Skip to content

xsscx/fuzz

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

404 Commits
.github
.github
 
 
angular
angular
 
 
applescript
applescript
 
 
ascii
ascii
 
 
calc
calc
 
 
callback
callback
 
 
css
css
 
 
custom
custom
 
 
email
email
 
 
graphics
graphics
 
 
httpheader
httpheader
 
 
java
java
 
 
javascript
javascript
 
 
json
json
 
 
lfi-local-file-system-harvesting
lfi-local-file-system-harvesting
 
 
meta
meta
 
 
parameter
parameter
 
 
pf
pf
 
 
ps
ps
 
 
python
python
 
 
random
random
 
 
rbl
rbl
 
 
referer
referer
 
 
soap
soap
 
 
sqlinjection
sqlinjection
 
 
ssi
ssi
 
 
svg
svg
 
 
ua
ua
 
 
unix
unix
 
 
uri
uri
 
 
xml
xml
 
 
.gitignore
.gitignore
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
README.md
README.md
 
 
_config.yml
_config.yml
 
 
full-unicode.txt
full-unicode.txt
 
 
no-experience-required-xss-signatures-only-fools-dont-use.txt
no-experience-required-xss-signatures-only-fools-dont-use.txt
 
 
xml-paste-from-gist.txt
xml-paste-from-gist.txt
 
 

Repository files navigation

Fuzz Corpus — Commodity Injection Signatures & CVE PoCs

Curated corpus of 1,139 malicious input files (201 MB) for security testing. Originally created as "Commodity-Injection-Signatures" by David Hoyt (hoyt.net, srd.cx, xss.cx), maintained since 2015.

Contents

Category Files Size Description
graphics/icc/ 95 6 MB ICC CVE PoCs (CVE-2022-26730, CVE-2023-46602, CVE-2024-38427)
graphics/jpg/ 208 42 MB Malformed JPEG files
graphics/png/ 200 34 MB Malformed PNG files
graphics/tif/ 267 45 MB Malformed TIFF files
graphics/gif/ 35 Malformed GIF files
graphics/heic/ 9 Malformed HEIC files
graphics/bmp/ 10 Malformed BMP files
graphics/exr/ 4 Malformed OpenEXR files
xml/icc/ 42 ICC XML crash PoCs
xml/icc/minimized/ 74 AFL-minimized ICC XML crashes
xml/xxe/ 10+ XXE entity injection PoCs
Web injection 80+ XSS, SQLi, SSI, LFI, SSRF, XSLT signatures

ICC Profile CVE Coverage

CVE Files CWE Affected Software
CVE-2022-26730 11 CWE-787 Apple ColorSync
CVE-2023-32443 2 CWE-125 Apple ColorSync
CVE-2023-46602 1 CWE-122 DemoIccMAX
CVE-2023-46867 1 CWE-126 ArgyllCMS
CVE-2024-38427 1 CWE-122 DemoIccMAX

References:

Integration with CFL Fuzzers

ICC profiles seed the CFL LibFuzzer harnesses:

# Seed binary ICC fuzzers
cp fuzz/graphics/icc/*.icc cfl/corpus-icc_profile_fuzzer/

# Seed XML fuzzer
cp fuzz/xml/icc/*.xml cfl/corpus-icc_fromxml_fuzzer/
cp fuzz/xml/icc/minimized/* cfl/corpus-icc_fromxml_fuzzer/

See CFL instructions for full fuzzing workflow.

Suggested Use

  • CFL fuzzer seeding — Primary ICC PoC source for LibFuzzer harnesses
  • iccanalyzer-lite testing — Security heuristic validation against known-bad profiles
  • Burp Intruder payloads — Web injection signature files
  • Manual injection testing — Well-known XSS/SQLi/XXE signatures
  • Image decoder fuzzing — Malformed graphics files for ImageIO/Skia/WebKit
  • XNU/Windows/Linux testing — Platform-specific crash vectors

File Naming Convention

ICC PoCs: {crash_type}-{Class}-{Method}-{File}_cpp-Line{N}.icc

  • Crash types: hbo (heap overflow), sbo (stack overflow), segv (SIGSEGV), oom (out-of-memory), ub (undefined behavior), npd (null deref)

CVE PoCs: cve-{YYYY}-{NNNNN}-{description}-variant-{NNN}.icc

Recent Additions

  • CFL-discovered crash samples (repo root crash-*, oom-*, slow-unit-*)
  • CVE-2024-38427 ICC Color Profile PoCs
  • AFL-minimized ICC XML crash corpus (74 samples)
  • XNU Crash Helpers for Apple Security Research Device

Contributing

Setup a PR. All malicious input accepted.

Happy Hunting!!

About

Commodity Injection Signatures, Malicious Inputs, XSS, HTTP Header Injection, XXE, RCE, Javascript, XSLT

srd.cx

Topics

javascript html http exploit input random header injection xss poc rce fuzzing burp burpsuite malicious injection-signatures

Resources

Readme

Contributing

Contributing
Activity

Stars

404 stars

Watchers

12 watching

Forks

122 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages