CakeFuzzer

The ultimate web application security testing tool for CakePHP-based web applications. CakeFuzzer employs a predefined set of attacks that are randomly modified before execution. Leveraging its deep understanding of the Cake PHP framework, Cake Fuzzer launches attacks on all potential application entry points.
CakeFuzzer logo

Here is the markdown description:

CakeFuzzer

===============

Latest release: 1.0

ISP we recommend running the following after every execution of the fuzzer:

sudo chown -R www-data:www-data /var/www/MISP/app/tmp/logs/

Once your scan finishes, revert the instrumentation:

python cake_fuzzer.py instrument revert

To Run Again

To run Cake Fuzzer again, do the following:

  • Delete Applications Logs (as an example, MISP logs stored /var/www/MISP/app/tmp/logs)
rm /var/www/MISP/app/tmp/logs/*
  • Delete All Files Inside of /cake_fuzzer/databases folder
rm /cake_fuzzer/databases/*
  • Delete cake_fuzzer/results.json file (Firstly do not forget to save or examine previous scan results)
rm cake_fuzzer/results.json
  • Finally follow previous running process again with 3 terminals

FAQ / Troubleshooting


Attack Queue seems like doing nothing

Attack queue marks executed attacks in the database as 'executed' so to run whole suite again you need to remove the database and add attacks again.

Make sure to kill monitors and attack queues before removing the database.

rm database.db*
python cake_fuzzer.py run fuzzer
python cake_fuzzer.py run attack_queue

Target app does not save logs to log files

This is likely due to the fact that the previous log files were overwritten by root. Cake Fuzzer operates as root so new log files will be created with the root as the owner. Remove them:

chmod -R a+w /var/www/MISP/app/tmp/logs/*

No files in /cake_fuzzer dir of a VM after a reboot

If you use VM with sharing cake fuzzer with your host machine, make sure that the host directory is properly attached to the guest VM:

sudo vmhgfs-fuse .host:/cake_fuzzer /cake_fuzzer -o allow_other -o uid=1000

Target app crashes after running Cake Fuzzer

Cake Fuzzer has to be located under the root directory of the machine and the base directory name should be cake_fuzzer specifically.

mv CakeFuzzer/ /cake_fuzzer

"Patch" errors while runing instrument apply

Instrumentation proccess is a part of Cake Fuzzer execution flow. When you run instrument apply followed by instrument check, both of these commands should result in the same number of changes.

If you get any "patch" error, you could apply patches manually and delete problematic patch file. Patches are located under the /cake_fuzzer/cakefuzzer/instrumentation/patches directory.


Dependency errors

While installing or running if you have python dependency error, manually install dependencies after switching to virtual environment.

First switch to the virtual environment:

source venv/bin/activate

After that you can install dependecies with pip3.

pip3 install -r requirements.txt




> Visit CakeFuzzer Website <
Best Search
Popular Tags