Let's imagine we have a target node <pfx:target>HelloWorld</pfx:target>. Below is how each of the different fuzzing techniques would change this string. If the fuzzing technique does not depend on a Range, then every input corresponds to one output. If the fuzzing technique depends on a Range (whether specified or not), then every input corresponds to an output for every position in the range. In the examples below, if the range is large, some of the outputs have been removed for brevity (indicated by ...).

Note: the string used to create long strings cannot be changed via the UI. If you want to use a different string from the default, which is "a", open the configuration file called SimpleTypeFuzzerConfig.xml in your project directory and change the value of the LengthRepetitionString node.

Replace with long strings

| Input | Output | Example States |
| --- | --- | --- |
| 0 | <pfx:target></pfx:target> | pfx-target-0-StringLength-0 |
| 1 | <pfx:target>a</pfx:target> | pfx-target-0-StringLength-1 |
| 2 | <pfx:target>aa</pfx:target> | pfx-target-0-StringLength-2 |
| 10 | <pfx:target>aaaaaaaaaa</pfx:target> | pfx-target-0-StringLength-3 |
| 20 | <pfx:target>aaaaaaaaaaaaaaaaaaaa</pfx:target> | pfx-target-0-StringLength-4 |

Insert long strings

No Range

Inputs: 1 and 5

| Output | Example States |
| --- | --- |
| <pfx:target>aHelloWorld</pfx:target> | pfx-target-0-InsertStringLength-0 |
| <pfx:target>aaaaaHelloWorld</pfx:target> | pfx-target-0-InsertStringLength-1 |
| <pfx:target>HaelloWorld</pfx:target> | pfx-target-0-InsertStringLength-2 |
| <pfx:target>HaaaaaelloWorld</pfx:target> | pfx-target-0-InsertStringLength-3 |
| ... | ... |
| <pfx:target>HelloWorlda</pfx:target> | pfx-target-0-InsertStringLength-20 |
| <pfx:target>HelloWorldaaaaa</pfx:target> | pfx-target-0-InsertStringLength-21 |

Range: Start Index = 5, Step Size = 1, Length = 3

Inputs: 1 and 5

| Output | Example States |
| --- | --- |
| <pfx:target>HelloaWorld</pfx:target> | pfx-target-0-InsertStringLength-10 |
| <pfx:target>HelloaaaaaWorld</pfx:target> | pfx-target-0-InsertStringLength-11 |
| <pfx:target>HelloWaorld</pfx:target> | pfx-target-0-InsertStringLength-12 |
| <pfx:target>HelloWaaaaaorld</pfx:target> | pfx-target-0-InsertStringLength-13 |
| <pfx:target>HelloWoarld</pfx:target> | pfx-target-0-InsertStringLength-14 |
| <pfx:target>HelloWoaaaaarld</pfx:target> | pfx-target-0-InsertStringLength-15 |

Range: Start Index = 3, Step Size = 3, Length = 10

Inputs: 1 and 5

| Output | Example States |
| --- | --- |
| <pfx:target>HelaloWorld</pfx:target> | pfx-target-0-InsertStringLength-6 |
| <pfx:target>HelaaaaaloWorld</pfx:target> | pfx-target-0-InsertStringLength-7 |
| <pfx:target>HelloWaorld</pfx:target> | pfx-target-0-InsertStringLength-12 |
| <pfx:target>HelloWaaaaaorld</pfx:target> | pfx-target-0-InsertStringLength-13 |
| <pfx:target>HelloWorlad</pfx:target> | pfx-target-0-InsertStringLength-18 |
| <pfx:target>HelloWorlaaaaad</pfx:target> | pfx-target-0-InsertStringLength-19 |

Insert long strings to length

No Range

Inputs: 1 and 15

| Output | Example States |
| --- | --- |
| <pfx:target>aaaaaHelloWorld</pfx:target> | pfx-target-0-InsertTotalStringLength-1 |
| <pfx:target>HaaaaaelloWorld</pfx:target> | pfx-target-0-InsertTotalStringLength-3 |
| <pfx:target>HeaaaaalloWorld</pfx:target> | pfx-target-0-InsertTotalStringLength-5 |
| <pfx:target>HelaaaaaloWorld</pfx:target> | pfx-target-0-InsertTotalStringLength-7 |
| ... | ... |
| <pfx:target>HelloWorldaaaaa</pfx:target> | pfx-target-0-InsertTotalStringLength-21 |

(Note: since the value 1 is shorter than the length of the string, it is completely ignored. This can be seen in the Example States, which have a fuzz index that skips every 2nd number.)

Range: Start Index = 5, Step Size = 1, Length = 3

Inputs: 1 and 15

| Output | Example States |
| --- | --- |
| <pfx:target>HelloaaaaaWorld</pfx:target> | pfx-target-0-InsertTotalStringLength-11 |
| <pfx:target>HelloWaaaaaorld</pfx:target> | pfx-target-0-InsertTotalStringLength-13 |
| <pfx:target>HelloWoaaaaarld</pfx:target> | pfx-target-0-InsertTotalStringLength-15 |

Replace strings

| Input | Output | Example States |
| --- | --- | --- |
| orange | <pfx:target>orange</pfx:target> | pfx-target-0-ReplaceString-0 |
| blue | <pfx:target>blue</pfx:target> | pfx-target-0-ReplaceString-1 |
| purple | <pfx:target>purple</pfx:target> | pfx-target-0-ReplaceString-2 |
| 3 | <pfx:target>3</pfx:target> | pfx-target-0-ReplaceString-3 |
| !"£$$" | <pfx:target>!"£$$"</pfx:target> | pfx-target-0-ReplaceString-4 |

Insert strings

No Range

Inputs: %s and \\

| Output | Example States |
| --- | --- |
| <pfx:target>%sHelloWorld</pfx:target> | pfx-target-0-InsertString-0 |
| <pfx:target>\\HelloWorld</pfx:target> | pfx-target-0-InsertString-1 |
| <pfx:target>H%selloWorld</pfx:target> | pfx-target-0-InsertString-2 |
| <pfx:target>H\\elloWorld</pfx:target> | pfx-target-0-InsertString-3 |
| ... | ... |
| <pfx:target>HelloWorld%s</pfx:target> | pfx-target-0-InsertString-20 |
| <pfx:target>HelloWorld\\</pfx:target> | pfx-target-0-InsertString-21 |

Range: Start Index = 5, Step Size = 1, Length = 3

Inputs: %s and 5

| Output | Example States |
| --- | --- |
| <pfx:target>Hello%sWorld</pfx:target> | pfx-target-0-InsertString-10 |
| <pfx:target>Hello5World</pfx:target> | pfx-target-0-InsertString-11 |
| <pfx:target>HelloW%sorld</pfx:target> | pfx-target-0-InsertString-12 |
| <pfx:target>HelloW5orld</pfx:target> | pfx-target-0-InsertString-13 |
| <pfx:target>HelloWo%srld</pfx:target> | pfx-target-0-InsertString-14 |
| <pfx:target>HelloWo5rld</pfx:target> | pfx-target-0-InsertString-15 |

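
The three Insert techniques above share one pattern: every input is applied at every offset the Range selects, and the fuzz index in the state name identifies the (offset, input) pair. The Python below is an added example, not the fuzzer's own code; the Range clipping and the index formula are inferred from the Example States columns, and all function names are hypothetical.

```python
# Added illustration, not the fuzzer's own code. The Range handling and the
# fuzz-index formula are inferred from the example tables on this page.

def positions(value, start=0, step=1, length=None):
    """Insertion offsets selected by a Range, clipped to the end of the value."""
    last = len(value) if length is None else min(start + length - 1, len(value))
    return range(start, last + 1, step)


def fuzz_insert(value, payloads, technique, prefix="pfx-target-0", **rng):
    """Return (state, output) pairs: every payload at every selected offset.

    A payload of None is skipped, but its fuzz index is still consumed.
    """
    cases = []
    for pos in positions(value, **rng):
        for i, payload in enumerate(payloads):
            if payload is None:
                continue
            index = pos * len(payloads) + i  # inferred from the Example States
            cases.append((f"{prefix}-{technique}-{index}",
                          value[:pos] + payload + value[pos:]))
    return cases


def insert_strings(value, strings, **rng):
    return fuzz_insert(value, list(strings), "InsertString", **rng)


def insert_long_strings(value, lengths, rep="a", **rng):
    # rep stands in for the LengthRepetitionString setting (default "a")
    return fuzz_insert(value, [rep * n for n in lengths],
                       "InsertStringLength", **rng)


def insert_to_length(value, totals, rep="a", **rng):
    # Pad the value up to each total length; totals shorter than the value
    # produce no test case.
    payloads = [rep * (t - len(value)) if t >= len(value) else None
                for t in totals]
    return fuzz_insert(value, payloads, "InsertTotalStringLength", **rng)


if __name__ == "__main__":
    for state, out in insert_to_length("HelloWorld", [1, 15],
                                       start=5, step=1, length=3):
        print(f"{state}\t<pfx:target>{out}</pfx:target>")
```

Because skipped inputs still consume an index, a state name maps back to the same offset and input whether or not a Range was set, which is what lets a crash seen at a given state be replayed from the name alone.
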
Encode strings

Encode string acts like replace string, except that instead of replacing the string with the value specified, it replaces it with the value specified encoded in each of the following formats:

○ ASCII
○ UTF7
○ UTF8
○ UTF8 with BOM
○ UTF16 Little Endian
○ UTF16 Big Endian
○ UTF32 Little Endian
○ UTF32 Big Endian

The fuzzer does not encode the value in the actual output format, i.e. if the output format is UTF8 it will not output the value in that encoding.