mirror of
https://github.com/FuzzingLabs/fuzzforge_ai.git
synced 2026-02-13 01:12:45 +00:00
cfcbe91610
Comprehensive Android security testing workflow converted from Prefect to Temporal architecture: Modules (3): - JadxDecompiler: APK to Java source code decompilation - OpenGrepAndroid: Static analysis with Android-specific security rules - MobSFScanner: Comprehensive mobile security framework integration Custom Rules (13): - clipboard-sensitive-data, hardcoded-secrets, insecure-data-storage - insecure-deeplink, insecure-logging, intent-redirection - sensitive_data_sharedPreferences, sqlite-injection - vulnerable-activity, vulnerable-content-provider, vulnerable-service - webview-javascript-enabled, webview-load-arbitrary-url Workflow: - 6-phase Temporal workflow: download → Jadx → OpenGrep → MobSF → SARIF → upload - 4 activities: decompile_with_jadx, scan_with_opengrep, scan_with_mobsf, generate_android_sarif - SARIF output combining findings from all security tools Docker Worker: - ARM64 Mac compatibility via amd64 platform emulation - Pre-installed: Android SDK, Jadx 1.4.7, OpenGrep 1.45.0, MobSF 3.9.7 - MobSF runs as background service with API key auto-generation - Added aiohttp for async HTTP communication Test APKs: - BeetleBug.apk and shopnest.apk for workflow validation
Vulnerable Test Application
This is a TEST PROJECT designed to trigger security findings in the FuzzForge security assessment workflow.
⚠️ WARNING: This application contains intentional security vulnerabilities for testing purposes only. DO NOT use any of this code in production!
Vulnerabilities Included
Hardcoded Secrets
- Database passwords
- API keys (AWS, Stripe, GitHub, etc.)
- JWT secrets
- Private keys (RSA, Bitcoin, Ethereum)
- OAuth tokens
Code Injection
eval()usage in multiple languagesexec()andsystem()calls- Dynamic function creation
- Template injection
SQL Injection
- String concatenation in queries
- String formatting in SQL
- Dynamic query building
- Parameterless queries
Command Injection
- Unsanitized user input in system commands
- Shell execution with user data
- Subprocess calls with shell=True
Path Traversal
- Unvalidated file paths
- Directory traversal patterns
- Insecure file operations
Other Vulnerabilities
- XSS vulnerabilities
- Insecure deserialization
- Weak cryptography (MD5, weak random)
- CORS misconfigurations
- Debug mode enabled
Files Overview
-
src/- Source code with various vulnerabilitiesdatabase.py- Python with SQL injection and hardcoded secretsapi_handler.py- Python with eval and command injectionutils.rb- Ruby vulnerabilitiesMain.java- Java security issuesapp.go- Go vulnerabilities
-
scripts/- Script filesdeploy.php- PHP vulnerabilitiesbackup.js- JavaScript security issues
-
config/- Configuration filessettings.py- Hardcoded credentialsdatabase.yaml- Database passwords
-
.env- Environment file with secrets -
private_key.pem- Private key file -
wallet.json- Cryptocurrency wallets -
.github/workflows/- CI/CD with hardcoded secrets
Expected Findings
When running the security assessment workflow, you should see:
- Multiple hardcoded secrets detected
- SQL injection vulnerabilities
- Command injection risks
- Dangerous function usage
- Sensitive file discoveries
Testing
To test with FuzzForge:
curl -X POST "http://localhost:8000/workflows/security_assessment/submit" \
-H "Content-Type: application/json" \
-d '{
"target_path": "/path/to/test_projects/vulnerable_app",
"parameters": {
"scanner_config": {"check_sensitive": true},
"analyzer_config": {"check_secrets": true, "check_sql": true}
}
}'
Note
This is purely for testing security scanning capabilities. All credentials and keys are fake/example values.