Sorrow - A fuzzing library that allows for creating malicious payloads.

Sorrow – A fuzzing library that allows for creating malicious payloads.

Sorrow is Joi’s evil twin. It exists to create malicious payloads based on Joi validator schemas that will pass said validators.

+ Sorrow has two primary components: A generational “dumb” fuzzer, and the mutational “smart” fuzzer Surku.
+ The generational fuzzer generates seed data based on data types, which is then run through the mutational fuzzer to help compensate for some of the limitations of fuzzing with a set of static strings. It creates a starting point for machine learning, to reduce some of the time and complexity that would be required to end up generating the same data via a purely mutational approach.

+ Each type gets it’s own seperate mutator instance, which over time allows it to recognize patterns from each type and create more consistent and “smart” payloads. The more iterations that are run, the more accurate it becomes.
+ Sorrow is highly extendable, and I hope that you contribute to the project by doing just that. You can extend the generational fuzzer by adding additional payload strings to the configuration objects in vectors.js. If there is a missing target context, it’s pretty easy to add an additional one: you define an array of strings and a name – very simple.

Useful when testing for injection vulnerabilities. Included target contexts are:
– Javascript ( Server/Client Side )
– SQL ( MySQL, Oracle, Postgres )
– OS command injection (bash, powershell, etc)
– Buffer Overflows
– Format Strings
– Integer overflows

Sync “shorthand” API:

Async/Sync API:

Where ‘type’ is one of:
– string
– number
– date
– binary
– object
– boolean
– array
– any
The async API functions aren’t purely asynchronous, as sorrow is performing a huge amount of computations internally and therefore can easily block the event loop. Even so, it does offer a decent performance increase. The async API also has the ability to perform purely mutational fuzzing, rather than relying on a builtin set of attack vectors. To use the module in this way, call sorrow like this:

Usage :

on the server:

on the browser :

Download :  | Clone Url
Source :