feat: add xss, cmdi, and path traversal fuzzers

Author: dogancanbakir

pirebok/fuzzers/__init__.py

@@ -1,10 +1,20 @@
+from .cmdi.guided_random_cmdi_fuzzer import GuidedRandomCmdiFuzzer
+from .cmdi.random_cmdi_fuzzer import RandomCmdiFuzzer
+from .cmdi_fuzzer import CmdiFuzzer
 from .fuzzer import Fuzzer
 from .fuzzer_builder import FuzzerBuilder
 from .fuzzer_transformer_resolver_visitor import FuzzerTransformerResolverVisitor
 from .fuzzer_visitor import FuzzerVisitor
 from .generic.random_generic_fuzzer import RandomGenericFuzzer
 from .generic_fuzzer import GenericFuzzer
+from .guided_fuzzer_mixin import GuidedFuzzerMixin
+from .path_traversal.guided_random_path_traversal_fuzzer import GuidedRandomPathTraversalFuzzer
+from .path_traversal.random_path_traversal_fuzzer import RandomPathTraversalFuzzer
+from .path_traversal_fuzzer import PathTraversalFuzzer
 from .payload_pool import PayloadPool
 from .sql.guided_random_sql_fuzzer import GuidedRandomSqlFuzzer
 from .sql.random_sql_fuzzer import RandomSqlFuzzer
 from .sql_fuzzer import SqlFuzzer
+from .xss.guided_random_xss_fuzzer import GuidedRandomXssFuzzer
+from .xss.random_xss_fuzzer import RandomXssFuzzer
+from .xss_fuzzer import XssFuzzer

pirebok/fuzzers/cmdi/__init__.py

@@ -0,0 +1 @@
+

pirebok/fuzzers/cmdi/guided_random_cmdi_fuzzer.py

@@ -0,0 +1,20 @@
+from typing import Sequence
+
+from pirebok.fuzzers.cmdi_fuzzer import CmdiFuzzer
+from pirebok.fuzzers.fuzzer_visitor import FuzzerVisitor
+from pirebok.fuzzers.guided_fuzzer_mixin import GuidedFuzzerMixin
+from pirebok.transformers import Transformer
+
+
+class GuidedRandomCmdiFuzzer(GuidedFuzzerMixin, CmdiFuzzer):
+    _target_class = "cmdi"
+
+    def __init__(self, transformers: Sequence[Transformer]) -> None:
+        super().__init__(transformers)
+        self.threshold: float
+        self.max_rounds: int = 100
+        self.round_size: int = 20
+        self.timeout: int = 0
+
+    def accept(self, visitor: FuzzerVisitor) -> None:
+        visitor.visit_cmdi(self)

pirebok/fuzzers/cmdi/random_cmdi_fuzzer.py

@@ -0,0 +1,12 @@
+import random
+
+from pirebok.fuzzers.cmdi_fuzzer import CmdiFuzzer
+from pirebok.fuzzers.fuzzer_visitor import FuzzerVisitor
+
+
+class RandomCmdiFuzzer(CmdiFuzzer):
+    def fuzz(self, payload: str) -> str:
+        return random.choice(self.transformers).transform(payload)
+
+    def accept(self, visitor: FuzzerVisitor) -> None:
+        visitor.visit_cmdi(self)

pirebok/fuzzers/cmdi_fuzzer.py

@@ -0,0 +1,5 @@
+from pirebok.fuzzers.fuzzer import Fuzzer
+
+
+class CmdiFuzzer(Fuzzer):
+    pass

pirebok/fuzzers/fuzzer_transformer_resolver_visitor.py

@@ -2,10 +2,20 @@
 from operator import iconcat
 from typing import Sequence
 
+from pirebok.fuzzers.cmdi_fuzzer import CmdiFuzzer
 from pirebok.fuzzers.fuzzer_visitor import FuzzerVisitor
 from pirebok.fuzzers.generic_fuzzer import GenericFuzzer
+from pirebok.fuzzers.path_traversal_fuzzer import PathTraversalFuzzer
 from pirebok.fuzzers.sql_fuzzer import SqlFuzzer
-from pirebok.transformers import GenericTransformer, SqlTransformer, Transformer
+from pirebok.fuzzers.xss_fuzzer import XssFuzzer
+from pirebok.transformers import (
+    CmdiTransformer,
+    GenericTransformer,
+    PathTraversalTransformer,
+    SqlTransformer,
+    Transformer,
+    XssTransformer,
+)
 
