# ABE — Fuzzing / Disruption Module Specification

## Purpose

This is ABE's core differentiator. Instead of only clicking valid elements,
ABE injects abnormal inputs into forms to provoke unexpected server behavior.

## Architecture

```
src/plugins/fuzzers/
├── FuzzingEngine.ts          ← orchestrator, decides when and how to fuzz
├── strategies/
│   ├── EmptyValueStrategy.ts
│   ├── OversizedStringStrategy.ts
│   ├── SpecialCharsStrategy.ts
│   ├── TypeMismatchStrategy.ts
│   └── BoundaryValueStrategy.ts
└── InputTypeDetector.ts      ← detects field type from DOM attributes
```

## InputTypeDetector

Detects field type from: input[type], input[name], input[placeholder], label text, aria-label.

Precedence: `<textarea>`, `<select>` and `input[type=file]` are identified by the
element itself. A specific `input[type]` (email, password, number, date, url,
search) is authoritative and maps directly; HTML spells the phone type `tel`, so
the detector must map `tel` → `phone`. Only `type="text"` or a missing type
attribute falls through to the name/placeholder/label/aria-label heuristics.
Those are guesses and must never override an explicit type.

```typescript
type DetectedInputType =
  | 'email' | 'password' | 'number' | 'date' | 'phone'
  | 'url' | 'search' | 'text' | 'textarea' | 'select' | 'file'
```

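The precedence rules above, as an added example that is not ABE's own InputTypeDetector. The `FieldDescriptor` shape, the attribute map and the hint patterns are assumptions: the crawler is assumed to have already copied these attributes out of the DOM, so the heuristics run without a browser.

```typescript
// Added example, not ABE's own InputTypeDetector. FieldDescriptor is an
// assumed shape: the attributes are taken to be copied out of the DOM by the
// crawler beforehand, so this runs without a browser.

type DetectedInputType =
  | 'email' | 'password' | 'number' | 'date' | 'phone'
  | 'url' | 'search' | 'text' | 'textarea' | 'select' | 'file';

interface FieldDescriptor {
  tag: 'input' | 'textarea' | 'select';
  type?: string | null;        // input[type] as written in the HTML
  name?: string | null;        // input[name]
  placeholder?: string | null; // input[placeholder]
  labelText?: string | null;   // text of the associated <label>
  ariaLabel?: string | null;   // aria-label
}

// input[type] values that map directly. HTML spells the phone type "tel";
// the date-like types all become 'date'.
const TYPE_ATTR_MAP: Record<string, DetectedInputType> = {
  email: 'email', password: 'password', number: 'number', range: 'number',
  date: 'date', 'datetime-local': 'date', month: 'date', week: 'date',
  tel: 'phone', url: 'url', search: 'search', file: 'file',
};

// Fallback heuristics, used only when the type attribute is "text" or
// missing. First match wins, so the more specific patterns come first.
const HINT_PATTERNS: Array<[RegExp, DetectedInputType]> = [
  [/\be?mail\b/i, 'email'],
  [/\b(password|passwd|pwd|passcode)\b/i, 'password'],
  [/\b(tel|telephone|phone|mobile|cell)\b/i, 'phone'],
  [/\b(url|website|homepage|link)\b/i, 'url'],
  [/\b(date|dob|birth\w*)\b/i, 'date'],
  [/\b(age|amount|qty|quantity|count|zip|postal|price)\b/i, 'number'],
  [/\b(search|query)\b/i, 'search'],
];

function detectInputType(f: FieldDescriptor): DetectedInputType {
  if (f.tag === 'textarea') return 'textarea';
  if (f.tag === 'select') return 'select';

  // An explicit, specific type attribute is authoritative.
  const attr = (f.type ?? 'text').trim().toLowerCase();
  const direct = TYPE_ATTR_MAP[attr];
  if (direct) return direct;

  // Otherwise guess from name/placeholder/label/aria-label. Separators such
  // as "_" and "[]" become spaces so "user[email]" still matches "email".
  const hints = [f.name, f.placeholder, f.labelText, f.ariaLabel]
    .filter((h): h is string => typeof h === 'string' && h.length > 0)
    .join(' ')
    .replace(/[_\-.\[\]]+/g, ' ');
  for (const [re, t] of HINT_PATTERNS) {
    if (re.test(hints)) return t;
  }
  return 'text';
}
```

The point of the `if (direct) return direct;` short-circuit is that a `type="number"` field named `email` stays a number field; the strategies that follow pick their payloads by detected type, so a wrong guess here sends the wrong payloads to every strategy downstream.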
## Fuzzing Strategies

### EmptyValueStrategy

Submits forms with all fields empty. Catches missing server-side validation of
required fields.

Applies to: all input types.

Values: `""`, `" "` (space only), `"\t"` (tab).

The whitespace-only variants are not "empty" to a server that never trims, so
they separately catch a required-field check that exists but runs before trimming
(or never trims at all).

|
### OversizedStringStrategy
|
|
Submits strings far beyond expected length. Catches buffer issues and UI overflow.
|
|
Applies to: text, email, password, textarea.
|
|
Values by intensity:
|
|
- low: 256 chars
|
|
- medium: 1024 chars
|
|
- high: 10000 chars + unicode chars
|
|
|
|
### SpecialCharsStrategy

Injects characters that break out of their expected context: SQL string
literals, HTML, filesystem paths, template expressions, and parsers that are
not binary-safe.

Applies to: text, email, search, textarea.

Values:

```
' OR 1=1 --
<script>alert(1)</script>
../../etc/passwd
${7*7}
\x00\x01\x02
```

Each value targets one context: the first a SQL string literal, the second HTML
(its reflection is what AnomalyDetector looks for), the third path handling, the
fourth server-side template evaluation (the literal `49` appearing where the
input is echoed means the expression was evaluated), and the last NUL and control
bytes. Note that the browser percent-encodes `\x00` as `%00` in an
`application/x-www-form-urlencoded` body, so whether the application sees a raw
NUL depends on its form decoder.

### TypeMismatchStrategy

Submits wrong data types for the field.

- email field → "not-an-email", "12345", "@@@"
- number field → "abc", "-999999", "9.9.9", "NaN"
- date field → "yesterday", "32/13/2025", "0000-00-00"
- url field → "javascript:alert(1)", "not a url"
- phone field → "000", "++++", "abcdefghij"

Note that `javascript:alert(1)` is a well-formed URL, so a validator that only
checks URL syntax accepts it; if the stored value is later emitted into an `href`,
that is stored XSS. A 2xx on this value is worth reporting as a
`validation_bypass` in its own right.

### BoundaryValueStrategy

Tests values at the edges of expected ranges.

- number field → 0, -1, 2147483647, 2147483648, -2147483648
- date field → "1900-01-01", "2099-12-31", "1970-01-01"

The number values bracket a signed 32-bit integer: 2147483647 is the largest value
that fits and 2147483648 is one past it, so a handler that parses into an int32
either errors, wraps, or silently clamps; -1 and 0 catch "positive only" checks
written as `<` instead of `<=`. The dates cover a pre-1970 value, a far-future
value, and the Unix epoch itself, which some code treats as "unset".

## Fuzzing Execution Flow

```
For each form discovered in state:
  1. InputTypeDetector analyzes each field
  2. FuzzingEngine selects strategies based on fuzzingIntensity:
     - low: EmptyValue + TypeMismatch only
     - medium: + OversizedString + BoundaryValue
     - high: + SpecialChars
  3. For each strategy, fill all fields with fuzz values
  4. Submit the form, bypassing client-side constraint validation
  5. Observe response via AnomalyDetector
  6. Record results
```

Step 4 is what makes the rest meaningful: with `required`, `type="email"`,
`type="number"`, `min`/`max` or `pattern` set, the browser's own constraint
validation refuses to send most of these payloads. The fuzzer must submit with
validation disabled (set `form.noValidate`, or call `HTMLFormElement.submit()`,
which skips constraint validation) rather than via `requestSubmit()` or a click on
the submit button; otherwise every strategy silently tests the browser instead
of the server.

In step 3, fields the current strategy does not apply to should keep a known-valid
value. If every field is abnormal at once, a rejection cannot be attributed to
the field under test.

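Steps 2 and 3 of the flow, plus the strategy definitions from the previous section, as an added example that is not ABE's own FuzzingEngine. The `FormField`, `FuzzStrategy` and `Submission` types, the `validValue` recorded per field, and the function names are assumptions; the real engine drives a browser page, whereas this only builds the list of submissions to make.

```typescript
// Added example, not ABE's own FuzzingEngine. Types, the per-field
// "validValue" and the plan shape are assumptions made for this example.

type DetectedInputType =
  | 'email' | 'password' | 'number' | 'date' | 'phone'
  | 'url' | 'search' | 'text' | 'textarea' | 'select' | 'file';
type FuzzingIntensity = 'low' | 'medium' | 'high';

interface FormField {
  name: string;
  type: DetectedInputType;
  validValue: string; // assumed: a known-good value recorded during discovery
}

interface FuzzStrategy {
  id: string;
  appliesTo: ReadonlySet<DetectedInputType> | 'all';
  values(field: FormField, intensity: FuzzingIntensity): string[];
}

const EmptyValueStrategy: FuzzStrategy = {
  id: 'EmptyValue',
  appliesTo: 'all',
  values: () => ['', ' ', '\t'],
};

const OversizedStringStrategy: FuzzStrategy = {
  id: 'OversizedString',
  appliesTo: new Set<DetectedInputType>(['text', 'email', 'password', 'textarea']),
  values: (_f, intensity) => {
    const len = { low: 256, medium: 1024, high: 10000 }[intensity];
    const ascii = 'A'.repeat(len);
    if (intensity !== 'high') return [ascii];
    // high: same count of visible characters, but "e" + combining acute is
    // 2 code points / 3 bytes each, and the emoji (written as a surrogate
    // pair) is 4 bytes each, so byte limits and character limits disagree.
    return [ascii, 'e\u0301'.repeat(len / 2), '\uD83D\uDE00'.repeat(len)];
  },
};

const SpecialCharsStrategy: FuzzStrategy = {
  id: 'SpecialChars',
  appliesTo: new Set<DetectedInputType>(['text', 'email', 'search', 'textarea']),
  values: () => ["' OR 1=1 --", '<script>alert(1)</script>', '../../etc/passwd', '${7*7}', '\x00\x01\x02'],
};

const MISMATCH: Partial<Record<DetectedInputType, string[]>> = {
  email: ['not-an-email', '12345', '@@@'],
  number: ['abc', '-999999', '9.9.9', 'NaN'],
  date: ['yesterday', '32/13/2025', '0000-00-00'],
  url: ['javascript:alert(1)', 'not a url'],
  phone: ['000', '++++', 'abcdefghij'],
};
const TypeMismatchStrategy: FuzzStrategy = {
  id: 'TypeMismatch',
  appliesTo: new Set(Object.keys(MISMATCH) as DetectedInputType[]),
  values: (f) => MISMATCH[f.type] ?? [],
};

const BOUNDARY: Partial<Record<DetectedInputType, string[]>> = {
  number: ['0', '-1', '2147483647', '2147483648', '-2147483648'],
  date: ['1900-01-01', '2099-12-31', '1970-01-01'],
};
const BoundaryValueStrategy: FuzzStrategy = {
  id: 'BoundaryValue',
  appliesTo: new Set(Object.keys(BOUNDARY) as DetectedInputType[]),
  values: (f) => BOUNDARY[f.type] ?? [],
};

// Step 2: which strategies run at each intensity.
function selectStrategies(intensity: FuzzingIntensity): FuzzStrategy[] {
  const chosen = [EmptyValueStrategy, TypeMismatchStrategy];
  if (intensity !== 'low') chosen.push(OversizedStringStrategy, BoundaryValueStrategy);
  if (intensity === 'high') chosen.push(SpecialCharsStrategy);
  return chosen;
}

interface Submission { strategy: string; values: Record<string, string>; }

// Step 3: one submission per value round. Every field the strategy applies
// to is fuzzed in the same round; fields it does not apply to keep their
// known-valid value so a rejection can be attributed to the fuzzed ones.
function buildFuzzPlan(fields: FormField[], intensity: FuzzingIntensity): Submission[] {
  const plan: Submission[] = [];
  for (const s of selectStrategies(intensity)) {
    const perField = fields.map((f) => ({
      f,
      vals: s.appliesTo === 'all' || s.appliesTo.has(f.type) ? s.values(f, intensity) : [],
    }));
    const rounds = Math.max(0, ...perField.map((p) => p.vals.length));
    for (let i = 0; i < rounds; i++) {
      const values: Record<string, string> = {};
      for (const { f, vals } of perField) {
        values[f.name] = vals.length > 0 ? vals[i % vals.length] : f.validValue;
      }
      plan.push({ strategy: s.id, values });
    }
  }
  return plan;
}
```

For a three-field form (email, number, textarea) this yields 7 submissions at low, 13 at medium and 20 at high; a strategy that applies to none of the form's fields contributes zero rounds rather than a pointless submission of all-valid values.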
## AnomalyDetector additions for fuzzing

Add these new anomaly types:

- `validation_bypass` — server accepted clearly invalid input (e.g. submitted empty required email, got 200)
- `server_error_on_fuzz` — server returned 500 on a fuzzed input
- `xss_reflection` — fuzzed script tag appears in response body

Two checks keep these from being noisy. A 200 is not by itself acceptance: many
applications re-render the form with an inline "Email is required" message and
still return 200, so `validation_bypass` should also require the absence of an
error indicator in the response (or positive evidence, such as a redirect to a
success page). For `xss_reflection`, the match must be against the unencoded
payload: `&lt;script&gt;` in the body is the correctly escaped case. The payload
should also carry a per-submission marker, so a `<script>` tag that was already
on the page is not counted as a reflection.

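The three checks above with the two caveats applied, as an added example that is not ABE's AnomalyDetector. The `FuzzResult` shape, the rejection-indicator list and the marker scheme are assumptions for this example; the responses it is meant to run over are whatever the crawler captured after a submission.

```typescript
// Added example, not ABE's own AnomalyDetector. FuzzResult, the rejection
// indicators and the marker scheme are assumptions made for this example.

type FuzzAnomaly = 'validation_bypass' | 'server_error_on_fuzz' | 'xss_reflection';

interface FuzzedField {
  name: string;
  value: string;      // the fuzz value that was submitted
  required: boolean;  // assumed: recorded from required / aria-required
}

interface FuzzResult {
  strategy: string;     // e.g. 'EmptyValue', 'TypeMismatch', 'SpecialChars'
  status: number;       // HTTP status of the response to the submission
  body: string;         // response body (or the post-submit DOM, serialized)
  fuzzedFields: FuzzedField[];
}

// Phrases that mean "rejected" even when the status is 200. Heuristic and
// assumed; tune per target application.
const REJECTION_INDICATORS: RegExp[] = [
  /\brequired\b/i, /\binvalid\b/i, /\bnot (a )?valid\b/i, /\bmust be\b/i, /\berror\b/i,
];

function looksRejected(body: string): boolean {
  return REJECTION_INDICATORS.some((re) => re.test(body));
}

// The script payload carries a marker unique to this submission, so only
// this payload, echoed unencoded, counts as a reflection. A <script> that
// was already on the page, or an escaped copy (&lt;script&gt;), does not.
function xssPayload(marker: string): string {
  return `<script>alert('${marker}')</script>`;
}

// "Clearly invalid" in the sense of the spec: an empty or whitespace-only
// value in a required field, or a TypeMismatch value in a typed field.
function clearlyInvalid(r: FuzzResult): boolean {
  if (r.strategy === 'TypeMismatch') return r.fuzzedFields.length > 0;
  return r.fuzzedFields.some((f) => f.required && f.value.trim() === '');
}

function detectFuzzAnomalies(r: FuzzResult): FuzzAnomaly[] {
  const found: FuzzAnomaly[] = [];

  if (r.status >= 500) found.push('server_error_on_fuzz');

  // A 2xx with no rejection text is treated as acceptance; a 200 that
  // re-renders "Email is required" is not a bypass.
  const accepted = r.status >= 200 && r.status < 300 && !looksRejected(r.body);
  if (accepted && clearlyInvalid(r)) found.push('validation_bypass');

  // Only the raw, unencoded payload counts; includes() on the exact string
  // fails for the escaped form because '<' became '&lt;'.
  if (r.fuzzedFields.some((f) => f.value.startsWith('<script>') && r.body.includes(f.value))) {
    found.push('xss_reflection');
  }
  return found;
}
```

The rejection indicators are a deliberately blunt heuristic; for a specific target it is better to replace them with the application's actual error markup (an error class or an `aria-invalid` attribute) than to grow the word list.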
## Integration point

FuzzingEngine is called from ExplorationEngine AFTER normal action discovery,
only when `config.fuzzingEnabled === true`.

It is passed as an optional plugin, so the core engine doesn't depend on it directly.