furlzz is a small fuzzer written to test out iOS URL schemes.
It does so by attaching to the application using Frida and based on the input/seed it mutates the data
and tries to open the mutated URL. furlzz works in-process, meaning you aren't actually opening
the URL using apps such as SpringBoard. furlzz supports universal links which are being used with
scene:continueUserActivity
and application:continueUserActivity
. On some applications it is worth trying to use app
as method for custom links, because that
can work as well.
Download prebuilt binaries from here or do it manually.
To manually install furlzz, do:
- Follow the instructions for devkit documented here
- Run
go install github.com/nsecho/furlzz@latest
Simply run the binary with corresponding flags with either attaching over USB or on over the network with -n
flag.
$ furlzz fuzz --help
Fuzz URL scheme
Usage:
furlzz fuzz [flags]
Flags:
-a, --app string Application name to attach to (default "Gadget")
-b, --base string base URL to fuzz
-c, --crash ignore previous crashes
-d, --delegate string if the method is scene_activity, you need to specify UISceneDelegate class
-f, --function string apply the function to mutated input (url, base64)
-h, --help help for fuzz
-i, --input string path to input directory
-m, --method string method of opening url (delegate, app) (default "delegate")
-n, --network string Connect to remote network device (default is "USB")
-r, --runs uint number of runs
-s, --scene string scene class name
-t, --timeout uint sleep X seconds between each case (default 1)
-u, --uiapp string UIApplication name
Starting from 2.5.0
, furlzz now can be run inside of Docker container, for full details visit Dockerfile.md
for documentation.
There are basically two ways you can go with fuzzing using furlzz
:
- give base URL (
--base
) withFUZZ
keyword in it along with--input
directory containing inputs - just give base URL without
FUZZ
keyword which would fuzz the raw base url passed (less efficient)
furlzz supports two post-process methods right now; url and base64. The first one does URL encode on the mutated input while the second one generates base64 from it.
- Figure out the method of opening URLs inside the application (with
frida-trace
for example) - Find out base url
- Create some inputs
- Pass the flags to
furlzz fuzz
- Most of the time, values have to be URL encoded, so use
--function url
- Adjust timeout if you would like to go with slower fuzzing
- If the crash happen, replay it with
furlzz crash
passing created session and crash files
insert
- inserts random byte at random location inside the inputdel
- deletes random bytesubstitute
- substitute byte at random position with random bytebyteOp
- takes random byte and random position inside the string and do arithmetic operation on them (+, -, *, /)duplicateRange
- duplicates random range inside the original string random number of timesbitFlip
- flips the bit at random position inside random location inside inputbitmask
- applies random bitmask on random location inside the stringduplicate
- duplicates original string random number of times (2 < 10)multiple
- run other mutations random number of times
Right now furlzz supports a couple of methods of opening URLs:
delegate
when the application uses-[AppDelegate application:openURL:options:]
app
when the application is using-[UIApplication openURL:]
scene_activity
- when the application is using-[UISceneDelegate scene:continueUserActivity]
- Universal Linksscene_context
when the application is using-[UISceneDelegate scene:openURLContexts:]
delegate_activity
when the application is using-[AppDelegate application:continueUserActivity:restorationHandler]
- Universal Links
- For the method of
scene_activity
you need to pass theUISceneDelegate
class name - For the method of
delegate
you need to pass theAppDelegate
class name - For the method of
scene_context
you need to passUISceneDelegate
class name - For the method of
delegate_activity
you need to passAppDelegate
class name
PRs are more than welcome to extend any functionality inside the furlzz