modules/fuzz/README.md

Apache Axis2/Java Fuzz Testing Module

Comprehensive fuzz testing for Axis2/Java parsers, mirroring the Axis2/C OSS-Fuzz approach.

Overview

This module provides Jazzer-compatible fuzz targets for security testing:

| Fuzzer | Component | Attack Vectors |
|---|---|---|
| XmlParserFuzzer | AXIOM/StAX | XXE, XML bombs, buffer overflows |
| JsonParserFuzzer | Gson | Deep nesting, integer overflow, malformed JSON |
| HttpHeaderFuzzer | HTTP headers | CRLF injection, header parsing |
| UrlParserFuzzer | URL/URI parsing | SSRF, path traversal, malformed URLs |

Running Fuzzers Locally

Prerequisites

# Install Jazzer
# Option 1: Download from GitHub releases
wget https://github.com/CodeIntelligenceTesting/jazzer/releases/download/v0.22.1/jazzer-linux.tar.gz
tar xzf jazzer-linux.tar.gz

# Option 2: Use Docker
docker pull cifuzz/jazzer

Build the Fuzz Module

cd /path/to/axis-axis2-java-core

# Build all modules first
mvn install -DskipTests

# Build the fuzz module
cd modules/fuzz
mvn package

Run Individual Fuzzers

# XML Parser Fuzzer
./jazzer --cp=target/axis2-fuzz-2.0.1-SNAPSHOT.jar \
    --target_class=org.apache.axis2.fuzz.XmlParserFuzzer \
    --instrumentation_includes=org.apache.axiom.** \
    -max_total_time=300

# JSON Parser Fuzzer
./jazzer --cp=target/axis2-fuzz-2.0.1-SNAPSHOT.jar \
    --target_class=org.apache.axis2.fuzz.JsonParserFuzzer \
    --instrumentation_includes=com.google.gson.** \
    -max_total_time=300

# HTTP Header Fuzzer
./jazzer --cp=target/axis2-fuzz-2.0.1-SNAPSHOT.jar \
    --target_class=org.apache.axis2.fuzz.HttpHeaderFuzzer \
    --instrumentation_includes=org.apache.axis2.** \
    -max_total_time=300

# URL Parser Fuzzer
./jazzer --cp=target/axis2-fuzz-2.0.1-SNAPSHOT.jar \
    --target_class=org.apache.axis2.fuzz.UrlParserFuzzer \
    --instrumentation_includes=org.apache.axis2.** \
    -max_total_time=300

Run with JUnit (Regression Testing)

The fuzzers can also be run as JUnit tests for CI integration:

mvn test -Djazzer.fuzz=true

Understanding Output

Successful Run

INFO: Seed: 1234567890
#1000000 DONE cov: 1234 ft: 5678 corp: 100/10Kb exec/s: 50000

Crash Found

== Java Exception: java.lang.OutOfMemoryError
    at org.apache.axiom.om.impl.builder.StAXOMBuilder.<init>
Crash file: crash-abc123def456

The crash file contains the input that triggered the bug. Reproduce with:

./jazzer --cp=target/axis2-fuzz-2.0.1-SNAPSHOT.jar \
    --target_class=org.apache.axis2.fuzz.XmlParserFuzzer \
    crash-abc123def456
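
The crash file reproduces the bug on its own because a Jazzer target is a single static method that receives the raw input bytes. The following is an added example, not this module's XmlParserFuzzer: the class name `ExampleStaxFuzzer` is hypothetical, it parses with the JDK's built-in StAX reader instead of AXIOM, and the hardened factory settings are an assumption about how the parser under test should be configured.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Hypothetical class for illustration; not org.apache.axis2.fuzz.XmlParserFuzzer.
public class ExampleStaxFuzzer {
    // Assumption: fuzz the parser as production code should configure it (no DTDs,
    // no external entities), so a finding means the hardened path still misbehaves.
    private static final XMLInputFactory FACTORY = newFactory();

    private static XMLInputFactory newFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Jazzer entry point: invoked once per generated (or replayed) input.
    public static void fuzzerTestOneInput(byte[] data) {
        XMLStreamReader reader = null;
        try {
            reader = FACTORY.createXMLStreamReader(new ByteArrayInputStream(data));
            while (reader.hasNext()) {
                reader.next(); // walk every event so the whole document is parsed
            }
        } catch (XMLStreamException expected) {
            // Malformed XML rejected cleanly by the parser: not a finding.
        } finally {
            if (reader != null) {
                try { reader.close(); } catch (XMLStreamException ignored) { }
            }
        }
        // Anything not caught above (OutOfMemoryError, StackOverflowError, any
        // RuntimeException) propagates, and Jazzer saves the input as a crash file.
    }

    // Replay saved inputs without Jazzer, for example under a debugger:
    //   java ExampleStaxFuzzer crash-abc123def456
    public static void main(String[] args) throws Exception {
        for (String path : args) {
            fuzzerTestOneInput(Files.readAllBytes(Paths.get(path)));
            System.out.println("no crash: " + path);
        }
    }
}
```

Catching only the parser's declared exception is what keeps the signal clean: a broader `catch (Exception e)` would hide exactly the unexpected failures the fuzzer exists to surface.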

Comparison with Axis2/C Fuzzers

| Axis2/C | Axis2/Java | Component |
|---|---|---|
| fuzz_xml_parser.c | XmlParserFuzzer.java | XML/AXIOM |
| fuzz_json_parser.c | JsonParserFuzzer.java | JSON |
| fuzz_json_reader.c | (integrated in JsonParserFuzzer) | JSON→XML |
| fuzz_http_header.c | HttpHeaderFuzzer.java | HTTP headers |
| fuzz_url_parser.c | UrlParserFuzzer.java | URL parsing |

Security Vulnerability Reporting

If fuzzing finds a security vulnerability:

  1. Do NOT open a public GitHub issue
  2. Report to Apache Security Team: security@apache.org
  3. Include:
    • Crash file (input that triggers the bug)
    • Stack trace
    • Axis2/Java version

Related Documentation