing](#conf-talks-tutorials) 14 | - [教程](#教程) 15 | - [工具](#工具) 16 | + [云 Fuzzer](#cloud-fuzzers) 17 | + [文件格式 Fuzzer](#文件格式Fuzzer) 18 | + [网络协议 Fuzzer](#网络协议Fuzzer) 19 | + [浏览器 Fuzzer](#浏览器Fuzzer) 20 | + [污点分析](#taint-analysis) 21 | + [符号执行 + 
SAT/SMT求解器](#符号执行) 22 | + [基本工具(通用)](#基本工具(通用)) 23 | - [存在漏洞的应用程序](#存在漏洞的应用程序) 24 | - [反Fuzzing](#反Fuzzing) 25 | - [导向性Fuzzing](#导向性Fuzzing) 26 | - [贡献](#贡献) 27 | 28 | Awesome Fuzzing Resources 29 | ------------- 30 | 31 | 32 | ## 书籍 33 | 34 | *关于 fuzzing 的书籍* 35 | 36 | + [Fuzzing: Brute Force Vulnerability Discovery](https://www.amazon.com/Fuzzing-Brute-Force-Vulnerability-Discovery/dp/0321446119) 作者: Michael Sutton, Adam Greene, Pedram Amini 37 | 38 | + [Fuzzing for Software Security Testing and Quality Assurance ](https://www.amazon.com/Fuzzing-Software-Security-Assurance-Information/dp/1596932147) 作者: Ari Takanen, Charles Miller, Jared D Demott 39 | 40 | + [Open Source Fuzzing Tools](https://www.amazon.com/Open-Source-Fuzzing-Tools-Rathaus/dp/1597491950) 作者: Gadi Evron, Noam Rathaus 41 | 42 | + [Gray Hat Python](https://www.amazon.com/Gray-Hat-Python-Programming-Engineers/dp/1593271921) 作者: Justin Seitz 43 | 44 | + [The Fuzzing Book](https://www.fuzzingbook.org/) 作者: Andreas Zeller, Rahul Gopinath, Marcel Böhme, Gordon Fraser, Christian Holler. 
45 | 46 | 47 | > **Note:** 下列书籍中的部分章节也描述了 fuzzing 48 | 49 | > - [The Shellcoder's Handbook: Discovering and Exploiting Security Holes ( Chapter 15 )](https://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X) 作者 Chris Anley, Dave Aitel, David Litchfield 等 50 | 51 | > - [iOS Hacker's Handbook - Chapter 1](https://www.amazon.com/iOS-Hackers-Handbook-Charlie-Miller/dp/1118204123) 作者: Charles Miller, Dino DaiZovi, Dion Blazakis, Ralf-Philip Weinmann, and Stefan Esser 52 | 53 | > - [IDA Pro - The IDA Pro Book: 世界上最流行的反汇编工具的非官方指导书](https://www.amazon.com/IDA-Pro-Book-2nd-ebook/dp/B005EI84TM) 54 | 55 | 56 | 57 | ## 课程 58 | 59 | *与 fuzzing 有关的课程/培训* 60 | 61 | 62 | 63 | ### 免费 64 | 65 | [NYU Poly ( see videos for more )](https://vimeo.com/5236104 ) - Dan Guido 出品的免费指导 66 | 67 | [Samclass.info ( check projects section and chapter 17 ) ](https://samsclass.info/127/127_F15.shtml) - Sam 出品 68 | 69 | [Modern Binary Exploitation ( RPISEC ) - Chapter 15 ](https://github.com/RPISEC/MBE) - RPISEC 出品 70 | 71 | [Offensive Computer Security - Week 6](http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/lectures.html) - W. Owen Redwood 和 Prof. 
