htrgouvea/fuzzpm

FuzzPM

Differential Fuzzing for Perl Modules



Summary

FuzzPM demonstrates how to use differential fuzzing to perform automated, large-scale security analysis of modern Perl components. By comparing outputs from multiple modules against the same inputs, it helps uncover inconsistencies and potential vulnerabilities. For more details, read the full publication on: https://heitorgouvea.me/2021/12/08/Differential-Fuzzing-Perl-Libs.


Download and install

# Download
$ git clone https://github.com/htrgouvea/fuzzpm && cd fuzzpm

# Install libs and dependencies
$ cpanm --installdeps .

How it works

Differential fuzzing is an approach in which the same seeds are sent to two or more implementations, each of which consumes them and should produce the same output. At the end of the test these outputs are compared; in case of divergence the fuzzer signals a possible failure [1] (https://en.wikipedia.org/wiki/Differential_testing).

There are three key components:

  • Targets: Perl modules to test.
  • Input Seeds: Files containing the input data.
  • Test Cases: YAML files that define which seeds and targets to use.

Here is an introduction to how you can create your own targets, seeds and test cases. To build a complete fuzzing case, you first need to wrap the library under test in a target package that exposes a new() method taking one seed and returning a normalized value (or 0 on failure), for example:

# Target package: one module under test, wrapped behind a uniform interface.
package Mojo_URI {
    use strict;
    use warnings;
    use Try::Tiny;
    use Mojo::URL;

    # new() receives a single seed (the payload) and returns the value that
    # will be compared against the other targets' output for the same seed.
    sub new {
        my ($self, $payload) = @_;

        try {
            my $url = Mojo::URL->new($payload);

            # Return the parsed host; this is the value under comparison.
            return $url->host;
        }

        # Any exception is normalized to 0 so the fuzzer can compare it.
        catch {
            return 0;
        }
    }
}

1;

Store it at ./targets/<your-target-name>.pm (the folder is referenced by target_folder in the test case). Store your seeds in a text file (e.g., ./seeds/your-seeds.txt). Then create a YAML file to link your seeds with your targets. For example:

test:
    seeds:
        - seeds/urls.txt
    targets:
        - Mojo_URI
        - Mojo_UA
        - Mechanize
        - Simple_URI
    target_folder: targets/url
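As an added example (not fuzzpm's own code), here is a minimal stand-alone harness that follows the same target contract described above: each target package exposes new($payload) and returns a normalized value, and the driver feeds every seed to every target and reports the seeds on which the targets disagree. The two target packages (Host_Naive, Host_Authority) and the seed list are constructed for illustration only.

```perl
#!/usr/bin/env perl
# Added example, not fuzzpm's own code: a minimal differential harness
# following the README's target contract, new($payload) -> normalized value.
use strict;
use warnings;

# Hypothetical target 1: naive parser, host is everything after "://" up
# to the first "/", "?" or "#".
package Host_Naive {
    sub new {
        my ($class, $payload) = @_;
        return 0 unless $payload =~ m{^[a-z][a-z0-9+.-]*://([^/?#]*)}i;
        return $1;
    }
}

# Hypothetical target 2: same authority match, but userinfo and port are
# stripped the way RFC 3986 defines the host component.
package Host_Authority {
    sub new {
        my ($class, $payload) = @_;
        return 0 unless $payload =~ m{^[a-z][a-z0-9+.-]*://([^/?#]*)}i;
        my $auth = $1;
        $auth =~ s/^.*@//;     # drop userinfo
        $auth =~ s/:\d*$//;    # drop port
        return $auth;
    }
}

package main;

# Constructed seeds; in fuzzpm these come from a seeds/*.txt file.
my @seeds = (
    'http://example.com/path',
    'http://user:pw@example.com:8080/x',
    'http://example.com@evil.test/',
);
my @targets = qw(Host_Naive Host_Authority);

# Run every target on every seed; any disagreement is a finding to triage.
my $divergences = 0;
for my $seed (@seeds) {
    my %out;
    $out{$_} = $_->new($seed) for @targets;
    my %distinct;
    $distinct{$_}++ for values %out;
    next if keys %distinct == 1;    # all targets agree on this seed
    $divergences++;
    print "DIVERGENCE on seed: $seed\n";
    print "  $_ => $out{$_}\n" for @targets;
}
print "$divergences of ", scalar @seeds, " seeds diverged\n";
```

With the constructed seeds, the first one agrees across both targets, while the two seeds containing userinfo and a port produce different hosts, which is the kind of parser inconsistency a differential run is meant to surface.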

Fuzzing

$ perl fuzzpm.pl --case cases/json-decode.yml
$ perl fuzzpm.pl --case cases/parsing-url.yml

Docker container

$ docker build -t fuzzpm .
$ docker run -ti --rm fuzzpm --help

Contribution

Your contributions and suggestions are heartily ♥ welcome. See the contribution guidelines. Please report bugs via the issues page, and for security issues, see the security policy. (✿ ◕‿◕)


License

This work is licensed under MIT License.