furlzz is a small fuzzer written to test out iOS URL schemes.
It does so by attaching to the application using Frida and based on the input/seed it mutates the data
and tries to open the mutated URL. furlzz works in-process, meaning you aren't actually opening
the URL using apps such as SpringBoard. furlzz supports universal links which are being used with
scene:continueUserActivity and application:continueUserActivity. On some applications it is worth trying to use app as method for custom links, because that
can work as well.
Download prebuilt binaries from here or do it manually.
To manually install furlzz, do:
- Follow the instructions for devkit documented here
- Run
go install github.com/nsecho/furlzz@latest
- Run
furlzz initwith optional-coutput filename and-tURL opening method. To see the full list of methods, keep reading below. - Edit the config file
- Prepare inputs
- Run
furlzz fuzz -c /path/to/your/config/file
$ furlzz --help
Fuzz iOS URL schemes
Usage:
furlzz [command]
Available Commands:
crash Run the application with crash
fuzz Fuzz URL scheme
help Help about any command
init Initialize a new furlzz project
Flags:
-h, --help help for furlzz
Use "furlzz [command] --help" for more information about a command.- Figure out the method of opening URLs inside the application (with
frida-tracefor example) - Find out base url
- Create inputs
- Edit config file
- If the crash happen, replay it with
furlzz crashpassing created session and crash files
insert- inserts random byte at random location inside the inputdel- deletes random bytesubstitute- substitute byte at random position with random bytebyteOp- takes random byte and random position inside the string and do arithmetic operation on them (+, -, *, /)duplicateRange- duplicates random range inside the original string random number of timesbitFlip- flips the bit at random position inside random location inside inputbitmask- applies random bitmask on random location inside the stringduplicate- duplicates original string random number of times (2 < 10)multiple- run other mutations random number of times
Right now furlzz supports a couple of methods of opening URLs:
delegatewhen the application uses-[AppDelegate application:openURL:options:]applicationwhen the application is using-[UIApplication openURL:]scene_activity- when the application is using-[UISceneDelegate scene:continueUserActivity]- Universal Linksscene_contextwhen the application is using-[UISceneDelegate scene:openURLContexts:]delegate_activitywhen the application is using-[AppDelegate application:continueUserActivity:restorationHandler]- Universal Links
PRs are more than welcome to extend any functionality inside the furlzz