Xiuwen Liu 出品 72 | 73 | 74 | 75 | ### 付费 76 | 77 | [Offensive Security, Cracking The Perimeter ( CTP ) and Advanced Windows Exploitation ( AWE )](https://www.offensive-security.com/information-security-training/) 78 | 79 | [SANS 660/760 Advanced Exploit Development for Penetration Testers](https://www.sans.org/course/advanced-exploit-development-penetration-testers) 80 | 81 | [Exodus Intelligence - 漏洞挖掘大师级课程](https://blog.exodusintel.com/2016/05/18/exodus-intelligence-2016-training-course/) 82 | 83 | 84 | 85 | ## 视频 86 | 87 | *讨论 fuzzing 技术、工具、最佳实践的视频* 88 | 89 | 90 | ### NYU Poly Course videos (from Dan Guido) 91 | 92 | [Fuzzing 101 (Part 1)](https://vimeo.com/5236104) - Mike Zusman 出品 93 | 94 | [Fuzzing 101 (Part 2)](https://vimeo.com/5237484) - Mike Zusman 出品 95 | 96 | [Fuzzing 101 (2009)](https://vimeo.com/7574602) - Mike Zusman 出品 97 | 98 | [Fuzzing - Software Security Course on Coursera](https://www.coursera.org/lecture/software-security/fuzzing-VgyOn) - 马里兰大学出品 99 | 100 | 101 | 102 | ### 关于 Fuzzing 的会议讨论/教程 103 | 104 | [攻击反病毒软件的内核驱动](https://github.com/bee13oy/AV_Kernel_Vulns/tree/master/Zer0Con2017) 105 | 106 | [Fuzzing Windows 内核 - OffensiveCon 2020](https://github.com/yoava333/presentations/blob/master/Fuzzing%20the%20Windows%20Kernel%20-%20OffensiveCon%202020.pdf) 107 | 108 | [Youtube 上关于 Fuzzing 演讲的内容](https://www.youtube.com/playlist?list=PLtPrYlwXDImiO_hzK7npBi4eKQQBgygLD) - 列表内有许多优质内容 109 | 110 | [浏览器漏洞狩猎](https://vimeo.com/109380793) - Atte Kettunen 出品 111 | 112 | [应用马尔科夫链、基于覆盖度的灰盒 Fuzzing](https://www.comp.nus.edu.sg/~mboehme/paper/CCS16.pdf) 113 | 114 | [DerbyCon 2016: Fuzzing 如何击溃软件](http://www.irongeek.com/i.php?page=videos/derbycon6/411-fuzzing-basicshow-to-break-software-grid-aka-scott-m) 115 | 116 | [Fuzz Theory](https://www.youtube.com/watch?v=5rE8xEg5tXk&list=PLSkhUfcCXvqG6FRTCCxIfoMK6rw3NZvb6) 117 | 118 | 119 | 120 | ## 教程与博客 121 | 122 | *解释 fuzzing 方法、技术与最佳实践的教程与博客* 123 | 124 | [Fuzzing Closed Source PDF 
Viewers](https://www.gosecure.net/blog/2019/07/30/fuzzing-closed-source-pdf-viewers/) 125 | 126 | [Effective File Format Fuzzing](https://j00ru.vexillium.org/slides/2016/blackhat.pdf) - Mateusz “j00ru” Jurczyk @ Black Hat Europe 2016, London 127 | 128 | [A year of Windows kernel font fuzzing Part-1 the results](https://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html) - Google Zero 项目的最佳论文,描述了如何进行 fuzzing 以及如何构建一个 fuzzer 129 | 130 | [A year of Windows kernel font fuzzing Part-2 the techniques](https://googleprojectzero.blogspot.com/2016/07/a-year-of-windows-kernel-font-fuzzing-2.html) - Google Zero 项目的最佳论文,描述了如何进行 fuzzing 以及如何构建一个 fuzzer 131 | 132 | [Interesting bugs and resources at fuzzing project](https://blog.fuzzing-project.org/) - fuzzing-project.org 出品 133 | 134 | [Fuzzing workflows; a fuzz job from start to finish](https://foxglovesecurity.com/2016/03/15/fuzzing-workflows-a-fuzz-job-from-start-to-finish/) - @BrandonPrry 