
Java - Corner Cases

How to Deal With Difficult Java Fuzzing Scenarios

Beta Content Warning

This article explains functionality that is in active development. It may be incomplete and subject to change in the future.

Applications using OSGi

Example with Apache Karaf:

These applications can be fuzzed by adding the following environment variable in the environment where Karaf will be started:

export KARAF_OPTS="-javaagent:/opt/ci-2.18.1-750-g070d41dbc/lib/code-intelligence/web_app_agent_deploy.jar=instrumentation_includes=com.your.package.**,fuzzing_server_host=172.0.0.1 -Dorg.osgi.framework.bootdelegation=com.code_intelligence.*"

You will have to adjust instrumentation_includes to reflect the packages used by your application. Packages that match this pattern will be instrumented (which means that fuzz targets will be able to gather coverage feedback from them). The -Dorg.osgi.framework.bootdelegation=com.code_intelligence.* setting is needed because OSGi bundles have their own class loaders: instrumented bundle code calls into the agent's runtime classes, and boot delegation lets those calls resolve through the boot class loader instead of failing inside the bundle's class loader.

Also adjust the path to the Java agent to reflect your version of CI Fuzz, and set fuzzing_server_host to the address at which ci-daemon is reachable if you are running Karaf in a different environment (for example another container) than ci-daemon.

If you set this variable in the environment section of a docker compose file, don't wrap the value in shell-style quotes: compose passes the value literally, so the quote characters would become part of the JVM options.

Java API Fuzz tests - missing Java classes/jars

Sometimes fuzzing an application through HTTP requests is not a suitable approach (for example, the data in the HTTP requests is encoded or encrypted, which significantly lowers the chance of the fuzzer producing a valid input). In that case, you can fuzz a Java method directly. Select Java API fuzz test when creating a fuzz test.

Give it a helpful name.

In "Instrumentation filters", select the package pattern that will cover all code you wish to find bugs in.

In the JARs list, select all the jars that contain classes needed to run the Java method you want to fuzz. All the jars need to be in your project directory, or must be produced when your build script runs.

Spring Boot warning: When you package a Spring Boot application, the resulting executable jar stores the application classes under BOOT-INF/classes instead of at the root of the jar, and nests the dependency jars under BOOT-INF/lib, so the fuzz test cannot load classes from it directly. To solve this, add the following to your build script, after compilation; the application classes then live under jar_extracted/BOOT-INF/classes and the dependency jars under jar_extracted/BOOT-INF/lib:

mkdir -p jar_extracted && cd jar_extracted
jar xf ../<rel_path_to_spring_boot_jar>
cd ..

You can also find a jar file with normal paths to classes in:

~/.local/share/code-intelligence/projects/<your project>/plain/target

Then click "Save" and "Go to file". A minimal fuzz target source will be generated, which contains the fuzzerTestOneInput method, public static void fuzzerTestOneInput(byte[] data).

This method is called once per input the fuzzer sends to your method, with that input as a byte array. If you need to create some objects before fuzzing starts, add this method, which is called once before the first input:

// Runs once before the first call to fuzzerTestOneInput.
public static void fuzzerInitialize(String[] fuzzerArgs) {
}

Use the input byte array in fuzzerTestOneInput to construct an object that can be passed to the method you want to fuzz, and then call that method. Let unexpected exceptions propagate, since an uncaught exception is what the fuzzer reports as a finding; catch only the exceptions the method is documented to throw for invalid input, so that they are not reported as false positives. Add all the necessary imports.

Here is a simple example of how to fuzz a method in the Spring Boot Petclinic application.
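As an added example (not the page's Petclinic code and not generated by CI Fuzz), the following complete Java API fuzz target shows the fuzzerInitialize/fuzzerTestOneInput convention described above applied to a hypothetical method. The class under test, KeyValueParser, is an assumption defined inside the file so that it compiles on its own; in a real project you would import the method from your application's jar instead. It converts the fuzzer's bytes into the String the method expects, swallows only the exception the method documents for malformed input, and checks a round-trip invariant so that a wrong result is reported even when nothing throws. The main method is only a stand-alone smoke run on constructed inputs; the fuzzer itself calls the two fuzzer* methods.

```java
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

public class KeyValueParserFuzzTest {

    /**
     * Hypothetical code under test (defined here only to keep the example
     * self-contained). Parses "key=value;key=value" into a map and rejects
     * malformed input with IllegalArgumentException, its documented contract.
     */
    static final class KeyValueParser {
        static Map<String, String> parse(String input) {
            Map<String, String> result = new HashMap<>();
            if (input.isEmpty()) {
                return result;
            }
            for (String pair : input.split(";", -1)) {
                int eq = pair.indexOf('=');
                if (eq <= 0) {
                    throw new IllegalArgumentException("malformed pair: " + pair);
                }
                result.put(pair.substring(0, eq), pair.substring(eq + 1));
            }
            return result;
        }

        static String serialize(Map<String, String> map) {
            StringBuilder sb = new StringBuilder();
            for (Map.Entry<String, String> e : map.entrySet()) {
                if (sb.length() > 0) {
                    sb.append(';');
                }
                sb.append(e.getKey()).append('=').append(e.getValue());
            }
            return sb.toString();
        }
    }

    private static Map<String, String> defaults;

    // Called once before the first input: build shared or expensive objects here.
    public static void fuzzerInitialize(String[] fuzzerArgs) {
        defaults = new HashMap<>();
        defaults.put("mode", "safe");
    }

    // Called once per input. Turn the raw bytes into the argument the method
    // under test expects, call it, and let any unexpected exception propagate:
    // that uncaught exception is the finding the fuzzer reports.
    public static void fuzzerTestOneInput(byte[] data) {
        String input = new String(data, StandardCharsets.UTF_8);
        Map<String, String> parsed;
        try {
            parsed = KeyValueParser.parse(input);
        } catch (IllegalArgumentException expected) {
            // Documented rejection of invalid input: not a bug, so do not let
            // the fuzzer report it as a crash.
            return;
        }
        // Invariant oracle: parsing the serialized form must give the same map.
        // A violation is a finding even though nothing threw.
        Map<String, String> merged = new HashMap<>(defaults);
        merged.putAll(parsed);
        Map<String, String> roundTrip = KeyValueParser.parse(KeyValueParser.serialize(merged));
        if (!roundTrip.equals(merged)) {
            throw new IllegalStateException("round trip mismatch for input: " + input);
        }
    }

    // Stand-alone smoke run without the fuzzer, using constructed inputs.
    public static void main(String[] args) {
        fuzzerInitialize(args);
        fuzzerTestOneInput("a=1;b=2".getBytes(StandardCharsets.UTF_8));          // valid
        fuzzerTestOneInput("no-equals-sign".getBytes(StandardCharsets.UTF_8));   // rejected, swallowed
        fuzzerTestOneInput(new byte[] {(byte) 0xff, (byte) 0xfe, '=', ';'});      // invalid UTF-8, then rejected
        System.out.println("smoke run finished");
    }
}
```

When adapting this to a real method, the only parts that change are the conversion from bytes to the method's argument type, the call itself, and the set of exceptions that count as expected; keep that set as small as the method's contract allows, because every exception you swallow is a class of bug the fuzzer can no longer see.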

Run the fuzz test.

If it starts but stops quickly without findings, read the fuzzing container logs; a missing class or jar usually shows up there as a ClassNotFoundException or NoClassDefFoundError naming the class.

If you get errors that some class cannot be found (during compilation or runtime), find the jar that contains the class in your project directory, or in this directory:

~/.local/share/code-intelligence/projects/<your project>/plain/

You can find the jar with this command. Note that jar -tf lists entries as paths, so write the class name in path form, with slashes and the .class suffix (for example com/example/Foo.class) rather than with dots:

for JAR in $(find . -iname '*.jar'); do
    if jar -tf "$JAR" | grep -q '<class that was not found>'; then
        echo "$JAR"
    fi
done

Then add it to the .yaml configuration file associated with your fuzz test, in the jars section:

Repeat this for each class reported as missing; this way it should be possible to solve all problems with missing classes and run the fuzz tests.