SaaSHub helps you find the best software and product alternatives Learn more →
Top 23 Fuzzing Open-Source Projects
-
Awesome-Hacking
A collection of various awesome lists for hackers, pentesters and security researchers
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
foundry
Foundry is a blazing fast, portable and modular toolkit for Ethereum application development written in Rust.
-
reconftw
reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
-
Awesome-Fuzzing
A curated list of fuzzing resources ( Books, courses - free and paid, videos, tools, tutorials and vulnerable applications to practice on ) for learning Fuzzing and initial phases of Exploit Development like root cause analysis.
-
AFLplusplus
The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!
-
dnstwist
Domain name permutation engine for detecting homograph phishing attacks, typo squatting, and brand impersonation
-
IntruderPayloads
A collection of Burpsuite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploads and web pentesting methodologies and checklists.
-
honggfuzz
Security oriented software fuzzer. Supports evolutionary, feedback-driven fuzzing based on code coverage (SW and HW based)
-
awesome-api-security
A collection of awesome API Security tools and resources. The focus goes to open-source tools and resources that benefit all the community.
-
SaaSHub
SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives
8. Security Knowledge Base: - Utilize resources like The-book-of-secret-knowledge (e.g., https://github.com/trimstray/the-book-of-secret-knowledge) and Awesome-Hacking (e.g., https://github.com/Hack-with-Github/Awesome-Hacking) to build a knowledge base. - Extract relevant security information and create a structured knowledge base within SecurIoT. - Implement functionality to query and retrieve security information from the knowledge base. - Thoroughly test the knowledge base integration, ensuring accurate retrieval of security knowledge.
I am new to Python. With the help of several users (thanks u/Diapolo10 and u/shiftybyte)I've been able to install Python and the dirsearch package. Dirsearch (https://github.com/maurosoria/dirsearch) allows for checking website paths with a wordlist. For example, I have a wordlist file with words like "dog", "cat", "bird", etc and I want to check the validity of those words as extensions on a website. Something like "example.com/bird", "example.com/cat", etc. I have a test wordlist in the same directory as dirsearch, but I am confused on how to proceed with the commands. I want to have it check my wordlist as extensions on the example.com website and then save output on if the webpath is valid or not. Just need a little bit of help.
Project mention: SableDb – a key/value store that uses RocksDB and Redis API (written in Rust) | news.ycombinator.com | 2024-04-04a few times, seems interesting. The author's also built a lot of other cool concurrency primitives for Rust as well.
[0] https://github.com/spacejam/sled
Project mention: Fuzzing Ladybird with tools from Google Project Zero | news.ycombinator.com | 2024-03-16https://github.com/google/clusterfuzz
At least Chromium has integrated multiple different fuzzers into their regular development workflow and found lots of bugs even before going public.
Project mention: Automated Unit Test Improvement Using Large Language Models at Meta | news.ycombinator.com | 2024-02-17https://arxiv.org/abs/2402.09171 :
> This paper describes Meta's TestGen-LLM tool, which uses LLMs to automatically improve existing human-written tests. TestGen-LLM verifies that its generated test classes successfully clear a set of filters that assure measurable improvement over the original test suite, thereby eliminating problems due to LLM hallucination. [...] We believe this is the first report on industrial scale deployment of LLM-generated code backed by such assurances of code improvement.
Coverage-guided unit test improvement might [with LLMs] be efficient too.
https://github.com/topics/coverage-guided-fuzzing :
- e.g. Google/syzkaller is a coverage-guided syscall fuzzer: https://github.com/google/syzkaller
- Gitlab CI supports coverage-guided fuzzing: https://docs.gitlab.com/ee/user/application_security/coverag...
- oss-fuzz, osv
Additional ways to improve tests:
Hypothesis and pynguin generate tests from type annotations.
There are various tools to generate type annotations for Python code;
> pytype (Google) [1], PyAnnotate (Dropbox) [2], and MonkeyType (Instagram) [3] all do dynamic / runtime PEP-484 type annotation type inference [4] to generate type annotations. https://news.ycombinator.com/item?id=39139198
icontract-hypothesis generates tests from icontract DbC Design by Contract type, value, and invariance constraints specified as precondition and postcondition @decorators:
I used this method successfully for my qjson package . It accepts as input a human readable json. It detected a condition I forgot to check in a few minutes. I used the go fuzzer go-fuzz from Dmitry Vyukov. Check the impressive list of trophies at the end of the README. These are bugs found by the fuzzer.
Project mention: Decoding C/C++ Compilation Process: From Source Code to Binary | /r/cpp | 2023-06-08It could be cool to see some explanation of CFG representations or GIMPLE/LLVM here. GCC/Clang can print those out as text, or just compile to that code and not go lower if you ask them to. There are some interesting things you can do with bytecode, like Rellic, AFL++, or optview2. It seems a bit reductive imo to go straight from high-level code to disassembly without at all examining any layers in between. Especially if we use something like Polygeist or CIR.
Libraries like JSVerify or Fast-Check offer essential tools to facilitate property-based testing.
Project mention: Gaining kernel code execution on an MTE-enabled Pixel 8 | news.ycombinator.com | 2024-03-18This work comes from GitHub's Security Lab https://securitylab.github.com/
Fuzzing related posts
- Xz: Disable ifunc to fix Issue 60259
- Ask HN: Any Good Fuzzer for gRPC?
- Gaining kernel code execution on an MTE-enabled Pixel 8
- Fuzzing Ladybird with tools from Google Project Zero
- CS 6120: Advanced Compilers: The Self-Guided Online Course
- Automated Unit Test Improvement Using Large Language Models at Meta
- Hypothesis
-
A note from our sponsor - SaaSHub
www.saashub.com | 23 Apr 2024
Index
What are some of the best open-source Fuzzing projects? This list will help you:
Project | Stars | |
---|---|---|
1 | Awesome-Hacking | 77,002 |
2 | dirsearch | 11,213 |
3 | oss-fuzz | 9,879 |
4 | sled | 7,736 |
5 | foundry | 7,530 |
6 | hypothesis | 7,254 |
7 | reconftw | 5,231 |
8 | clusterfuzz | 5,200 |
9 | syzkaller | 5,116 |
10 | Awesome-Fuzzing | 5,064 |
11 | go-fuzz | 4,704 |
12 | AFLplusplus | 4,620 |
13 | dnstwist | 4,508 |
14 | fast-check | 4,099 |
15 | IntruderPayloads | 3,526 |
16 | Raccoon | 2,993 |
17 | honggfuzz | 2,974 |
18 | awesome-api-security | 2,720 |
19 | testing-distributed-systems | 2,386 |
20 | OneListForAll | 2,332 |
21 | Fuzzing101 | 2,269 |
22 | FuzzingPaper | 2,242 |
23 | winafl | 2,234 |
Sponsored