出品 135 | 136 | [A gentle introduction to fuzzing C++ code with AFL and libFuzzer](http://jefftrull.github.io/c++/clang/llvm/fuzzing/sanitizers/2015/11/27/fuzzing-with-sanitizers.html) - Jeff Trull 出品 137 | 138 | [15 分钟介绍 fuzzing](https://www.mwrinfosecurity.com/our-thinking/15-minute-guide-to-fuzzing/) - MWR Security 出品 139 | 140 | > **Note:** Folks at fuzzing.info 收集了很多非常有用的链接,我没有重复他们的工作,我只是整理了 2015 年到 2016 年间他们没有收录的文章 141 | [Fuzzing Papers](https://fuzzing.info/papers/) - fuzzing.info 出品 142 | 143 | [Fuzzing 博客](https://fuzzing.info/resources/) - fuzzing.info 出品 144 | 145 | [Root Cause Analysis of the Crash during Fuzzing](https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/) - Corelan Team 出品 146 | [Root cause analysis of integer flow](https://www.corelan.be/index.php/2013/07/02/root-cause-analysis-integer-overflows/) - Corelan Team 出品 147 | 148 | [Creating custom peach fuzzer 
publishers](http://blog.opensecurityresearch.com/2014/01/creating-custom-peach-fuzzer-publishers.html) - Open Security Research 出品 149 | 150 | [在 Fuzzing 大型开源项目前要考虑的 7 件事](https://www.linuxfoundation.org/blog/2016/02/7-things-to-consider-before-fuzzing-a-large-open-source-project/) - Emily Ratliff 151 | 152 | ##### 从 Fuzzing 到 Exploit 153 | 154 | [从 fuzzing 到 0-day](https://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/) - Harold Rodriguez(@superkojiman) 出品 155 | 156 | [从 crash 到 exploit](https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/) - Corelan Team 出品 157 | 158 | ##### Peach Fuzzer 相关教程 159 | 160 | [Peach 上手指南](http://community.peachfuzzer.com/v2/PeachQuickstart.html) 161 | [使用 Peach 进行 Fuzzing Part 1](http://www.flinkd.org/2011/07/fuzzing-with-peach-part-1/) - Jason Kratzer of corelan team 出品 162 | [使用 Peach 进行 Fuzzing Part 2](http://www.flinkd.org/2011/11/fuzzing-with-peach-part-2-fixups-2/) - Jason Kratzer of corelan team 出品 163 | [Peach pit 文件的自动生成](http://doc.netzob.org/en/latest/tutorials/peach.html) - Frédéric Guihéry, Georges Bossert 出品 164 | 165 | ##### AFL Fuzzer 相关教程 166 | 167 | [Creating a fuzzing harness for FoxitReader 9.7 ConvertToPDF Function](https://christopher-vella.com/2020/02/28/creating-a-fuzzing-harness-for-foxitreader-9-7-converttopdf-function/) 168 | 169 | [通过 Fuzzing Adobe Reader 在 50 天获得 50 个 CVE](https://research.checkpoint.com/2018/50-adobe-cves-in-50-days/) 170 | 171 | [Fuzzing sockets 第一部分:FTP servers](https://securitylab.github.com/research/fuzzing-sockets-FTP) 172 | 173 | [Fuzzing software 第一部分:常见挑战与解决方案](https://securitylab.github.com/research/fuzzing-challenges-solutions-1) 174 | 175 | [Fuzzing software 第二部分:高级技巧](https://securitylab.github.com/research/fuzzing-software-2) 176 | 177 | [Fuzzing 工作流程,包含 fuzz 的始末](https://foxglovesecurity.com/2016/03/15/fuzzing-workflows-a-fuzz-job-from-start-to-finish/) - @BrandonPrry 出品 178 | 179 | [使用 AFL persistent 模式对 capstone 进行 
