Fuzz iOS URL schemes with furlzz

Crashing Bear app with simple fuzzing

Posted by NSEcho on 2023-09-17 09:59:09


Today we will cover furlzz, an iOS URL scheme fuzzer I created. We will go over how to set it up and actually start fuzzing. This will be done against Bear 2.0.10, which had a simple bug that caused the application to crash.

Tracing URLs using frida-trace

The first step is to determine how the application actually opens URLs; we can do that with frida-trace. We need some legitimate URL that the application will open, and once we load that URL we look at the frida-trace output to see which method was used.

Run frida-trace -U Bear -m "*[* *openURL*]".

Tracing Bear

We can see that the URLs are opened using scene:openURLContexts:, which in furlzz terms is the scene_context method (-m flag). We can also see that the name of the delegate is Bear.SFDefaultSceneDelegate (-d flag).

We need to determine one more thing before we can start fuzzing: the name of the scene class. We can do that by editing the handler file that Frida created for that specific method.

Type the following to edit the file.

$ vim __handlers__/Bear.SFDefaultSceneDelegate/scene_openURLContexts_.js

Once the file is opened, we wrap args[2] in an ObjC.Object, print its description() converted to a string with toString(), and that is enough to see all the information we need.
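The edit described above, written out as an added example (this is not the handler from the original post or from furlzz). In Frida's ObjC calling convention args[0] is self and args[1] is the selector, so args[2] is the first real argument of scene:openURLContexts:, the UIScene whose description carries the class name. Inside the generated handler file only the two helpers and the onEnter body are needed, and ObjC is the global bridge Frida provides; the stand-in runtime at the bottom is constructed so the block also runs under plain Node.js, and the description string it returns is made up to mirror the shape of a real UIScene description.

```javascript
// Added example: logic for the onEnter callback of the frida-trace handler for
// -[Bear.SFDefaultSceneDelegate scene:openURLContexts:].

// Wrap a raw ObjC pointer in an ObjC.Object and return its -description as a
// JS string. `runtime` defaults to Frida's global ObjC bridge; a stand-in can
// be passed in when running outside Frida.
function describeObjCArg(rawPtr, runtime = globalThis.ObjC) {
  if (!runtime) {
    throw new Error('ObjC bridge not available; run this inside Frida');
  }
  const obj = new runtime.Object(rawPtr);
  // description() returns an NSString-backed ObjC.Object; toString() gives a JS string.
  return obj.description().toString();
}

// NSObject descriptions start with "<ClassName: 0xaddress ...>"; pull the class
// name out. Swift classes may show up with a module prefix (e.g. "Bear.X"),
// which is returned as-is so the reader sees the exact registered name.
function sceneClassName(description) {
  const m = /^<([^:\s>]+):/.exec(description);
  return m ? m[1] : null;
}

// Build the handler object frida-trace expects (onEnter/onLeave); the runtime is
// injectable only so the same code can be exercised outside Frida.
function makeHandler(runtime = globalThis.ObjC) {
  return {
    onEnter(log, args, state) {
      const desc = describeObjCArg(args[2], runtime);
      log(desc);
      log('scene class: ' + sceneClassName(desc));
    },
    onLeave(log, retval, state) {},
  };
}

// Constructed stand-in for the ObjC bridge (assumption: not a real Frida API).
const fakeObjC = {
  Object: class {
    constructor(ptr) { this.ptr = ptr; }
    description() {
      return {
        toString: () =>
          `<SFDefaultScene: ${this.ptr}; role: UIWindowSceneSessionRoleApplication>`,
      };
    }
  },
};

// Only run the demo when not under Frida (where the real bridge is present).
if (typeof ObjC === 'undefined') {
  const fakeArgs = [null, null, '0x1234'];   // self, selector, scene pointer
  makeHandler(fakeObjC).onEnter(console.log, fakeArgs, {});
}
```

Under Frida, drop the stand-in and call makeHandler() with no argument (or just paste the onEnter body into the generated handler); the second log line gives the scene class name directly. Frida's ObjC.Object also exposes the class name as obj.$className if you prefer not to parse the description.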

Bear editing handler

If we now open the URL, we see that the scene class is named SFDefaultScene.