@xeioex
Last active April 27, 2019 14:36
njs fuzzing
description: fuzzing the njs JavaScript engine (the `njs` CLI binary) with AFL — http://lcamtuf.coredump.cx/afl/
cmd:
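# ubuntu: apt-get install afl
#
# Instrumented build of the njs CLI. -O0 is kept from the original recipe
# (no inlining/DCE, so coverage maps closely to source). AFL_USE_ASAN=1 makes
# afl-clang link AddressSanitizer: without it only inputs that actually crash
# the process are reported, and the heap/stack corruption bugs one fuzzes a
# C JS engine for mostly do not crash at -O0. Drop AFL_USE_ASAN for a faster
# but much less sensitive run.
AFL_USE_ASAN=1 CC=afl-clang CFLAGS='-O0' ./configure && make njs
#
# Seeds are read from testcases_njs/, crashes/hangs are written to
# findings_njs/, and -x splices the JS tokens in njs.dict into mutations.
# -m none lifts afl-fuzz's default memory limit, which an ASan build always
# exceeds (its shadow memory reservation alone is several TB of virtual
# address space). The trailing "-" is the script argument given to njs;
# presumably it selects stdin, which is where afl-fuzz feeds the test case
# when no @@ placeholder appears in the command line — confirm against the
# njs CLI you built.
afl-fuzz -m none -i testcases_njs -o findings_njs -x njs.dict <path-to-njs-binary> -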
cat njs.dict
keyword_arguments="arguments"
keyword_break="break"
keyword_case="case"
keyword_catch="catch"
keyword_const="const"
keyword_continue="continue"
keyword_debugger="debugger"
keyword_decodeURI="decodeURI"
keyword_default="default"
keyword_delete="delete"
keyword_do="do"
keyword_else="else"
keyword_escape="escape"
keyword_eval="eval"
keyword_export="export"
keyword_finally="finally"
keyword_for="for (a=0;a<2;a++)"
keyword_function="function"
keyword_if="if"
keyword_in="in"
keyword_instanceof="instanceof"
keyword_isNaN="isNaN"
keyword_let="let"
keyword_new="new"
keyword_parseInt="parseInt"
keyword_return="return"
keyword_switch="switch"
keyword_this="this"
keyword_throw="throw"
keyword_try="try"
keyword_typeof="typeof"
keyword_var="var"
keyword_void="void"
keyword_while="while"
keyword_with="with"
misc_1=" 1"
misc_a="a"
misc_array=" [1]"
misc_assign=" a=1"
misc_code_block=" {1}"
misc_colon_num=" 1:"
misc_colon_string=" 'a':"
misc_comma=" ,"
misc_comment_block=" /* */"
misc_comment_line=" //"
misc_cond=" 1?2:3"
misc_dec=" --"
misc_div=" /"
misc_equals=" ="
misc_fn=" a()"
misc_identical=" ==="
misc_inc=" ++"
misc_minus=" -"
misc_modulo=" %"
misc_parentheses=" ()"
misc_parentheses_1=" (1)"
misc_parentheses_1x4=" (1,1,1,1)"
misc_parentheses_a=" (a)"
misc_period="."
misc_plus=" +"
misc_plus_assign=" +="
misc_regex=" /a/g"
misc_rol=" <<<"
misc_semicolon=" ;"
misc_serialized_object=" {'a': 1}"
misc_string=" 'a'"
misc_unicode=" '\\u0001'"
object_Array=" Array"
object_Boolean=" Boolean"
object_Date=" Date"
object_Function=" Function"
object_Infinity=" Infinity"
object_Int8Array=" Int8Array"
object_Math=" Math"
object_NaN=" NaN"
object_Number=" Number"
object_Object=" Object"
object_RegExp=" RegExp"
object_String=" String"
object_Symbol=" Symbol"
object_false=" false"
object_null=" null"
object_true=" true"
prop_charAt=".charAt"
prop_concat=".concat"
prop_constructor=".constructor"
prop_destructor=".destructor"
prop_length=".length"
prop_match=".match"
prop_proto=".__proto__"
prop_prototype=".prototype"
prop_slice=".slice"
prop_toCode=".toCode"
prop_toString=".toString"
prop_valueOf=".valueOf"
keyword_req="req"
keyword_r="$r"
keyword_some_method="some_method"
keyword_header="header"
keyword_host="host"
keyword_uri="uri"
keyword_isArray="isArray"
keyword_undefined="undefined"
keyword_yield="yield"
keyword_parseFloat="parseFloat"
keyword_encodeURI="encodeURI"
keyword_encodeURIComponent="encodeURIComponent"
keyword_decodeURIComponent="decodeURIComponent"
prop_name="name"
method_reduceRight=".reduceRight"
method_sort=".sort"
method_reduce=".reduce"
method_map=".map"
method_filter=".filter"
method_every=".every"
method_some=".some"
method_forEach=".forEach"
method_lastIndexOf=".lastIndexOf"
method_indexOf=".indexOf"
method_includes=".includes"
method_join=".join"
method_reverse=".reverse"
method_splice=".splice"
method_shift=".shift"
method_unshift=".unshift"
method_pop=".pop"
method_push=".push"
method_toJSON=".toJSON"
method_setUTCFullYear=".setUTCFullYear"
method_setFullYear=".setFullYear"
method_setUTCMonth=".setUTCMonth"
method_setMonth=".setMonth"
method_setUTCDate=".setUTCDate"
method_setDate=".setDate"
method_setUTCHours=".setUTCHours"
method_setHours=".setHours"
method_setUTCMinutes=".setUTCMinutes"
method_setMinutes=".setMinutes"
method_setUTCSeconds=".setUTCSeconds"
method_setSeconds=".setSeconds"
method_setUTCMilliseconds=".setUTCMilliseconds"
method_setMilliseconds=".setMilliseconds"
method_setTime=".setTime"
method_getTimezoneOffset=".getTimezoneOffset"
method_getUTCMilliseconds=".getUTCMilliseconds"
method_getMilliseconds=".getMilliseconds"
method_getUTCSeconds=".getUTCSeconds"
method_getSeconds=".getSeconds"
method_getUTCMinutes=".getUTCMinutes"
method_getMinutes=".getMinutes"
method_getUTCHours=".getUTCHours"
method_getHours=".getHours"
method_getUTCDay=".getUTCDay"
method_getDay=".getDay"
method_getUTCDate=".getUTCDate"
method_getDate=".getDate"
method_getUTCMonth=".getUTCMonth"
method_getMonth=".getMonth"
method_getUTCFullYear=".getUTCFullYear"
method_getFullYear=".getFullYear"
method_getTime=".getTime"
method_toISOString=".toISOString"
method_toUTCString=".toUTCString"
method_toLocaleTimeString=".toLocaleTimeString"
method_toLocaleDateString=".toLocaleDateString"
method_toLocaleString=".toLocaleString"
method_toTimeString=".toTimeString"
method_toDateString=".toDateString"
method_bind=".bind"
method_apply=".apply"
method_call=".call"
method_tan=".tan"
method_sqrt=".sqrt"
method_sin=".sin"
method_round=".round"
method_random=".random"
method_pow=".pow"
method_min=".min"
method_max=".max"
method_log=".log"
method_floor=".floor"
method_exp=".exp"
method_cos=".cos"
method_ceil=".ceil"
method_atan2=".atan2"
method_atan=".atan"
method_asin=".asin"
method_acos=".acos"
method_abs=".abs"
method_SQRT2=".SQRT2"
method_LN2=".LN2"
method_exec=".exec"
method_test=".test"
method_fromUTF8=".fromUTF8"
method_toUTF8=".toUTF8"
method_fromBytes=".fromBytes"
method_toBytes=".toBytes"
method_substring=".substring"
method_substr=".substr"
method_charCodeAt=".charCodeAt"
method_codePointAt=".codePointAt"
method_toLowerCase=".toLowerCase"
method_toUpperCase=".toUpperCase"
method_search=".search"
method_replace=".replace"
cat testcases_njs/var
// Seed 1: the smallest valid program, a single declaration. afl-fuzz mutates
// these bytes and splices in the tokens from njs.dict; a tiny seed keeps
// every mutation cheap to run.
var a;
cat testcases_njs/func
// Seed 2: a function expression invoked immediately with one argument and a
// binary operator in its body, so mutations start from an input that already
// reaches function creation, call and arithmetic paths. The assignment to an
// undeclared `a` is deliberate — this is a fuzz seed, not application code,
// and its token shape is what afl-fuzz builds on.
a = (function(a) { return a + 1 }(2));