Fuzzing](https://toastedcornflakes.github.io/articles/fuzzing_capstone_with_afl.html) - @toasted_flakes 出品 180 | 181 | [RAM disks and saving your SSD from AFL Fuzzing](http://cipherdyne.org/blog/2014/12/ram-disks-and-saving-your-ssd-from-afl-fuzzing.html) 182 | 183 | [使用 AFL 进行 Bug 挖掘](https://josephg.com/blog/bug-hunting-with-american-fuzzy-lop/) 184 | 185 | [AFL 在真实示例中的高级用法](https://volatileminds.net/2015/07/01/advanced-afl-usage.html) 186 | 187 | [Segfaulting Python with afl-fuzz](https://tomforb.es/segfaulting-python-with-afl-fuzz) 188 | 189 | [使用 AFL-Fuzz 进行 Fuzzing 的实例( AFL vs Binutils )](https://www.evilsocket.net/2015/04/30/fuzzing-with-afl-fuzz-a-practical-example-afl-vs-binutils/) 190 | 191 | [Fuzzing 模拟器的重要性](https://mgba.io/2016/09/13/fuzzing-emulators/) 192 | 193 | [心脏滴血漏洞是如何被发现的](https://blog.hboeck.de/archives/868-How-Heartbleed-couldve-been-found.html) 194 | 195 | [用 AFL 进行文件系统 Fuzzing](https://events.static.linuxfound.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf) 196 | 197 | [使用 AFL 对 Perl/XS 进行模糊测试](https://medium.com/@dgryski/fuzzing-perl-xs-modules-with-afl-4bfc2335dd90) 198 | 199 | [如何使用 AFL 对服务器进行模糊测试](https://www.fastly.com/blog/how-fuzz-server-american-fuzzy-lop) - by Jonathan Foote 200 | 201 | [一系列真实漏洞的挑战:使用 AFL 完成模糊测试](https://github.com/ThalesIgnite/afl-training) 202 | 203 | [Fuzzing 101 - PHDays](https://github.com/RootUp/PHDays9) 204 | 205 | ##### libFuzzer 相关教程 206 | 207 | [libFuzzer 教程](https://github.com/google/fuzzer-test-suite/blob/master/tutorial/libFuzzerTutorial.md) 208 | 209 | [狩猎 VirtualBox 的漏洞](http://blog.paulch.ru/2020-07-26-hunting-for-bugs-in-virtualbox-first-take.html) 210 | 211 | [如何使用 libFuzzer 对现代 C/C++ 项目进行模糊测试](https://github.com/Dor1s/libfuzzer-workshop) 212 | 213 | ##### honggfuzz 相关教程 214 | 215 | [如何使用 honggfuzz 发现 VLC 中的 Double-Free RCE 漏洞](https://www.pentestpartners.com/security-blog/double-free-rce-in-vlc-a-honggfuzz-how-to/) 216 | 217 | ##### Spike Fuzzer 相关教程 218 | 219 | 
[使用 Spike 发现溢出漏洞](https://null-byte.wonderhowto.com/how-to/hack-like-pro-build-your-own-exploits-part-3-fuzzing-with-spike-find-overflows-0162789/) 220 | 221 | [使用 Spike 进行模糊测试](https://samsclass.info/127/proj/p18-spike.htm) - Samclass.info 出品 222 | 223 | ##### FOE Fuzzer 相关教程 224 | 225 | [Fuzzing with FOE](https://samsclass.info/127/proj/p16-fuzz.htm) - Samclass.info 出品 226 | 227 | 228 | ##### SMT/SAT 求解器教程 229 | 230 | [Z3 - A guide](https://rise4fun.com/z3/tutorial/guide) - Z3 快速上手指南 231 | 232 | ##### 构建一个反馈驱动的 Fuzzer 233 | 234 | [如何构建一个反馈驱动的 Fuzzer](https://blog.fadyothman.com/tag/myfuzzer/) - by @fady_othman 235 | 236 | 237 | 238 | ## 工具 239 | 240 | *那些在 fuzzing 中能帮上忙的工具* 241 | 242 | 243 | ### 云 Fuzzer 244 | 245 | *可以在云环境中进行模糊测试的模糊测试工具* 246 | 247 | [Cloudfuzzer](https://github.com/ouspg/cloudfuzzer) - 在云环境中自动、便易地进行云 Fuzzing 的框架 248 | 249 | [Fuzzit](https://fuzzit.dev) - Fuzzit 是一个 Fuzzing 即服务的平台,被 systemd, radare2 等多个开源\闭源项目使用,想加入请联系 oss@fuzzit.dev 250 | 251 | ### 文件格式 Fuzzer 252 | 253 | *那些帮助对像 pdf, mp3, swf 等文件格式进行 fuzzing 的 Fuzzers* 254 | 255 | [Rehepapp](https://github.com/FoxHex0ne/Rehepapp) 256 | 257 | [Newer version of Rehepapp](https://github.com/FoxHex0ne/Rehepapp) 258 | 259 | [针对 PE 文件进行静态二进制插桩辅助、结合 WinAFL 的 Fuzzer](https://github.com/wmliang/pe-afl) 260 | 261 | [MiniFuzz](https://www.microsoft.com/en-sg/download/details.aspx?id=21769) - Microsoft 出品的基础文件格式 fuzzing 工具 262 | 263 | [BFF from CERT](https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=507974) - 基础文件格式 fuzzing 框架 264 | 265 | [AFL Fuzzer (Linux only)]( http://lcamtuf.coredump.cx/afl/) - Michal Zalewski aka lcamtuf 开发的 Fuzzer 266 | 267 | [Win AFL](https://github.com/ivanfratric/winafl) - Ivan Fratic 开发的针对 Windows 二进制程序 fuzzing 的 AFL 分支版本 268 | 269 | [Shellphish Fuzzer](https://github.com/shellphish/fuzzer) - 一个操纵 AFL 的 Python 接口,可以简单的写入测试用例与其他功能 270 | 271 | 
[TriforceAFL](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/project-triforce-run-afl-on-everything/) - 一个 AFL 的修正版,支持应用源码无法获得情况下的 fuzzing 272 | 273 | [AFLGo](https://github.com/aflgo/aflgo) - 基于 AFL 构建的导向性灰盒 Fuzzing,针对程序特定位置进行模糊测试 274 | 275 | [Peach Fuzzer](https://sourceforge.net/projects/peachfuzz/) - 帮助创建传统 dumb 以及小型 fuzzer 的框架 276 | 277 | [MozPeach](https://github.com/MozillaSecurity/peac://github.com/MozillaSecurity/peach) - 由 Mozilla Security 开发基于 peach 2.7 版本的分支版本 278 | 279 | [Failure Observation Engine (FOE)](https://vuls.cert.org/confluence/display/tools/CERT+FOE+-+Failure+Observation+Engine) - 基于畸形文件的 Windows 程序 Fuzzing 工具 280 | 281 | [rmadair](http://rmadair.github.io/fuzzer/) - 基于畸形文件的 fuzzer,使用 PyDBG 来监视感兴趣的信号 282 | 283 | [honggfuzz](http://honggfuzz.com/) - 支持反馈驱动、基于代码覆盖率的通用、易用型 Fuzzer 284 | 285 | [zzuf](https://github.com/samhocevar/zzuf) - 一个透明应用输入 fuzzer,可以拦截文件操作、改变程序输入的随机位 286 | 287 | [radamsa](https://github.com/aoh/radamsa) - 通用的 fuzzer,测试用例生成器 288 | 289 | [binspector](https://github.com/binspector/binspector) - 二进制格式分析与模糊测试工具 290 | 291 | [grammarinator](https://github.com/renatahodovan/grammarinator) - 基于 ANTLR v4 语法的文件格式模糊测试工具(ANTLR 项目已有大量的语法) 292 | 293 | 294 | 295 | ### 网络协议 Fuzzer 296 | 297 | *那些帮助对像 HTTP, SSH, SMTP 等网络协议进行 fuzzing 的 Fuzzer* 298 | 299 | [Peach Fuzzer](https://sourceforge.net/projects/peachfuzz/) - 帮助创建传统 dumb 以及小型 fuzzer 的框架 300 | 301 | [Sulley](https://github.com/OpenRCE/sulley) - Michael Sutton 开发,包含多个可扩展组件的 Fuzzer 开发与 Fuzzing 测试框架 302 | 303 | [boofuzz](https://github.com/jtpereyda/boofuzz) - Sulley 框架的继任者 304 | 305 | [Spike](http://www.immunitysec.com/downloads/SPIKE2.9.tgz) - 像 sulley 的 fuzzer 开发框架,是 sulley 的前身 306 | 307 | [Metasploit Framework](https://github.com/rapid7/metasploit-framework) - 通过 Auxiliary 模块使其具有了 fuzzing 能力的框架 308 | 309 | [Nightmare](https://github.com/joxeankoret/nightmare) - 一个带有 Web 管理界面的分布式 fuzzing 测试套件,支持对网络协议进行 fuzzing 310 | 311 | 
