Furlzz is a small fuzzer written to test out iOS URL schemes. It does so by attaching to the application using Frida and based on the input/seed it mutates the data and tries to open the mutated URL.
Furlzz works in-process, meaning you aren’t actually opening the URL using apps such as SpringBoard. furlzz supports universal links which are being used with scene:continueUserActivity
.
Download prebuilt binaries from here or do it manually.
To manually install furlzz, do:
go install github.com/nsecho/furlzz@latest
$ furlzz fuzz --help
Fuzz URL scheme
Usage:
furlzz fuzz [flags]
Flags:
-a, --app string Application name to attach to (default "Gadget")
-b, --base string base URL to fuzz
-c, --crash ignore previous crashes
-d, --delegate string if the method is scene_activity, you need to specify UISceneDelegate class
-f, --function string apply the function to mutated input (url, base64)
-h, --help help for fuzz
-i, --input string path to input directory
-m, --method string method of opening url (delegate, app) (default "delegate")
-r, --runs uint number of runs
-s, --scene string scene class name
-t, --timeout uint sleep X seconds between each case (default 1)
-u, --uiapp string UIApplication name
There are basically two ways you can go with fuzzing using furlzz
:
--base
) with FUZZ
keyword in it along with --input
directory containing inputsFUZZ
keyword which would fuzz the raw base url passed (less efficient)furlzz supports two post-process methods right now; url and base64. The first one does URL encode on the mutated input while the second one generates base64 from it.
frida-trace
for example)furlzz fuzz
--function url
furlzz crash
passing created session and crash filesinsert
– inserts random byte at random location inside the inputdel
– deletes random bytesubstitute
– substitute byte at random position with random bytebyteOp
– takes random byte and random position inside the string and do arithmetic operation on them (+, -, *, /)duplicateRange
– duplicates random range inside the original string random number of timesbitFlip
– flips the bit at random position inside random location inside inputbitmask
– applies random bitmask on random location inside the stringduplicate
– duplicates original string random number of times (2 < 10)multiple
– run other mutations random number of timesRight now furlzz supports two methods of opening URLs:
delegate
when the application uses -[AppDelegate application:openURL:options:]
app
when the application is using -[UIApplication openURL:]
scene_activity
– when the application is using -[UISceneDelegate scene:continueUserActivity]
scene_context
when the application is using -[UISceneDelegate scene:openURLContexts:]
scene_activity
you need to pass the UISceneDelegate
class namedelegate
you need to pass the AppDelegate
class namescene_context
you need to pass UISceneDelegate
class namePRs are more than welcome to extend any functionality inside the furlzz
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…