Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

adding long padding fuzzing strategy and a randomized flag for https #1

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

adding long padding fuzzing strategy and a randomized flag for https #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 17 additions & 14 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ The following HTTP fuzzers are provided (for example domain `example.com`).
| 14 | HostName Alternate | Repeat or modify domains in certain ways | "" | 5 |
| 15 | Hostname TLD Alternate | Provide different TLD to domain | example.net | 10 |
| 16 | Hostname Subdomain Alternate | Provide different subdomain | mail.example.net | 10 |
| 17 | Hostname Long Padding | Padding space characters to hostname | example.com | 27 |

The following HTTPS fuzzers are provided (for example domain `example.com`).

Expand All @@ -40,6 +41,7 @@ The following HTTPS fuzzers are provided (for example domain `example.com`).
| 6 | SNI Alternate | Repeat or modify domains in certain ways | " " | 4 |
| 7 | SNI TLD Alternate | Provide different TLD to domain | example.org | 10 |
| 8 | SNI Subdomain Alternate | Provide different subdomain | wiki.example.net | 10 |
| 9 | SNI Long Padding | Padding space characters to SNI | example.com | 27 |


## Installation
Expand All @@ -50,20 +52,21 @@ The following HTTPS fuzzers are provided (for example domain `example.com`).
## Configuration
The following flags can be provided for running measurements:

| Flag | Default | Function | Example |
| ---------------------- | ------------------------ | ------------------------------------------------------ | ------------------------------------------ |
| infile | Required | A csv file with `endpoint, domain` pairs to measure | `examples/input.csv` |
| fuzzer-infile | Required | A csv file with `Fuzzer ID, All permutations? boolean` | `examples/http-fuzz-input.csv` |
| outfile | stdout | File to write output in | `examples/example_direct_http_fuzz.json` |
| uncensored | example.com | Control keyword which is not blocked | |
| num-workers | 1 | Number of workers to run measurements parallely | |
| fuzz-delay | 5 | Number of seconds between unblocked measurements | |
| stateful-delay | 120 | Number of seconds between blocked measurements | |
| protocol | http | HTTP or HTTPS protocol | |
| All | false | If true, run all permutations | |
| iface | "" | Network interface to use to run measurements | |
| srcip | "" | Select source IP address to use (can be used to spoof) | |
| numprobes | 3 | No. of permutations per strategy in case All = false | |
| Flag | Default | Function | Example |
| ---------------------- | ------------------------ | ------------------------------------------------------------ | ------------------------------------------ |
| infile | Required | A csv file with `endpoint, domain` pairs to measure | `examples/input.csv` |
| fuzzer-infile | Required | A csv file with `Fuzzer ID, All permutations? boolean` | `examples/http-fuzz-input.csv` |
| outfile | stdout | File to write output in | `examples/example_direct_http_fuzz.json` |
| uncensored | example.com | Control keyword which is not blocked | |
| num-workers | 1 | Number of workers to run measurements parallely | |
| fuzz-delay | 5 | Number of seconds between unblocked measurements | |
| stateful-delay | 120 | Number of seconds between blocked measurements | |
| protocol | http | HTTP or HTTPS protocol | |
| All | false | If true, run all permutations | |
| iface | "" | Network interface to use to run measurements | |
| srcip | "" | Select source IP address to use (can be used to spoof) | |
| numprobes | 3 | No. of permutations per strategy in case All = false | |
| randomized | false | Randomizes order of extensions and ciphersuites (HTTPS only) | |

The following flags can be provided for analyzing measurements:
| Flag | Default | Function | Example |
Expand Down
2 changes: 2 additions & 0 deletions config/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ var UncensoredKeyword string
var Protocol string
var NumberOfProbesPerTest int
var All bool
var Randomized bool
var NumWorkers int
var Iface string
var Srcip string
Expand Down Expand Up @@ -44,6 +45,7 @@ func init() {
flag.StringVar(&Iface, "iface", "", "Interface to send measurements on")
flag.StringVar(&Srcip, "srcip", "", "Source IP to send measurements from")
flag.IntVar(&NumberOfProbesPerTest, "numprobes", 3, "Number of random requests to send per test (default 3)")
flag.BoolVar(&Randomized, "randomized", false, "If true, starts the uTLS Client with the HelloRandomized clientHelloID which randomly adds/reorders extensions, ciphersuites, etc. If false, uses the default HelloGolang clientHelloID. Default - False")

