# Injection fuzzing

Coverage guided fuzzing so far is only able to detect crashes, so usually
memory corruption issues, or - if implemented by hand in the harness -
invariants.

This is a proof-of-concept implementation to additionally hunt for injection
vulnerabilities.
It works by instrumenting calls to specific functions (for example SQL query
functions) and parsing the query parameter for a specific unescaped
dictionary string; if the string is detected, the target is crashed so the
fuzzer records the input.

This has a very low false positive rate.
But obviously this can only find injection vulnerabilities that are susceptible
to this specific (but most common) issue: user input reaching the sink
without escaping. Hence for a rare kind of injection vulnerability this won't
find the bug - and be a false negative.
But this can be tweaked by the user - see the HOW TO MODIFY section below.

## How to use

Set one or more of the following environment variables for **compiling**
the target and - *this is important* - when **fuzzing** the target:

 - `AFL_LLVM_INJECTIONS_SQL`
 - `AFL_LLVM_INJECTIONS_LDAP`
 - `AFL_LLVM_INJECTIONS_XSS`

Alternatively you can set `AFL_LLVM_INJECTIONS_ALL` to enable all.

## How to modify

If you want to add more functions to check for e.g. SQL injections:
Add these to `instrumentation/injection-pass.cc` and recompile.

If you want to test for more injection inputs:
Add the dictionary tokens to `src/afl-fuzz.c` and the check for them to
`instrumentation/afl-compiler-rt.o.c`.

If you want to add new injection targets:
You will have to edit all three files.

Just search for:
```
// Marker: ADD_TO_INJECTIONS
```
in the files to see where this needs to be added.

**NOTE:** pull requests to improve this feature are highly welcome :-)
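The following is an added example, not code from AFL++ itself, that shows the mechanism described above in plain C: a dictionary token (the "canary") is fed to the program as input, a hook standing in for the instrumented query function checks whether the token reached the sink verbatim, and an unescaped match is treated as a finding. It covers both the SQL and the LDAP target with a vulnerable and a fixed query builder side by side. The canary strings, the helper names and the escaping routines are constructed for this example; AFL++'s real dictionary entries in `src/afl-fuzz.c` and the checks in `instrumentation/afl-compiler-rt.o.c` may differ. The canaries put the dangerous characters in the middle of the token so that any escaping scheme (quote doubling, backslashes, LDAP hex escapes) changes the bytes, which is what keeps the false positive rate low; an application that neutralises input in some other way (for example by rejecting it outright) is exactly the case the text calls a false negative, and the check below cannot see that either.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed canary tokens (assumption: AFL++'s real dictionary entries in
 * src/afl-fuzz.c may differ). The dangerous characters sit in the middle so
 * a verbatim match can only mean they reached the sink unescaped. */
static const char SQL_CANARY[]  = "inj1'\"inj2";
static const char LDAP_CANARY[] = "inj1*)(inj2";

/* Generic sink check: 1 if the canary survives verbatim in the argument. */
int canary_reached_sink(const char *sink_arg, const char *canary) {
    return sink_arg != NULL && strstr(sink_arg, canary) != NULL;
}

int sql_injection_detected(const char *query)   { return canary_reached_sink(query, SQL_CANARY); }
int ldap_injection_detected(const char *filter) { return canary_reached_sink(filter, LDAP_CANARY); }

/* Hook standing in for what the instrumentation inserts in front of a query
 * function: check the argument and crash so the fuzzer records the input. */
void sql_exec_hooked(const char *query) {
    if (sql_injection_detected(query)) {
        fprintf(stderr, "injection canary reached SQL sink: %s\n", query);
        abort();
    }
    /* the real sqlite3_exec()/mysql_query() call would follow here */
}

/* Escape for a single-quoted SQL literal by doubling single quotes.
 * Returns a malloc'd buffer the caller frees. */
char *sql_escape(const char *s) {
    char *out = malloc(2 * strlen(s) + 1), *o = out;
    if (!out) return NULL;
    for (; *s; s++) {
        if (*s == '\'') *o++ = '\'';
        *o++ = *s;
    }
    *o = '\0';
    return out;
}

/* RFC 4515 style LDAP filter escaping: * ( ) \ become \XX hex escapes. */
char *ldap_escape(const char *s) {
    char *out = malloc(3 * strlen(s) + 1), *o = out;
    if (!out) return NULL;
    for (; *s; s++) {
        if (*s == '*' || *s == '(' || *s == ')' || *s == '\\')
            o += sprintf(o, "\\%02x", (unsigned char)*s);
        else
            *o++ = *s;
    }
    *o = '\0';
    return out;
}

/* Helper: format one user-controlled value into a template. */
static char *build(const char *fmt, const char *user) {
    size_t n = strlen(fmt) + strlen(user) + 1;
    char *q = malloc(n);
    if (q) snprintf(q, n, fmt, user);
    return q;
}

/* Vulnerable builders: raw concatenation of user input. */
char *build_sql_query_unsafe(const char *user) {
    return build("SELECT id FROM users WHERE name = '%s'", user);
}
char *build_ldap_filter_unsafe(const char *user) {
    return build("(&(objectClass=person)(uid=%s))", user);
}

/* Fixed builders: same templates, input escaped first. */
char *build_sql_query_safe(const char *user) {
    char *e = sql_escape(user);
    char *q = e ? build_sql_query_unsafe(e) : NULL;
    free(e);
    return q;
}
char *build_ldap_filter_safe(const char *user) {
    char *e = ldap_escape(user);
    char *f = e ? build_ldap_filter_unsafe(e) : NULL;
    free(e);
    return f;
}

int main(void) {
    /* Simulate the fuzzer handing the canary to both variants. */
    char *unsafe_q = build_sql_query_unsafe(SQL_CANARY);
    char *safe_q   = build_sql_query_safe(SQL_CANARY);
    printf("unsafe SQL query flagged: %d  (%s)\n", sql_injection_detected(unsafe_q), unsafe_q);
    printf("safe   SQL query flagged: %d  (%s)\n", sql_injection_detected(safe_q), safe_q);
    free(unsafe_q);
    free(safe_q);
    sql_exec_hooked("SELECT id FROM users WHERE name = 'alice'");  /* benign, returns */
    return 0;
}
```

The `abort()` in the hook is what turns a detected injection into something the fuzzer already knows how to handle: a crash, triaged like any other. Because the check looks only for the verbatim token, a legitimate query that happens to contain the same bytes without them coming from input would also be flagged, which is why the token is chosen to be unlikely in normal data.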