QRFuzz, a fuzzing toolkit to test malicious QR Codes in mobile applications

spritz-group/QRFuzz

QRFuzz

A fuzzing toolkit to test malicious QR Codes in mobile applications.

Current release: v1.0.1 (2023-03-16)

You can find toolkit updates in the CHANGELOGS page.

Installation

All the instructions to install the toolkit are inside the docs / installation page.

Usage

All the instructions to use the toolkit are inside the docs / usage page.

Quick Start

  1. Connect an Android smartphone to a PC and run adb devices
    • Save the udid (device_id) of the device
  2. Open a new terminal and start Appium
    • appium -p 4723
  3. Open a new terminal and start QRCodeGenerator
    • cd tools/QRCodeGenerator
    • python main.py -a <app> -j <json_data_path> -p <position>
  4. Open a new terminal and start QRCodeFuzzer
    • cd tools/QRCodeFuzzer
    • node index.js <app> <data_path> <port> <device_id>
  5. Once the tests are completed, check the results inside the test directory
    • ls tools/QRCodeFuzzer/data-tests/<app_name>
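
A pre-flight helper for step 1, added here as an example and not part of QRFuzz: it reads the output of adb devices and returns the device_id only when exactly one device is authorized and online, so the fuzzer in step 4 is not started against an unauthorized or ambiguous target. The function names, exit codes and the sample serials are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not QRFuzz code): choose the device_id for Quick Start step 1.

# pick_device_id reads `adb devices` output on stdin and prints the serial of
# the single device whose state is "device" (authorized and online).
# Exit status (hypothetical convention for this example):
#   0  exactly one usable device, serial printed on stdout
#   1  no usable device (none attached, or only unauthorized/offline ones)
#   2  more than one usable device, pick one by hand
pick_device_id() {
    awk '
        /^\*/ || /^List of devices attached/ { next }  # daemon notices, header
        NF < 2 { next }                                 # blank lines
        $2 == "device" { id = $1; ready++; next }       # authorized and online
        { other++ }                                     # unauthorized, offline, ...
        END {
            if (ready == 1) { print id; exit 0 }
            exit (ready > 1 ? 2 : 1)
        }
    '
}

# Constructed sample of `adb devices` output (serials are made up):
# one usable phone and one that has not accepted the host debugging key.
sample_adb_output() {
    printf 'List of devices attached\n'
    printf 'EXAMPLE0001\tdevice\n'
    printf 'EXAMPLE0002\tunauthorized\n'
    printf '\n'
}

# Typical use before steps 2 to 4:
#   device_id=$(adb devices | pick_device_id) || exit 1
#   node index.js <app> <data_path> 4723 "$device_id"
```
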

Extend the tool

You can find examples of how to extend the tool inside the folder of each tool.

Credits

This project has been developed by students from the University of Padua (UniPD, Italy).

  • Federico Carboni
  • Denis Donadel
  • Mariano Sciacco

If you're using our tool, please cite our paper:

@inproceedings{carboni2023if,
  title={If You’re Scanning This, It’s Too Late! A QR Code-Based Fuzzing Methodology to Identify Input Vulnerabilities in Mobile Apps},
  author={Carboni, Federico and Conti, Mauro and Donadel, Denis and Sciacco, Mariano},
  booktitle={International Conference on Applied Cryptography and Network Security},
  pages={553--570},
  year={2023},
  organization={Springer}
}