Cyber security

Furlzz – Advanced iOS URL Scheme Fuzzing Made Easy

Furlzz is a small fuzzer written to test out iOS URL schemes. It does so by attaching to the application using Frida and based on the input/seed it mutates the data and tries to open the mutated URL.

Furlzz works in-process, meaning you aren’t actually opening the URL using apps such as SpringBoard. furlzz supports universal links which are being used with scene:continueUserActivity.

Installation

Download prebuilt binaries from here or do it manually.

To manually install furlzz, do:

  • Follow the instructions for devkit documented here
  • Run go install github.com/nsecho/furlzz@latest

Usage

$ furlzz fuzz --help
Fuzz URL scheme

Usage:
  furlzz fuzz [flags]

Flags:
  -a, --app string        Application name to attach to (default "Gadget")
  -b, --base string       base URL to fuzz
  -c, --crash             ignore previous crashes
  -d, --delegate string   if the method is scene_activity, you need to specify UISceneDelegate class
  -f, --function string   apply the function to mutated input (url, base64)
  -h, --help              help for fuzz
  -i, --input string      path to input directory
  -m, --method string     method of opening url (delegate, app) (default "delegate")
  -r, --runs uint         number of runs
  -s, --scene string      scene class name
  -t, --timeout uint      sleep X seconds between each case (default 1)
  -u, --uiapp string      UIApplication name

There are basically two ways you can go with fuzzing using furlzz:

  • give base URL (--base) with FUZZ keyword in it along with --input directory containing inputs
  • just give base URL without FUZZ keyword which would fuzz the raw base url passed (less efficient)

furlzz supports two post-process methods right now; url and base64. The first one does URL encode on the mutated input while the second one generates base64 from it.

Fuzzing

  1. Figure out the method of opening URLs inside the application (with frida-trace for example)
  2. Find out base url
  3. Create some inputs
  4. Pass the flags to furlzz fuzz
  5. Most of the time, values have to be URL encoded, so use --function url
  6. Adjust timeout if you would like to go with slower fuzzing
  7. If the crash happen, replay it with furlzz crash passing created session and crash files

Mutations

  • insert – inserts random byte at random location inside the input
  • del – deletes random byte
  • substitute – substitute byte at random position with random byte
  • byteOp – takes random byte and random position inside the string and do arithmetic operation on them (+, -, *, /)
  • duplicateRange – duplicates random range inside the original string random number of times
  • bitFlip – flips the bit at random position inside random location inside input
  • bitmask – applies random bitmask on random location inside the string
  • duplicate – duplicates original string random number of times (2 < 10)
  • multiple – run other mutations random number of times

URL Open Methods

Right now furlzz supports two methods of opening URLs:

  • delegate when the application uses -[AppDelegate application:openURL:options:]
  • app when the application is using -[UIApplication openURL:]
  • scene_activity – when the application is using -[UISceneDelegate scene:continueUserActivity]
  • scene_context when the application is using -[UISceneDelegate scene:openURLContexts:]

Additional Flags

  • For the method of scene_activity you need to pass the UISceneDelegate class name
  • For the method of delegate you need to pass the AppDelegate class name
  • For the method of scene_context you need to pass UISceneDelegate class name

PRs are more than welcome to extend any functionality inside the furlzz

Varshini

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

15 hours ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

15 hours ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

3 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

5 days ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago