Furlzz is a small fuzzer written to test out iOS URL schemes. It does so by attaching to the application using Frida and based on the input/seed it mutates the data and tries to open the mutated URL.
Furlzz works in-process, meaning you aren’t actually opening the URL using apps such as SpringBoard. furlzz supports universal links which are being used with scene:continueUserActivity
.
Download prebuilt binaries from here or do it manually.
To manually install furlzz, do:
go install github.com/nsecho/furlzz@latest
$ furlzz fuzz --help
Fuzz URL scheme
Usage:
furlzz fuzz [flags]
Flags:
-a, --app string Application name to attach to (default "Gadget")
-b, --base string base URL to fuzz
-c, --crash ignore previous crashes
-d, --delegate string if the method is scene_activity, you need to specify UISceneDelegate class
-f, --function string apply the function to mutated input (url, base64)
-h, --help help for fuzz
-i, --input string path to input directory
-m, --method string method of opening url (delegate, app) (default "delegate")
-r, --runs uint number of runs
-s, --scene string scene class name
-t, --timeout uint sleep X seconds between each case (default 1)
-u, --uiapp string UIApplication name
There are basically two ways you can go with fuzzing using furlzz
:
--base
) with FUZZ
keyword in it along with --input
directory containing inputsFUZZ
keyword which would fuzz the raw base url passed (less efficient)furlzz supports two post-process methods right now; url and base64. The first one does URL encode on the mutated input while the second one generates base64 from it.
frida-trace
for example)furlzz fuzz
--function url
furlzz crash
passing created session and crash filesinsert
– inserts random byte at random location inside the inputdel
– deletes random bytesubstitute
– substitute byte at random position with random bytebyteOp
– takes random byte and random position inside the string and do arithmetic operation on them (+, -, *, /)duplicateRange
– duplicates random range inside the original string random number of timesbitFlip
– flips the bit at random position inside random location inside inputbitmask
– applies random bitmask on random location inside the stringduplicate
– duplicates original string random number of times (2 < 10)multiple
– run other mutations random number of timesRight now furlzz supports two methods of opening URLs:
delegate
when the application uses -[AppDelegate application:openURL:options:]
app
when the application is using -[UIApplication openURL:]
scene_activity
– when the application is using -[UISceneDelegate scene:continueUserActivity]
scene_context
when the application is using -[UISceneDelegate scene:openURLContexts:]
scene_activity
you need to pass the UISceneDelegate
class namedelegate
you need to pass the AppDelegate
class namescene_context
you need to pass UISceneDelegate
class namePRs are more than welcome to extend any functionality inside the furlzz
AutoExif is a powerful Bash script designed to streamline the process of editing image metadata…
SimpleImager V4.3, your go-to tool for streamlined system imaging and data acquisition. Designed to simplify…
MetaOSINT enables open source intelligence ("OSINT") practitioners to jumpstart their investigations by quickly identifying relevant,…
ThreatPinch Lookup creates informational tooltips when hovering oven an item of interest on any website.…
Myself and any other potential contributors to this website are NOT in any way affiliated…
The Mobile Evidence Acquisition Toolkit designed by BlackStone Discovery. Developed to enhance digital forensics, this…