This is the second release of XDiFF, presented in the Hack in the Box 2018 talk "Exposing Hidden Exploitable Behaviors Using Extended Differential Fuzzing".
Please refer to the documentation or the docs folder included to learn how to use it. To report any bugs or ask for features, feel free to open an issue or contact me at fernando.arnaboldi at ioactive.
Changelog for v1.2:
- Changed main function names in the root directory
- Improved code and documentation; most of the code is now tested. Tons of bugfixes.
- Improved analysis of network connections to test browser connections
- Added new analysis for error disclosure (analyze_error_disclosure), and path disclosure analysis has been split (analyze_path_disclosure_stdout and analyze_path_disclosure_stderr)
- Added new compatibility class (classes.compat) to support Python 3
- Added risk value to the different analytic functions. Print functions based on their rating:
./xdiff_analyze.py -d db.sqlite -r 0/1/2/3
- Added support to test non-random filenames in software.ini. Set the second column to Filename = /etc/yourfixedfilename
- Added new parameters in the settings.py class
- Added debug option to xdiff_run.py