[rage_fuzzer](https://github.com/deanjerkovich/rage_fuzzer) - 未知协议包 fuzzer 312 | 313 | [Fuzzotron](https://github.com/denandz/fuzzotron) - 支持 TCP、UDP 的简单多进程网络 Fuzzer 314 | 315 | [Mutiny](https://github.com/Cisco-Talos/mutiny-fuzzer) - 通过重放畸变的 PCAP 数据包来对网络进行 Fuzzer 316 | 317 | [Fuzzing For Worms](https://github.com/dobin/ffw) - 用于网络服务的 Fuzzing 框架 318 | 319 | [AFL (w/ networking patch)](https://github.com/jdbirdwell/afl) - 用于网络 Fuzzing 的非官方版 AFL 320 | 321 | [AFLNet](https://github.com/aflnet/aflnet) - 用于网络协议的灰盒 Fuzzer(AFL 的扩展) 322 | 323 | ### 浏览器Fuzzer 324 | 325 | [BFuzz](https://github.com/RootUp/BFuzz) - An input based, browser fuzzing framework. 326 | 327 | 328 | 329 | ### 杂项,内核 Fuzzer,通用 Fuzzer 330 | 331 | [Choronzon](https://github.com/CENSUS/choronzon) - 基于遗传知识的 Fuzzer 332 | 333 | [QuickFuzz](https://github.com/CIFASIS/QuickFuzz) - Haskell 写的针对第三方软件使用常见文件格式进行测试的工具,利用现成的、知名的 Fuzzer 334 | 335 | [gramfuzz](https://github.com/d0c-s4vage/gramfuzz) - 可定义复杂语法来建模文档与二进制数据格式的基于语法的 Fuzzer 336 | 337 | [KernelFuzzer](https://github.com/mwrlabs/KernelFuzzer) - 跨平台内核 Fuzzer 框架 338 | 339 | [honggfuzz](http://honggfuzz.com/) - 带有分析选项的通用、易用型 fuzzer 340 | 341 | [Hodor Fuzzer](https://github.com/nccgroup/hodor) - 曾经是另一个通用的 fuzzer 342 | 343 | [libFuzzer](http://llvm.org/docs/LibFuzzer.html) - 面向 C/C++ 程序、基于覆盖度的进化模糊测试工具 344 | 345 | [syzkaller](https://github.com/google/syzkaller) - 分布式、无监督、基于覆盖度的 Linux 系统调用模糊测试工具 346 | 347 | [ansvif](https://oxagast.github.io/ansvif/) - 用于在 C/C++ 程序中查找漏洞的高级跨平台模糊测试框架 348 | 349 | [Tribble](https://github.com/SatelliteApplicationsCatapult/tribble) - 易用、覆盖度指导的 JVM 模糊测试框架 350 | 351 | [go-fuzz](https://github.com/dvyukov/go-fuzz) - 覆盖度指导的 go 包模糊测试 352 | 353 | 354 | 355 | ### 流分析(用户输入如何影响执行) 356 | 357 | [PANDA ( Platform for Architecture-Neutral Dynamic Analysis )](https://github.com/moyix/panda) 358 | 359 | [QIRA (QEMU Interactive Runtime Analyser)](http://qira.me/) 360 | 361 | [kfetch-toolkit](https://github.com/j00ru/kfetch-toolkit) - 
用于记录操作系统内核执行的内存引用的高级日志工具 362 | 363 | [moflow](https://github.com/vrtadmin/moflow) - 软件安全框架,包括漏洞的挖掘和修补 364 | 365 | 366 | 367 | ### 符号执行 + SAT/SMT 求解器 368 | 369 | [Z3](https://github.com/Z3Prover/z3) 370 | 371 | [SMT-LIB](http://smtlib.cs.uiowa.edu/) 372 | 373 | ### 参考 374 | 375 | 我没有把全部的东西都纳进来,比如 AxMan,请参考以下链接获取更多信息 376 | https://www.ee.oulu.fi/research/ouspg/Fuzzers 377 | 378 | 379 | 380 | ### 基本工具(通用) 381 | 382 | *漏洞利用工具开发者、逆向工程师常用的工具* 383 | 384 | 385 | #### 调试工具 386 | 387 | [Windbg](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools) - 漏洞利用者常用的调试器 388 | 389 | [Immunity Debugger](http://debugger.immunityinc.com) - Immunity Sec 出品的调试器 390 | 391 | [OllyDbg](http://www.ollydbg.de/) - 逆向工程师的常见选择 392 | 393 | [Mona.py ( Plugin for windbg and Immunity dbg )](https://github.com/corelan/mona/) - 漏洞利用开发者的绝佳工具 394 | 395 | [x64dbg](https://github.com/x64dbg/) - 开源 Windows x64/x32 调试器 396 | 397 | [Evan's Debugger (EDB)](http://codef00.com/projects#debugger) - Front end for gdb. 
