ABE — Fuzzing / Disruption Module Specification

Purpose

This is ABE's core differentiator. Instead of only clicking valid elements, ABE injects abnormal inputs into forms to provoke unexpected server behavior: missing server-side validation, unhandled errors (5xx) and input reflected unencoded into responses.

Architecture

src/plugins/fuzzers/
├── FuzzingEngine.ts         ← orchestrator, decides when and how to fuzz
├── strategies/
│   ├── EmptyValueStrategy.ts
│   ├── OversizedStringStrategy.ts
│   ├── SpecialCharsStrategy.ts
│   ├── TypeMismatchStrategy.ts
│   └── BoundaryValueStrategy.ts
└── InputTypeDetector.ts     ← detects field type from DOM attributes

InputTypeDetector

Detects field type from: input[type], input[name], input[placeholder], label text, aria-label.

type DetectedInputType =
  | 'email' | 'password' | 'number' | 'date' | 'phone'
  | 'url' | 'search' | 'text' | 'textarea' | 'select' | 'file'
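An added example of the detection order the spec describes, not ABE's own InputTypeDetector.ts. It assumes a plain FieldAttrs record (tag plus the five attributes listed above) instead of a live DOM element so it runs offline; the hint regexes and the names FieldAttrs and detectInputType are this example's assumptions.

```typescript
// Added example: InputTypeDetector logic over a plain attribute record.
// The DetectedInputType union is restated from the spec so the file runs alone.
export type DetectedInputType =
  | 'email' | 'password' | 'number' | 'date' | 'phone'
  | 'url' | 'search' | 'text' | 'textarea' | 'select' | 'file';

// Assumed input shape: what a DOM scraper would hand the detector.
export interface FieldAttrs {
  tag: 'input' | 'textarea' | 'select';
  type?: string;        // input[type]
  name?: string;        // input[name]
  placeholder?: string; // input[placeholder]
  label?: string;       // text of the associated <label>
  ariaLabel?: string;   // aria-label
}

// Explicit HTML input types that map directly onto a detected type.
// Types outside the union (checkbox, hidden, submit, ...) fall through to
// the hint scan and end up as 'text'; the engine decides whether to fuzz them.
const TYPE_ATTR_MAP: Record<string, DetectedInputType> = {
  email: 'email', password: 'password', number: 'number', date: 'date',
  tel: 'phone', url: 'url', search: 'search', file: 'file',
};

// Keyword hints applied, in this order, to name/placeholder/label/aria-label
// when the type attribute is generic (text) or missing.
const HINTS: Array<[RegExp, DetectedInputType]> = [
  [/e-?mail/i, 'email'],
  [/\bpass(word|wd|code)?\b|\bpwd\b/i, 'password'],
  [/phone|\btel(ephone)?\b|mobile/i, 'phone'],
  [/\b(url|website|homepage|link)\b/i, 'url'],
  [/\b(date|dob|birth)/i, 'date'],
  [/search|query/i, 'search'],
  [/amount|qty|quantity|count|\bage\b|zip|postal/i, 'number'],
];

export function detectInputType(f: FieldAttrs): DetectedInputType {
  if (f.tag === 'textarea') return 'textarea';
  if (f.tag === 'select') return 'select';
  const t = (f.type ?? 'text').toLowerCase();
  if (Object.prototype.hasOwnProperty.call(TYPE_ATTR_MAP, t)) return TYPE_ATTR_MAP[t];
  // Generic input: infer from the human-facing attributes, first hint wins.
  const haystack = [f.name, f.placeholder, f.label, f.ariaLabel]
    .filter((s): s is string => typeof s === 'string' && s.length > 0)
    .join(' ');
  for (const [re, kind] of HINTS) if (re.test(haystack)) return kind;
  return 'text';
}
```

The explicit type attribute wins over text hints because it is what the browser itself enforces; hints only disambiguate type="text" fields, and a field that matches no hint is fuzzed as plain text rather than skipped.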

Fuzzing Strategies

EmptyValueStrategy

Submits forms with all fields empty. Catches missing server-side validation, including servers that check presence but never trim, which the whitespace-only values expose. Applies to: all input types. Values: "", " " (space only), "\t" (tab).

OversizedStringStrategy

Submits strings far beyond expected length. Catches missing length limits: database column truncation errors surfacing as 500s, unbounded storage, and UI overflow. Applies to: text, email, password, textarea. Values by intensity:

  • low: 256 chars
  • medium: 1024 chars
  • high: 10000 chars, plus a multi-byte unicode variant of the same character count (catches limits enforced in bytes rather than characters)

SpecialCharsStrategy

Injects characters that break SQL, HTML, path, template-expression and binary (NUL byte) contexts. These are probes, not exploits: the only signals this spec detects are a 5xx response and a verbatim reflection (see AnomalyDetector below). Applies to: text, email, search, textarea. Values:

' OR 1=1 --
<script>alert(1)</script>
../../etc/passwd
${7*7}
\x00\x01\x02

TypeMismatchStrategy

Submits wrong data types for the field.

  • email field → "not-an-email", "12345", "@@@"
  • number field → "abc", "-999999", "9.9.9", "NaN"
  • date field → "yesterday", "32/13/2025", "0000-00-00"
  • url field → "javascript:alert(1)", "not a url"
  • phone field → "000", "++++", "abcdefghij"

BoundaryValueStrategy

Tests values at the edges of expected ranges.

  • number field → 0, -1, 2147483647, 2147483648, -2147483648 (int32 edges and one past the maximum)
  • date field → "1900-01-01", "2099-12-31", "1970-01-01"

Fuzzing Execution Flow

For each form discovered in state:
  1. InputTypeDetector analyzes each field
  2. FuzzingEngine selects strategies based on fuzzingIntensity (cumulative):
     - low: EmptyValue + TypeMismatch only
     - medium: + OversizedString + BoundaryValue
     - high: + SpecialChars
  3. For each strategy, fill every field the strategy applies to with fuzz values; fields it does not apply to keep a valid value
  4. Submit the form, starting from the same pre-submit state each time so one fuzz case does not influence the next
  5. Observe the response (status code and body) via AnomalyDetector
  6. Record results
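An added example of steps 2 and 3, the strategy selection by intensity and the per-strategy payload generation, written for this spec rather than taken from ABE's FuzzingEngine.ts. The FuzzStrategy interface, the FormField/FuzzCase shapes, the baseline argument (valid values for fields a strategy does not touch) and buildFuzzCases are assumptions of the example; the payload values themselves are the ones listed in the strategy sections above.

```typescript
// Added example: strategy selection and fuzz-case generation.
// DetectedInputType is restated from the spec so the file runs stand-alone.
export type DetectedInputType =
  | 'email' | 'password' | 'number' | 'date' | 'phone'
  | 'url' | 'search' | 'text' | 'textarea' | 'select' | 'file';
export type FuzzingIntensity = 'low' | 'medium' | 'high';

// Assumed strategy interface: which field types it targets and the values
// it produces for a given type at a given intensity.
export interface FuzzStrategy {
  name: string;
  appliesTo: 'all' | DetectedInputType[];
  values(type: DetectedInputType, intensity: FuzzingIntensity): string[];
}

export const EmptyValueStrategy: FuzzStrategy = {
  name: 'EmptyValue', appliesTo: 'all',
  values: () => ['', ' ', '\t'],
};

export const OversizedStringStrategy: FuzzStrategy = {
  name: 'OversizedString', appliesTo: ['text', 'email', 'password', 'textarea'],
  values: (_type, intensity) => {
    const n = { low: 256, medium: 1024, high: 10000 }[intensity];
    const ascii = 'A'.repeat(n);
    // high adds a multi-byte payload: same character count, 3x the UTF-8 bytes.
    return intensity === 'high' ? [ascii, '\u2603'.repeat(n)] : [ascii];
  },
};

export const SpecialCharsStrategy: FuzzStrategy = {
  name: 'SpecialChars', appliesTo: ['text', 'email', 'search', 'textarea'],
  values: () => ["' OR 1=1 --", '<script>alert(1)</script>',
                 '../../etc/passwd', '${7*7}', '\x00\x01\x02'],
};

const MISMATCH: Partial<Record<DetectedInputType, string[]>> = {
  email: ['not-an-email', '12345', '@@@'],
  number: ['abc', '-999999', '9.9.9', 'NaN'],
  date: ['yesterday', '32/13/2025', '0000-00-00'],
  url: ['javascript:alert(1)', 'not a url'],
  phone: ['000', '++++', 'abcdefghij'],
};
export const TypeMismatchStrategy: FuzzStrategy = {
  name: 'TypeMismatch', appliesTo: Object.keys(MISMATCH) as DetectedInputType[],
  values: (type) => MISMATCH[type] ?? [],
};

const BOUNDARY: Partial<Record<DetectedInputType, string[]>> = {
  number: ['0', '-1', '2147483647', '2147483648', '-2147483648'],
  date: ['1900-01-01', '2099-12-31', '1970-01-01'],
};
export const BoundaryValueStrategy: FuzzStrategy = {
  name: 'BoundaryValue', appliesTo: Object.keys(BOUNDARY) as DetectedInputType[],
  values: (type) => BOUNDARY[type] ?? [],
};

// Step 2: cumulative strategy set per intensity.
export function selectStrategies(intensity: FuzzingIntensity): FuzzStrategy[] {
  const chosen = [EmptyValueStrategy, TypeMismatchStrategy];
  if (intensity !== 'low') chosen.push(OversizedStringStrategy, BoundaryValueStrategy);
  if (intensity === 'high') chosen.push(SpecialCharsStrategy);
  return chosen;
}

export interface FormField { name: string; type: DetectedInputType }
export interface FuzzCase { strategy: string; values: Record<string, string> }

// Step 3: one submission per (strategy, payload index). Every applicable field
// is fuzzed in the same submission; non-applicable fields keep their baseline
// (valid) value so a rejection can be attributed to the fuzz values.
export function buildFuzzCases(
  fields: FormField[], baseline: Record<string, string>, intensity: FuzzingIntensity,
): FuzzCase[] {
  const cases: FuzzCase[] = [];
  for (const s of selectStrategies(intensity)) {
    const perField = fields
      .filter(f => s.appliesTo === 'all' || s.appliesTo.includes(f.type))
      .map(f => ({ f, vals: s.values(f.type, intensity) }))
      .filter(x => x.vals.length > 0);
    const rounds = Math.max(0, ...perField.map(x => x.vals.length));
    for (let i = 0; i < rounds; i++) {
      const values = { ...baseline };
      for (const { f, vals } of perField) values[f.name] = vals[i % vals.length];
      cases.push({ strategy: s.name, values });
    }
  }
  return cases;
}
```

Fields with fewer payloads than the longest applicable field cycle through their list, so every payload of every field is sent at least once without multiplying the submission count.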

AnomalyDetector additions for fuzzing

Add these new anomaly types:

  • validation_bypass — server accepted clearly invalid input (e.g. submitted empty required email, got 200). A 200 that re-renders the form with an error message is a rejection, not a bypass, so check the body for error markers as well as the status; a 3xx after POST counts as acceptance.
  • server_error_on_fuzz — server returned 5xx on a fuzzed input
  • xss_reflection — fuzzed script tag appears verbatim (unencoded) in the response body; an HTML-encoded echo such as &lt;script&gt; is not a reflection
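An added example of the three classifications, run over constructed observations; it is not ABE's AnomalyDetector. The FuzzObservation shape, the per-type format validators, the default error-marker list and detectFuzzAnomalies are assumptions made for the example.

```typescript
// Added example: classify one fuzz submission's response into the three
// anomaly types. DetectedInputType is restated from the spec for stand-alone use.
export type DetectedInputType =
  | 'email' | 'password' | 'number' | 'date' | 'phone'
  | 'url' | 'search' | 'text' | 'textarea' | 'select' | 'file';
export type FuzzAnomaly = 'validation_bypass' | 'server_error_on_fuzz' | 'xss_reflection';

// Assumed record of what was sent and what came back.
export interface FuzzObservation {
  strategy: string;
  submitted: Record<string, string>;            // field name -> value sent
  fieldTypes: Record<string, DetectedInputType>; // from InputTypeDetector
  required: string[];                            // fields marked required
  status: number;
  body: string;
}

// Minimal format checks: a value failing these is "clearly invalid" for its type.
const VALIDATORS: Partial<Record<DetectedInputType, (v: string) => boolean>> = {
  email: v => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  number: v => /^-?\d+(\.\d+)?$/.test(v),
  date: v => /^\d{4}-\d{2}-\d{2}$/.test(v) && !Number.isNaN(Date.parse(v)),
  url: v => /^https?:\/\/\S+$/i.test(v),
  phone: v => /^\+?[\d\s().-]{7,}$/.test(v),
};

// Assumed markers of a re-rendered form with a validation message.
export const DEFAULT_ERROR_MARKERS = ['error', 'invalid', 'required', 'must be'];

function clearlyInvalid(name: string, value: string, obs: FuzzObservation): boolean {
  if (obs.required.includes(name) && value.trim() === '') return true;
  const check = VALIDATORS[obs.fieldTypes[name]];
  return check ? !check(value) : false;
}

export function detectFuzzAnomalies(
  obs: FuzzObservation, opts: { errorMarkers: string[] } = { errorMarkers: DEFAULT_ERROR_MARKERS },
): FuzzAnomaly[] {
  const found = new Set<FuzzAnomaly>();
  if (obs.status >= 500) found.add('server_error_on_fuzz');

  // Reflection: the submitted script tag appears byte-for-byte in the body.
  // An encoded echo (&lt;script&gt;) does not match and is not reported.
  for (const v of Object.values(obs.submitted)) {
    if (/<script\b/i.test(v) && obs.body.includes(v)) found.add('xss_reflection');
  }

  // Acceptance: 2xx/3xx (3xx is the usual post-submit redirect) with no error
  // marker in the body; a 200 that re-renders the form with a message is a rejection.
  const lowerBody = obs.body.toLowerCase();
  const accepted = obs.status >= 200 && obs.status < 400
    && !opts.errorMarkers.some(m => lowerBody.includes(m));
  if (accepted && Object.entries(obs.submitted).some(([n, v]) => clearlyInvalid(n, v, obs))) {
    found.add('validation_bypass');
  }
  return [...found];
}
```

Boundary values such as 2147483648 pass the number format check on purpose: they are not "clearly invalid", so a 200 on them is recorded as an ordinary result, and only a 5xx on them is an anomaly.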

Integration point

FuzzingEngine is called from ExplorationEngine AFTER normal action discovery, only when config.fuzzingEnabled === true. It is passed as an optional plugin, so the core engine doesn't depend on it directly.