Hacking Tools p

Published on December 17th, 2016 | 692 views Post Views

PyJFuzz – Python JSON Fuzzer

PyJFuzz is a small, extensible and ready-to-use framework used to fuzz JSON inputs , such as mobile endpoint REST API, JSON implementation, Browsers, cli executable and much more.

Version 1.1.0
Homepage http://www.mseclab.com/
Github https://github.com/mseclab/PyJFuzz
Author Daniele Linguaglossa ( @dzonerzy ” class=”wp-links-icon”>@dzonerzy )
License MIT – (see LICENSE file)

In order to work PyJFuzz need a single dependency, bottle , you can install it from automatic setup.py installation.
You can install PyJFuzz with the following command

git clone https://github.com/mseclab/PyJFuzz.git && cd PyJFuzz && sudo python setup.py install

Documentation and Examples
CLI tool
Once installed PyJFuzz will create both a python library and a command-line utility called pjf (screenshot below)


PyJFuzz could also work as a library, you can import in your project like following

from pyjfuzz.lib import *

The available object/class are the following:

  • PJFServer – User to start and stop built-in HTTP and HTTPS servers
  • PJFProcessMonitor – Used to monitor process crash, it will automatically restart proccess each time it crash
  • PJFTestcaseServer – The testcase server is used in conjunction with PJFProcessMonitor, whenever a process crash the testcase server will register and store the JSON which cause the crash
  • PJFFactory – It’s the main object used to do the real fuzz of JSON objects
  • PJFConfiguration – It’s the configuration file for each of the available objects
  • PJFExternalFuzzer – Used by PJFactory is a auxiliary class which provide an interface to other command line fuzzer such as radamsa
  • PJFMutation – Used by PJFFactory provide all the mutation used during fuzzing session
  • PJFExecutor – Provides an interface to interact with external process

Below some trivial example of how-to implement PyJFuzz powered program

from argparse import Namespace
from pyjfuzz.lib import *

config = PJFConfiguration(Namespace(json={"test": ["1", 2, True]}, nologo=True, level=6))
fuzzer = PJFFactory(config)
while True:
    print fuzzer.fuzzed


from argparse import Namespace
from pyjfuzz.lib import *

config = PJFConfiguration(Namespace(json={"test": ["1", 2, True]}, nologo=True, level=6, debug=True, indent=True))

Sometimes you may need to modify standard non customizable settings such as HTTPS or HTTP server port, this can be done in the following way

from argparse import Namespace
from pyjfuzz.lib import *

config = PJFConfiguration(Namespace(json={"test": ["1", 2, True]}, nologo=True, level=6, indent=True))
print config.ports["servers"]["HTTP_PORT"]   # 8080
print config.ports["servers"]["HTTPS_PORT"]  # 8443
print config.ports["servers"]["TCASE_PORT"]  # 8888
config.ports["servers"]["HTTPS_PORT"] = 443  # Change HTTPS port to 443

Remember : When changing default ports, you should always handle exception due to needed privileges!
Below a comprehensive list of all available settings / customization of PJFConfiguration object:
Configuration table

Name Type Description
json dict JSON object to fuzz
json_file str Path to a JSON file
parameters list<str> List of parameters to fuzz (taken from JSON object)
techniques list<int> List of polyglot attack, used to generate fuzzed JSON, such as XSS, LFI etc. They are in the range 0-13 (Look techniques table )
level int Fuzzing level in the range 0-6
utf8 bool If true switch from unicode encode to pure byte representation
indent bool Set whenever to indent the result object
url_encode bool Set whenever to URLEncode the result object
strong_fuzz bool Set whenever to use strong fuzzing (strong fuzzing will not maintain JSON structure, usefull for parser fuzzing)
debug bool Set whenever to enable debug prints
exclude bool Exclude from fuzzing parameters selected by parameters option
notify bool Set whenever to notify process monitor when a crash occurs only used with PJFServer
html str Path to an HTML directory to serve within PJFServer
ext_fuzz bool Set whenever to use binary from “command” as an externale fuzzer
cmd_fuzz bool Set whenever to use binary from “command” as fuzzer target
content_type str Set the content type result of PJFServer (default application/json )
command list<str> Command to execute each paramester is a list element, you could use shlex.split from python

Techniques table

Index Description
0 XSS injection (Polyglot)
1 SQL injection (Polyglot)
2 LFI attack
3 SQL injection polyglot (2)
4 XSS injection (Polyglot) (2)
5 RCE injection (Polyglot)
6 LFI attack (2)
7 Data URI attack
8 LFI and HREF attack
9 Header injection
10 RCE injection (Polyglot) (2)
11 Generic templace injection
12 Flask template injection
13 Random character attack

Below some screenshot just to let you know what you should expect from PyJFuzz



Built-in tool
PyJFuzz is shipped with a built-in tool called PyJFuzz Web Fuzzer , this tool will provide an automatic fuzzing console via HTTP and HTTPS server, it can be used to easly fuzz almost any web browser even when you can’t control the process state!
There are two switch used to launch this tool (–browser-auto and –fuzz-web), the first one perform automatic browser restart when a crash occur, the other one try to catch when a browser doesn’t make requests anymore. Both of them always save the testcases, below some screenshots.



Thanks for using PyJFuzz!
Happy Fuzzing from mseclab

Download PyJFuzz

Share on Facebook0Share on Google+1Tweet about this on TwitterShare on Reddit0Email this to someonePrint this pageShare on StumbleUpon0Digg thisPin on Pinterest0Share on LinkedIn0

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Top ↑

You Might Also Like:
Sherlock – Tool to find missing Windows patches for Local Privilege Escalation Vulnerabilities

PowerShell script to quickly find missing Microsoft patches for local privilege escalation vulnerabilities. Currently looks for: MS10-015 : User Mode...