Today we will cover the tool I have created, furlzz, which is an iOS URL scheme fuzzer. We will go over how to set it up and actually start fuzzing. This will be done on the Bear app 2.0.10, which had a simple bug that caused the application to crash.
Tracing URLs using frida-trace
The first step is to determine how the application actually opens URLs; we can do that using frida-trace. We need some legitimate URL that will be opened inside the application, and once we load that URL we will take a look at the frida-trace output to determine which method is used.
$ frida-trace -U Bear -m "*[* *openURL*]"
We can see that the URLs are opened using scene:openURLContexts and based on the
furlzz, that is the
-m flag). We can also see that the name of the delegate is
We need to determine one more thing before we can start fuzzing, and that is the name of the scene class. We can do that by editing the handler file that Frida has created for that specific method.
Type the following to edit the file.
$ vim __handlers__/Bear.SFDefaultSceneDelegate/scene_openURLContexts_.js
Once the file is opened, we will convert the scene argument to an ObjC.Object, print its description() and convert that to a string with toString(); that will be enough to see all the information that we need.
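As an added example (not the handler from the original post or from furlzz), here is one way the generated handler file can be rewritten to print the scene class and the URLs being delivered. It assumes the Frida 16 defineHandler format and Frida's ObjC interception convention where args[0] is self and args[1] the selector, so args[2] is the UIScene and args[3] the NSSet of UIOpenURLContext objects.

```javascript
// Added example: replacement body for
// __handlers__/Bear.SFDefaultSceneDelegate/scene_openURLContexts_.js
// Assumptions: Frida 16 `defineHandler` handler format; args[2] is the
// UIScene and args[3] the NSSet<UIOpenURLContext> (self and selector
// occupy args[0] and args[1] in Frida's ObjC interception).

// Pure helper: takes already-wrapped ObjC.Object instances, so the same
// logic can also be exercised outside the Frida agent with test doubles.
function summarizeOpenURL(scene, contexts) {
  const summary = {
    sceneClass: scene.$className,                    // the scene class name we are after
    sceneDescription: scene.description().toString(), // -[NSObject description] as a JS string
    urls: [],
  };
  // NSSet -> NSArray so it can be indexed; each element is a UIOpenURLContext.
  const arr = contexts.allObjects();
  const n = arr.count();
  for (let i = 0; i < n; i++) {
    const ctx = arr.objectAtIndex_(i);
    summary.urls.push(ctx.URL().absoluteString().toString());
  }
  return summary;
}

const handler = {
  onEnter(log, args, state) {
    const scene = new ObjC.Object(args[2]);
    const contexts = new ObjC.Object(args[3]);
    const s = summarizeOpenURL(scene, contexts);
    log(`-[${new ObjC.Object(args[0]).$className} scene:openURLContexts:]`);
    log(`scene class: ${s.sceneClass}`);
    log(`scene: ${s.sceneDescription}`);
    s.urls.forEach((u) => log(`url: ${u}`));
  },
  onLeave(log, retval, state) {},
};

// frida-trace provides `defineHandler` inside the agent; outside it (plain
// Node, as in the checks below) the handler object is simply kept around.
if (typeof defineHandler === 'function') {
  defineHandler(handler);
}
```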
If we now open the URL, we would see that the name of class for