How to Set Up a Project for Fuzzing Java Methods Directly
This guide describes in-process fuzzing of Java methods. If you want to fuzz Java web applications through HTTP requests, please refer to Project Setup (JVM-based web applications).
Download an Example Project
First you have to start the ci-daemon. Open a new terminal and start it with:
Running the ci-daemon as root is not recommended since it can lead to problems when VS Code tries to connect to it. Furthermore, it is a good security practice to run software with the least privilege.
In this tutorial we are going to fuzz Apache commons imaging. It is an open source library.
Download it via git:
git clone git@github.com:apache/commons-imaging.git
Creating the project
To set up fuzzing for Java with CI Fuzz, open the project in VS Code.
If you have our extension installed, you can open it by clicking on our logo in the left sidebar. This takes you from VS Code's file browser sidebar to the CI Fuzz sidebar:
From here you can create the fuzzing project with a click on "Create Fuzzing Project".
Leave "Setup Project for Web Application Fuzzing" unselected.
CI Fuzz automatically detects most current build systems that can build Java applications, including Maven, Gradle and Ant. If it recognizes a build system, it offers to automatically create a script that builds the project with sensible defaults.
The role of this build script is to give CI Fuzz the instructions to compile, with instrumentation, all the jars that contain the methods you want to fuzz. These instrumented jars are needed later when running a fuzz test.
Even if the build system is not detected, you can enter the steps needed to build the project manually.
In the next step you also need to provide the name of a Docker image, which allows CI Fuzz to create containers in which the fuzzing project and fuzz tests are built and run. This image must contain all the build dependencies.
In case of commons-imaging, we provide an image that can be used:
Alternatively, local mode creates distroless Docker containers that use the dependencies installed on your system.
Additional Docker volume mounts in the Advanced Settings section let you mount files and directories from your local filesystem inside the Docker container used for building and fuzzing your project. WARNING: this only works when you are fuzzing on your own computer. It will not work if you load your fuzzing project in the CI Fuzz Web Interface for continuous fuzzing.
Initializing the project
Once all the steps to build the project have been indicated, it is time to initialize the project. In this step, we are simply building the project once, without any modification. This allows us to identify which parts of the code end up in which jar files and helps us to automatically detect the different endpoints defined in the code that can be tested with CI Fuzz. This is a lengthy process that could take a few minutes to complete.
To run the initialization, click on the Submit button below the docker configuration options.
Depending on the size of your project, this might take a while, since we are building the whole project by default. You can of course disable compilation of parts of the code that are not relevant for the fuzz tests, like already existing unit tests. For Maven, this can be done by adding "-DskipTests" to the mvn call.
Fixing the build
The build now fails because of release audit errors. Since this build is only used for fuzzing and not for a release, we can disable those checks. Go back to the "build setup" step and modify the build script:
Now you should get this popup:
Congratulations! Now learn how to Create a Java API Fuzz Test.