Funzz
Automatic Fuzzing of Hapi.js
Slides @ http://bit.ly/2XfCamL
Change Theme: White - Sky - Beige - Simple - Serif - Night - Default
About Me
Yoni Jah
- Software Engineer @ Lyntel electronics
- https://ca.non.co.il
- https://www.github.com/yonjah/funzz
Funzz Automatic Fuzzing of Hapi.js
- Fuzzing
- Node / JavaScript
- hapi
- Funzz
Domains and emails
non.co.il
Fuzzing
Automated software testing technique that involves providing invalid, unexpected, or random data as inputs
wikipedia
Pros
- Easy to implement
- Black box testing
- Cost effective
Cons
- Slow
- Noisy
- Not as effective
- Can be destructive
Common Tools
ZAP
Burp
Node.js
- The most popular framework SO
- Javascript
- Chrome V8
- Runs everywhere
JavaScript
The most popular language
SO, GitHubPros
- The best language in the world
cons
- The worst language in the world
JavaScript
Pros
- Native to browsers
- Open source by nature
- Powerful, flexible
- Async
- Excellent tools (testing, debugging, ci/cd, linting)
- Quick to evolve
cons
- Has a lot of bad parts
- Took time to mature
- No breaking changes
Node.js / JavaScript
npm
Packages
modulecounts
Downloads
Laurie Voss
hapi.js
Framework download stats
npmhapi.js
hapi VS Express
- Batteries included
- High learning curve
- Security features
- No external dependencies
- Minimal
- Low learning curve
hapi.js
joi
hapi input validator
Joi.object({
name: Joi.string().min(1).max(10).required(),
age: Joi.number().integer().min(0).max(150),
email: Joi.string().email(),
phone: Joi.string().regex(/\+?[\d() -]/)
}).or('email', 'phone');
hapi.js
joi
{
email: '[email protected]',
name: 'I63',
age: 54
}
{
phone: '+5726-))7542(0806 861734)9)605033552)2168)6-5-86587776 5 5723(',
name: ']BgT',
age: 15,
email: '[email protected]'
}
Funzz
Core features
- joi scehma fuzzer (Juzz)
- Automatic route and schema detection
- Integration with with test framework (Mocha, Lab)
Funzz
Code example
server.route({ method: 'POST', path: '/login',
handler: ({payload}, h) => {
const users = {user: 'superSecurePassword'};
const {username, password} = payload;
if (users[username] == password) {
h.state('loggedin', Buffer.from(users[username]).toString('base64'));
return 'OK';
}
return h.response('Bad user').code(401);
},
config: {
validate: {
payload: { password: Joi.string(), username: Joi.string()},
query: false
}
}
});
Funzz
Code example
const server = require('./server.js');
const Funzz = require('funzz');
Funzz(server);
Funzz
Code example
Failed calling route with data:
{"path":"/login","method":"post","query":{},"payload":{"username":"Uf1^p65cx)o9&swx@J!9XwnfUermKrJUPcr)*YQLIkgUfc%1qjkKy#br$3CIV!N!7ETMD@KXod*KN(5848z1I98S8W7QF@X$GYs&ie#KQEk#JrnMN1NOH0lE@9f)VER&Ga)z4kenjYTXO9g9s7%!hO^LQU%KqoWvyawprAkjQQG(1J6Q0vQPrTI3K[8(dJ*Z!rD^b(#fpVx2j%Ey]KB6PGmLM3$0hbGlsn2Nwzuah*4g*#eb!iCOz!$@Q^I30C9b#k)]u5hDp2LwhbBa*VFy4UkZdYqM&)1$kdNsW(#Z9D(Jb[vp(6ZWz)irvgGXsPTo6]UV(&Zq6GEJiQrN]hlk@Re0bct3OY63ld2@S0Lv*Vl@W2u]17r)[Rx08zMHan$UQ)bT%bfHmAlfLR4yTt)2Z[5IWi06UqOQrWZ*d2r[YeIoSKFW9txdoBH*LdED6A0j[vJ7]KY5yuOE8oHQERl@wNoJzq#6b3RstBi(vOpXB7kqt@EN^Cv@Yfho1)Mh&nvmlaP98Gtd2[l&pd*ybHHoY5qv*6k)L4Y[JqH*fD!)^[0NIR0g5nTIc(f135k7(FS[6N)MmqmyMs[L^wys&lhKSvVnMBN4%$9rr!XsW4h7*7viEr"}}
STATUS(500)
{"statusCode":500,"error":"Internal Server Error","message":"An internal server error occurred"}
TypeError [ERR_INVALID_ARG_TYPE]: The first argument must be one of type string, Buffer, ArrayBuffer, Array, or Array-like Object. Received type undefined
at Function.from (buffer.js:195:11)
at handler (/home/user/Documents/Funzz_Talk/server_01.js:12:40)
ValidationError: child "statusCode" fails because ["statusCode" must be less than 500]
Funzz
Advance Features
- Payloads
- Cookie / Auth injection
- Semi automatic
Funzz
Cons
- Very young and unstable
- Missing advance features
- White box only