Firefly: a smart black-box fuzzer for web applications testing
February 10, 2023
Firefly is a tool developed to perform advanced black-box fuzzing. Black box fuzzing is a way to test a system by sending different payloads without having knowledge of the internal structure of the system. Using this technique, it is easier to determine how a system works by analysing different response behaviours the system provides.
Detection of target behaviour
In the verification process, Firefly sends a basic payload to illustrate a normal request to the target several times depending on the user’s configurations. When the response from the target comes back, Firefly stores the response data and prepares an analysis process. The analysis process collects the response words, lines, headers, payload reflections, dynamic lines and HTML tags/attributes. For each response, all these factors are stored in memory.
Firefly uses a number of different techniques and factors to detect behaviours. All available features, including the documentation, can be found on the official Firefly GitHub page.
- Verification of the original target behaviour(s) by analysing the content of multiple responses.
- Compare response differences.
- Analyses responses with a large number of keywords (e.g. errors, regex, keywords etc…).
- Detect changes as requested payloads are reflected in responses and modified (e.g. through normalization and transformations).
When the fuzzing process starts, the new intercepted response is analysed and, if the data stored from the verified responses does not match the current fuzzed response, Firefly starts a difference scan. This scan allows Firefly to detect a new behaviour in a static/dynamic web application by using the collected responses from the verification process and comparing them with each other to exclude dynamic elements.
The result of this process allows Firefly to later detect new behaviours and differences when the fuzzing process is running (this can be seen in the section Process Flow Diagram).
Payload modifications and transformations
The most important part of a fuzzing tool is the payloads that are used to perform all tests against the web application. Firefly has built-in standard wordlists that offer payloads and patterns used in the fuzzing process. These wordlists are great and can be customised by the user.
The payloads within Firefly can be customised by using encoding, tampering and regex rules.
Example of a basic wordlist that is being customised:
'">z 1=(sleep(4)) \")z\
Firefly payload customisation:
Command: firefly -show-payload -w wordlist.txt:fuzz -tamper c2r -payload-replace '\d => 13*37'
Tamper: c2r stands for case2random and randomize all letters in the payloads to uppercase or lowercase.
Payload-replace: Uses regexp (Golang regexp) to replace patterns in each payload. This regex takes any digit (\d) and replace it ( => ) with 13*37.
'">z 13*37=(sLEeP(13*37)) \")Z\
These payload modifications are very useful for detecting backend functions, normalisations and/or bypassing security filters used by the system.
Beside the regular payloads that are stored within a wordlist and added by the user, Firefly uses transformation payloads. This payloads are stored in a YAML file and can be customised by the user. This payloads are used to detect transformations done by the target and they are compared to an expected transformation provided by the user. If a transformation is successful, the user is displayed and informed by Firefly.
These transformations can be used in future payloads to bypass filters and/or web application firewalls (WAFs).
Pattern and Reflection gathering
Several types of lists can be used to collect keywords, regex and trace errors. These lists are fully customizable by the user and are used in all intercepted responses from the target.
A task within the verification process extracts the reflected payloads in the response by using a payload containing a known prefix and suffix. This improves the detection of reflected user input and allows Firefly to know the amount of reflections and also the default positions of the payload.
Process Flow Diagram
Input & Configuration
Firefly receives the custom user input (Golang flags) and validates their values. Once the input is validated, Firefly configures the input values so that they are ready for future processes.
The verification process discovers the default behaviours. This includes normal responses, dynamic content, reflected input and special char encoding/filtering.
Performing tests against the target using requests containing payloads. These requests are based on the payloads provided by the user together with the built-in payloads offered by Firefly, which are used to detect new behaviours of the target.
An engine starts for each incoming response. The engine starts several tasks with a unique purpose that analyzes the response. Each of these tasks uses gorutines to improve performance, and when all tasks are complete, the engine associated with the response identity collects all results from all tasks and adds them to a single Golang channel.
When a response has been analysed and is finished, the results are displayed in the command-line interface (CLI) and/or sent out to a file.
Now that you have a good understanding of how Firefly works and how you can use it, you’re ready to get your hands dirty and fuzz the web for juicy vulnerabilities!