8

I want to fuzz-test an XML parser and wonder if there are some appropriate fuzzers.
It would be nice to not only generate random garbage, but to take advantage of existing schema specifications like XSD or DTD.

p4553d
  • Voting to close as off-topic: "Questions asking us to recommend or find a book, tool, software library, tutorial or other off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it." – dzieciou Feb 18 '16 at 11:18

3 Answers

7

Following are some XML fuzzers that I chanced upon during a search several months back:

  • untidy. This does not appear to be in active development, with the last update in 2007. (Project no longer available on Sourceforge; for posterity see archive.org for partial content, and packetstorm for download. It was added to Peach-1.0, but no longer appears in the Peach-3.1 Community Edition source at all.)
  • Fuzzware. Appears to have decent support for XSD based fuzzing.
  • Peach. The Peach fuzzer project will aid you in generating valid XML files, but will probably not be of much help if you want to fuzz the parser instead of the application using the parser. It is certainly worth a try, but be forewarned that creating a data model can be a cumbersome process if you are not aware of the various structures in XML. The related project HotFuzz is also worth mentioning here.
  • JBroFuzz. This is quite actively developed. I couldn't find any tutorial describing its XML (and SOAP) fuzzing capabilities. You might be helped by the fact that it can be used as a fuzzing library alone.
  • Codenomicon Defensics for XML. This is a commercial fuzzer. Disclaimer: I have evaluated Defensics in the past, and have found it suitable for various purposes. The XML parser alone can be fuzzed using various techniques - you may feed it files generated by the fuzzer, or issue HTTP requests etc. Do keep in mind that different approaches will have to be used if you need to fuzz your application instead of the parser; Defensics will aid in selecting the various classes of inputs that you want in the fuzz inputs, so that you can target your parser, or your application or both.
mr.spuratic
Vineet Reynolds
3

This might be what you consider a "garbage generator", but I'll ask you to check it out anyhow.

Radamsa from Oulu University Secure Programming Group is a free general-purpose fuzzer. You can get fuzzing with it really easily. Give it some example files and Radamsa generates fuzzed files for you.

The different fuzzers included can do anything from simple bit flips to complex learning of the structure and fuzzing it.

The code can be found on Google Code.

oherrala
1

american fuzzy lop might be a good choice here. It employs a genetic algorithm that will learn how to induce new code paths in your program and come up with test cases that maximize coverage.

d33tah
  • AFL has mutation strategies that are a good fit for binary formats, but not for XML. However, you can write a custom mutator for XML as described in https://census-labs.com/media/choronzon-zeronights-2015.pdf and plug it into libfuzzer, honggfuzz or Mozilla's fork of AFL that also supports custom mutators. – Shnatsel Dec 14 '18 at 21:12
  • @Shnatsel is there anything specific about XML that makes AFL not work well with it? IIRC SQLite was fuzzed pretty well with AFL even before the introduction of language tokens feature. With the feature, it should be even easier to fuzz the parser. – d33tah Dec 15 '18 at 10:48
  • It's a verbose textual format that depends on lots of very specific bytes being put in very specific places (e.g. a full valid tag, or even a matching pair of opening and closing tags). AFL's mutation strategies are well suited for binary data but do not handle such formats well: stuff like "flip bits" does not do much, but moving attributes between tags would have discovered new states. Choronzon has proven this experimentally. However, if you want to use AFL to fuzz XML, you could write your own XML-aware mutator, as was done for Choronzon. – Shnatsel Dec 15 '18 at 12:01
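Shnatsel's point about structure-aware versus format-blind mutation, as an added example that is not part of any answer or comment above: a small Python mutator that edits the parsed tree (moving attributes between elements, duplicating and reordering siblings, oversized attribute values, deep nesting) next to a single AFL-style bit flip, plus a helper that measures how many of each mutator's outputs the parser still accepts. The seed document, the function names and the five mutation operators are assumptions made for this illustration.

```python
import copy
import random
import xml.etree.ElementTree as ET

# Constructed seed document for this illustration (not taken from any answer above).
SEED = (b'<order id="42"><item sku="A1" qty="2">widget</item>'
        b'<item sku="B7" qty="1">gadget</item></order>')

def bit_flip(data: bytes, rng: random.Random) -> bytes:
    """Format-blind mutation in the spirit of AFL's bit flips: toggle one random bit."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    return bytes(buf)

def xml_aware_mutate(data: bytes, rng: random.Random) -> bytes:
    """Structure-aware mutation: edit the parsed tree and re-serialise it, so the
    output is always well-formed and reaches the logic behind the tokenizer.
    Assumes the seed has attributed elements and at least two sibling elements."""
    root = ET.fromstring(data)
    elems = list(root.iter())
    op = rng.choice(("move_attr", "dup_child", "swap_children", "bloat_attr", "nest"))
    if op == "move_attr":            # move an attribute between elements
        src = rng.choice([e for e in elems if e.attrib])
        name = rng.choice(sorted(src.attrib))
        rng.choice(elems).set(name, src.attrib.pop(name))
    elif op == "dup_child":          # repeat an element (list/dedup handling)
        parent = rng.choice([e for e in elems if len(e)])
        parent.append(copy.deepcopy(rng.choice(list(parent))))
    elif op == "swap_children":      # reorder siblings (order assumptions)
        parent = rng.choice([e for e in elems if len(e) > 1])
        i, j = rng.sample(range(len(parent)), 2)
        parent[i], parent[j] = parent[j], parent[i]
    elif op == "bloat_attr":         # oversized attribute value (buffer limits)
        rng.choice(elems).set("fuzz", "A" * rng.choice((256, 4096, 65536)))
    else:                            # deep nesting (recursion limits); depth is kept
        node = rng.choice(elems)     # modest because ET.tostring itself recurses
        for _ in range(rng.choice((16, 64, 200))):
            node = ET.SubElement(node, node.tag)
    return ET.tostring(root)

def well_formed(data: bytes) -> bool:
    try:
        ET.fromstring(data)
        return True
    except ET.ParseError:
        return False

def survival_rate(mutator, rounds: int = 200, seed: int = 1) -> float:
    """Fraction of mutants the parser still accepts; the rest die in the tokenizer."""
    rng = random.Random(seed)
    return sum(well_formed(mutator(SEED, rng)) for _ in range(rounds)) / rounds
```

Comparing `survival_rate(bit_flip)` with `survival_rate(xml_aware_mutate)` shows why a tree-level mutator gets past the lexer far more often; plugging such a mutator into a coverage-guided engine (as the comment suggests for libFuzzer, honggfuzz or an AFL fork with custom mutator support) combines the two.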