Introducing Shazzer: A shared online fuzzer
Thursday, 12 January 2012
I lost inspiration for coding a while ago and had been sitting on this idea for some time. I’m often stuck at the design stage before I write a line of code, and I refuse to continue without a clear picture in my head of how an app is going to work. After the Christmas break I got my inspiration back and quickly formulated how Shazzer might work. Once I was happy with the design I coded it pretty quickly; it was like a jigsaw and everything just fitted nicely together.
So what the hell is it, I hear you ask? Shazzer allows you to perform client-based fuzzing and share the results with the world. It scans character codes 0-100000 in a couple of seconds (depending on the vector) and allows you to build different vectors and preparation code. When you think about fuzzing, especially behaviour-based fuzzing, there are too many combinations for you to handle on your own. You need to scan every browser version, every OS, every charset, every document mode (for IE) and so on; it’s an impossible amount of data to get through, especially when time is limited. At the moment it’s limited to a single character mutation per vector and is designed for behaviour-based fuzzing rather than finding crashes (that will come later).
Shazzer is useful for asking simple questions, for example “What characters are allowed after an attribute name in IE9.0?”. The idea is to construct clever vectors that discover this information, scan with your own browser, and then ask your friends or colleagues to scan using theirs. The end goal is to use this information to file bugs, find holes in HTML filters or simply discover the differences between the various browser versions.
Constructing a vector
To make your own vectors, the first thing you need to do is search to see if the vector you are looking for already exists; there’s no point reinventing the wheel. Then hit create (after you’ve logged in). The description should be clear and concise and no more than 50 characters; also consider that it will be the URL of your vector, so keep it short and to the point. Keywords allow you to assign search terms to your vector: include any keywords you think are relevant, such as “anchor, XSS, href” if you are checking the anchor href for different characters. The preparation code allows you to modify how the logging works. For JS execution vectors you shouldn’t need to modify this, but for HTML/CSS based checks you should modify it to detect whether the vector was successful. Consider the following example:
<span id="fuzzelement*num*" style="*chr*color:#000;"></span>
Here the vector checks which characters are allowed before the property “color” in CSS, but as this vector doesn’t execute JavaScript you have to check each element yourself. You do this by modifying the preparation code just below the start of the complete function, like so:
for(var i=from;i<to;i++) {
  try {
    // fuzzelement<i> only has a color if the browser tolerated character i before the property
    if(document.getElementById('fuzzelement'+i).style.color.length) {
      ids.push(i);
    }
  } catch(e) {} // the element may not exist if the browser dropped it
}
This script takes advantage of the fuzzer’s predefined global variables: “from” is where Shazzer starts the scan, such as 0 or 10000, and “to” is the end of the range it’s scanning. For each element we check whether the color property has been set and, if so, add the character code to the ids array. The try/catch block stops the fuzz script from breaking if the element doesn’t exist.
For the most part you shouldn’t have to modify the preparation code; mainly you just work on adding new vectors. Vectors work using placeholders: *chr* is replaced with the character and *num* with its character code. Taking the “characters after an attribute name” example from earlier, you simply create some HTML that calls the log function and place *chr* where you want to check. For example:
`"'><img src=1 onerror*chr*=log(*num*)>
At the beginning of the example you will notice a backtick and both quote styles followed by a closing “>”; this prevents vectors from overlapping when the fuzzed character turns out to open an attribute value, because whichever delimiter the browser picked (IE also accepts the backtick as an attribute delimiter) is closed before the next vector starts. The character being fuzzed appears after onerror and is indicated by *chr*. When the onerror handler executes it calls the log function, which is predefined in the preparation code, with the character code indicated by *num* as its argument. This vector will now work on any browser, charset or range that any user chooses and let you see the result 🙂
Fuzzing Samples
Here are a few examples for you to play with:
Characters allowed before a JavaScript function
Characters that close an HTML comment
Have a go with Shazzer yourself and have fun!
No. 1 — January 12th, 2012 at 10:27 pm
This looks awesome! I had a similar test harness a few years back to perform character mutations around attributes, tags, and such to produce some results like http://www.lookout.net/2008/08/26/advisory-attack-of-the-mongolian-space-evaders-and-other-medieval-xss-vectors/
Shazzer looks very promising, and should provide us with lots of fun :-).
No. 2 — January 13th, 2012 at 8:39 am
Thanks Chris! Yeah, I remember that bug of yours; it’s probably when I subscribed to your blog.
No. 3 — January 26th, 2012 at 1:38 am
Thank you for presenting shazzer to us at @HackPra. I was actually not yet expecting to hear much about it when I recently read this post here, but you did really well! I will see if I can contribute somehow, someday.