398 | 399 | [GDB - Gnu Debugger](http://www.sourceware.org/gdb/) - 最好的 Linux 调试器 400 | 401 | [PEDA](https://github.com/longld/peda) - Python 开发的 GDB 辅助程序 402 | 403 | [Radare2](http://www.radare.org/r/) - 逆向工程与程序分析的框架 404 | 405 | 406 | 407 | #### 反汇编工具 408 | 409 | *反汇编工具、反汇编框架等* 410 | 411 | [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml) - 最好的反汇编工具 412 | 413 | [binnavi](https://github.com/google/binnavi) - 二进制程序分析 IDE,注释反汇编代码的控制流图与调用图 414 | 415 | [Capstone](https://github.com/aquynh/capstone) - Capstone 是一个轻量、跨平台、多架构支持的反汇编框架 416 | 417 | 418 | 419 | #### 其他 420 | 421 | [ltrace](http://ltrace.org/) - 库调用拦截 422 | 423 | [strace](https://sourceforge.net/projects/strace/) - 系统调用拦截 424 | 425 | 426 | 427 | 428 | ## 存在漏洞的应用程序 429 | 430 | [Exploit-DB](https://www.exploit-db.com) 431 | 搜索、选取漏洞,有些提供了程序下载,可以通过你选择试用的 fuzzer 对利用进行复现 432 | 433 | [PacketStorm](https://packetstormsecurity.com/files/tags/exploit/) 434 | 435 | [Fuzzgoat](https://github.com/fuzzstati0n/fuzzgoat) - 对有漏洞的 C 程序模糊测试的工具 436 | 437 | [vulnserver](https://github.com/stephenbradshaw/vulnserver) - 用来测试 Fuzzer 的存在漏洞的服务器 438 | 439 | ##### fuzzing 期间种子样本文件 440 | 441 | https://files.fuzzing-project.org/ 442 | 443 | [PDF Test Corpus from Mozilla](https://github.com/mozilla/pdf.js/tree/master/test/pdfs) 444 | 445 | [MS Office file format documentation](https://www.microsoft.com/en-us/download/details.aspx?id=14565) 446 | 447 | [Fuzzer Test Suite](https://github.com/google/fuzzer-test-suite) - 模糊测试引擎的测试集,包括许多知名的 Bug,如 Heartbleed、c-ares $100K bug 等 448 | 449 | [Fuzzing Corpus](https://github.com/strongcourage/fuzzing-corpus) - 包含多种文件格式、用于 Fuzzing 的语料库 450 | 451 | 452 | 453 | ## 反Fuzzing 454 | 455 | [Anti-Fuzzing 的介绍:纵深防御的辅助](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2014/january/introduction-to-anti-fuzzing-a-defence-in-depth-aid/) 456 | 457 | [Fuzzification: 反 Fuzzing 技术](https://www.usenix.org/conference/usenixsecurity19/presentation/jung) 458 | 459 | [AntiFuzz: 阻止对二进制可执行文件的 
Fuzzing](https://www.usenix.org/conference/usenixsecurity19/presentation/guler) 460 | 461 | ## 导向性Fuzzing 462 | 463 | [Awesome Directed Fuzzing](https://github.com/strongcourage/awesome-directed-fuzzing): 导向性 Fuzzing 研究论文的列表 464 | 465 | 466 | 467 | ## 贡献 468 | 469 | [请查看 contributing.md 中关于细节的介绍](Contributing.md). 470 | 471 | 感谢下列人员对这个项目的贡献: 472 | + [Tim Strazzere](https://twitter.com/timstrazz) 473 | + [jksecurity](https://github.com/jksecurity) 474 | + [and these awesome people](https://github.com/secfigo/Awesome-Fuzzing/graphs/contributors) 475 | --------------------------------------------------------------------------------