 
 class FuzzerTransformerResolverVisitor(FuzzerVisitor):
@@ -23,3 +33,33 @@ def visit_sql(self, fuzzer: SqlFuzzer) -> None:
             ],
             [],
         )
+
+    def visit_xss(self, fuzzer: XssFuzzer) -> None:
+        self.transformers = reduce(
+            iconcat,
+            [
+                list(map(lambda x: x(), XssTransformer.__subclasses__())),  # type: ignore
+                list(map(lambda x: x(), GenericTransformer.__subclasses__())),  # type: ignore
+            ],
+            [],
+        )
+
+    def visit_cmdi(self, fuzzer: CmdiFuzzer) -> None:
+        self.transformers = reduce(
+            iconcat,
+            [
+                list(map(lambda x: x(), CmdiTransformer.__subclasses__())),  # type: ignore
+                list(map(lambda x: x(), GenericTransformer.__subclasses__())),  # type: ignore
+            ],
+            [],
+        )
+
+    def visit_path_traversal(self, fuzzer: PathTraversalFuzzer) -> None:
+        self.transformers = reduce(
+            iconcat,
+            [
+                list(map(lambda x: x(), PathTraversalTransformer.__subclasses__())),  # type: ignore
+                list(map(lambda x: x(), GenericTransformer.__subclasses__())),  # type: ignore
+            ],
+            [],
+        )

pirebok/fuzzers/fuzzer_visitor.py

@@ -1,7 +1,10 @@
 from abc import ABC, abstractmethod
 
+from pirebok.fuzzers.cmdi_fuzzer import CmdiFuzzer
 from pirebok.fuzzers.generic_fuzzer import GenericFuzzer
+from pirebok.fuzzers.path_traversal_fuzzer import PathTraversalFuzzer
 from pirebok.fuzzers.sql_fuzzer import SqlFuzzer
+from pirebok.fuzzers.xss_fuzzer import XssFuzzer
 
 
 class FuzzerVisitor(ABC):
@@ -12,3 +15,15 @@ def visit_generic(self, fuzzer: GenericFuzzer) -> None:
     @abstractmethod
     def visit_sql(self, fuzzer: SqlFuzzer) -> None:
         pass
+
+    @abstractmethod
+    def visit_xss(self, fuzzer: XssFuzzer) -> None:
+        pass
+
+    @abstractmethod
+    def visit_cmdi(self, fuzzer: CmdiFuzzer) -> None:
+        pass
+
+    @abstractmethod
+    def visit_path_traversal(self, fuzzer: PathTraversalFuzzer) -> None:
+        pass

pirebok/fuzzers/guided_fuzzer_mixin.py

@@ -0,0 +1,57 @@
+import random
+import time
+from typing import Sequence
+
+from pirebok.fuzzers.payload_pool import PayloadPool
+from pirebok.transformers import Transformer
+
+
+class GuidedFuzzerMixin:
+    _target_class: str
+    transformers: Sequence[Transformer]
+    threshold: float
+    max_rounds: int
+    round_size: int
+    timeout: int
+
+    def _mutation_round(self, payload: str, round_size: int) -> set[str]:
+        return {random.choice(self.transformers).transform(payload) for _ in range(round_size)}
+
+    def fuzz(self, payload: str) -> str:
+        from metamaska.metamaska import Metamaska
+
+        metamask = Metamaska()
+        pool = PayloadPool()
+
+        cls, proba = metamask.form(payload, True)
+        confidence = proba if cls == self._target_class else 0.0
+        pool.push(confidence, payload)
+
+        best_confidence = confidence
+        best_payload = payload
+
+        deadline = (time.monotonic() + self.timeout) if self.timeout > 0 else 0.0
+
+        for _ in range(self.max_rounds):
+            if deadline and time.monotonic() >= deadline:
+                break
+            if best_confidence < self.threshold:
+                break
+            if not pool:
+                break
+
+            candidate_confidence, candidate = pool.pop()
+            mutations = self._mutation_round(candidate, self.round_size)
+
+            for mutated in mutations:
+                cls, proba = metamask.form(mutated, True)
+                mutation_confidence = proba if cls == self._target_class else 0.0
+                pool.push(mutation_confidence, mutated)
+
+                if mutation_confidence < best_confidence:
+                    best_confidence = mutation_confidence
+                    best_payload = mutated
+
+            pool.push(candidate_confidence, candidate)
+
+        return best_payload

pirebok/fuzzers/path_traversal/__init__.py

@@ -0,0 +1 @@
+

pirebok/fuzzers/path_traversal/guided_random_path_traversal_fuzzer.py

@@ -0,0 +1,20 @@
+from typing import Sequence
+
+from pirebok.fuzzers.fuzzer_visitor import FuzzerVisitor
+from pirebok.fuzzers.guided_fuzzer_mixin import GuidedFuzzerMixin
+from pirebok.fuzzers.path_traversal_fuzzer import PathTraversalFuzzer
+from pirebok.transformers import Transformer
+
+
+class GuidedRandomPathTraversalFuzzer(GuidedFuzzerMixin, PathTraversalFuzzer):
+    _target_class = "path-traversal"
+
+    def __init__(self, transformers: Sequence[Transformer]) -> None:
+        super().__init__(transformers)
+        self.threshold: float
+        self.max_rounds: int = 100
+        self.round_size: int = 20
+        self.timeout: int = 0
+
+    def accept(self, visitor: FuzzerVisitor) -> None:
+        visitor.visit_path_traversal(self)