PinguCrew: Web-Scale Fuzzing for Software Security
PinguCrew
PinguCrew is a web-based fuzzer platform that allows security researchers to test their software for vulnerabilities in a scalable and efficient manner. The tool is inspired by the ClusterFuzz tool but aims to remove any cloud service dependencies by running the tests within the user’s own network.
Unlike ClusterFuzz, which requires users to use a third-party hosting platform, PinguCrew runs the tests on the user’s own machines, giving them full control over the fuzzing process. This allows for more customization and flexibility, as users can set up their own testing environments with their desired configurations and testing parameters.
PinguCrew is designed to be highly modular, enabling users to easily integrate new fuzzer tools or modify existing ones to match their specific needs. The tool is built using a microservices architecture, with a Frontend using ReactJS to handle the user interface, a Backend using Django Python to handle server-side tasks, and a Python worker bot to execute the fuzzer test cases.
PinguCrew also provides users with a Butler script to automate many of the common tasks involved in running and managing fuzzers, including deployments, executions, and tracking test results. This makes it easier for security researchers to focus on their research, without having to worry about the technical details of running and analyzing fuzzing tests.
Pingu Components Overview
- Frontend/Dashboard: The React JS frontend serves as the user interface for Pingucrew, providing a centralized location to view test reports, control tests, and monitor the health of the testing environment. The frontend is built using a modern web technology stack and is designed to be scalable and customizable.
- Server Backend: The server backend is built using Django API Server and is responsible for communicating with the frontend and the Pingu bots, managing the testing environment, and handling data storage. The backend is designed to be modular and extendable, allowing for easy integration with external services and the addition of new features.
- Bot: The Pingucrew bot is a custom-built automation framework that allows users to automate common testing tasks and workflows. The bot is built using Python and incorporates advanced features such as run fuzzing campaings, analyze testcases, triage testcases, etc.
- Mongo DB: The MongoDB database is used to store test data and results, providing a scalable and efficient data storage solution. MongoDB is an open-source, NoSQL database designed to handle large amounts of data and accommodate varying data structures.
- Minio Buckets Server: Minio is a highly scalable object storage solution that provides a drop-in replacement for bucket cloud services. It allows users to store and access large amounts of data, providing a robust and reliable storage solution.
- Rabbit MQ: RabbitMQ is a high-performance message queuing system that is used to manage the communication between different components in the Pingucrew system. It provides an efficient and scalable messaging platform that allows for the queueing and routing of messages between different parts of the testing environment.
These components work together to provide a comprehensive fuzzing platform that incorporates advanced features and is designed to scale to meet the needs of any security team.
Install & Use
Copyright (C) 2024 IOActive