//Analyze config
flag.StringVar(&Dir, "analyze-dir", "", "Directory with fuzz files (required)")
Expand Down
11 changes: 8 additions & 3 deletions connection/connection.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -124,10 +124,15 @@ func SendHTTPRequest(conn *Connection, request string) interface{} {
return string(response[:responseLength])
}

func SendHTTPSRequest(conn *Connection, config utls.Config) *util.TLSdata {
func SendHTTPSRequest(conn *Connection, tlsconfig utls.Config) *util.TLSdata {
defer conn.Raw.Close()
conn.Raw.SetReadDeadline(time.Now().Add(2 * time.Second))
tlsConn := utls.UClient(conn.Raw, &config, utls.HelloGolang)
var tlsConn *utls.UConn
if config.Randomized {
tlsConn = utls.UClient(conn.Raw, &tlsconfig, utls.HelloRandomized)
} else {
tlsConn = utls.UClient(conn.Raw, &tlsconfig, utls.HelloGolang)
}
defer tlsConn.Close()
//Use refraction networking's utls instead of using crypto/tls to have more flexibility
err := tlsConn.BuildHandshakeState()
Expand All @@ -153,7 +158,7 @@ func SendHTTPSRequest(conn *Connection, config utls.Config) *util.TLSdata {
ServerName: state.ServerName,
}

getRequest := fmt.Sprintf("GET / HTTP/1.1\r\nHost:%s\r\nConnection: close\r\n\r\n", config.ServerName)
getRequest := fmt.Sprintf("GET / HTTP/1.1\r\nHost:%s\r\nConnection: close\r\n\r\n", tlsconfig.ServerName)
_, err = tlsConn.Write([]byte(getRequest))
if err != nil {
err = conn.handleError(err)
Expand Down
1 change: 1 addition & 0 deletions examples/http-fuzz-input.csv
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,3 +14,4 @@
14,false
15,true
16,false
17,false
1 change: 1 addition & 0 deletions examples/https-fuzz-input.csv
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,3 +6,4 @@
6,false
7,true
8,false
9,false
33 changes: 31 additions & 2 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
module github.com/censoredplanet/CenFuzz

go 1.16
go 1.21.5

require (
cloud.google.com/go/bigquery v1.42.0
Expand All @@ -10,5 +10,34 @@ require (
github.com/libp2p/go-reuseport v0.2.0
github.com/mxschmitt/golang-combinations v1.1.0
github.com/oschwald/geoip2-golang v1.8.0
github.com/refraction-networking/utls v1.1.2
github.com/refraction-networking/utls v1.6.2
)

require (
cloud.google.com/go v0.102.1 // indirect
cloud.google.com/go/compute v1.7.0 // indirect
cloud.google.com/go/iam v0.3.0 // indirect
github.com/andybalholm/brotli v1.0.6 // indirect
github.com/cloudflare/circl v1.3.7 // indirect
github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
github.com/golang/protobuf v1.5.3 // indirect
github.com/google/uuid v1.3.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
github.com/googleapis/gax-go/v2 v2.5.1 // indirect
github.com/kaorimatz/go-mrt v0.0.0-20210326003454-aa11f3646f93 // indirect
github.com/klauspost/compress v1.17.4 // indirect
github.com/oschwald/maxminddb-golang v1.10.0 // indirect
github.com/quic-go/quic-go v0.40.1 // indirect
go.opencensus.io v0.23.0 // indirect
golang.org/x/crypto v0.18.0 // indirect
golang.org/x/net v0.20.0 // indirect
golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 // indirect
golang.org/x/sys v0.16.0 // indirect
golang.org/x/text v0.14.0 // indirect
golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
google.golang.org/api v0.95.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20220914142337-ca0e39ece12f // indirect
google.golang.org/grpc v1.48.0 // indirect
google.golang.org/protobuf v1.28.1 // indirect
)
Loading