Fuzz

Commodity Injection Signatures, Malicious Inputs, XSS, HTTP Header Injection, XXE, RCE, Javascript, XSLT

Fuzz Corpus — Commodity Injection Signatures & CVE PoCs

Curated corpus of 1,139 malicious input files (201 MB) for security testing. Originally created as "Commodity-Injection-Signatures" by David Hoyt (hoyt.net, srd.cx, xss.cx), maintained since 2015.

Contents

| Category | Files | Size | Description |
|----------|------:|-----:|-------------|
| graphics/icc/ | 95 | 6 MB | ICC CVE PoCs (CVE-2022-26730, CVE-2023-46602, CVE-2024-38427) |
| graphics/jpg/ | 208 | 42 MB | Malformed JPEG files |
| graphics/png/ | 200 | 34 MB | Malformed PNG files |
| graphics/tif/ | 267 | 45 MB | Malformed TIFF files |
| graphics/gif/ | 35 | — | Malformed GIF files |
| graphics/heic/ | 9 | — | Malformed HEIC files |
| graphics/bmp/ | 10 | — | Malformed BMP files |
| graphics/exr/ | 4 | — | Malformed OpenEXR files |
| xml/icc/ | 42 | — | ICC XML crash PoCs |
| xml/icc/minimized/ | 74 | — | AFL-minimized ICC XML crashes |
| xml/xxe/ | 10+ | — | XXE entity injection PoCs |
| Web injection | 80+ | — | XSS, SQLi, SSI, LFI, SSRF, XSLT signatures |

ICC Profile CVE Coverage

| CVE | Files | CWE | Affected Software |
|-----|------:|-----|-------------------|
| CVE-2022-26730 | 11 | CWE-787 | Apple ColorSync |
| CVE-2023-32443 | 2 | CWE-125 | Apple ColorSync |
| CVE-2023-46602 | 1 | CWE-122 | iccDEV (formerly DemoIccMAX) |
| CVE-2023-46867 | 1 | CWE-126 | ArgyllCMS |
| CVE-2024-38427 | 1 | CWE-122 | iccDEV (formerly DemoIccMAX) |

References:

  • https://srd.cx/cve-2022-26730/
  • https://srd.cx/cve-2023-32443/
  • iccDEV

Integration with CFL Fuzzers

ICC profiles seed the CFL LibFuzzer harnesses:

```bash
# Seed binary ICC fuzzers
cp fuzz/graphics/icc/*.icc cfl/corpus-icc_profile_fuzzer/

# Seed XML fuzzer
cp fuzz/xml/icc/*.xml cfl/corpus-icc_fromxml_fuzzer/
cp fuzz/xml/icc/minimized/* cfl/corpus-icc_fromxml_fuzzer/
```

See the CFL instructions for the full fuzzing workflow.

Suggested Use

  • CFL fuzzer seeding — Primary ICC PoC source for LibFuzzer harnesses
  • iccanalyzer-lite testing — Security heuristic validation against known-bad profiles
  • Burp Intruder payloads — Web injection signature files
  • Manual injection testing — Well-known XSS/SQLi/XXE signatures
  • Image decoder fuzzing — Malformed graphics files for ImageIO/Skia/WebKit
  • XNU/Windows/Linux testing — Platform-specific crash vectors

File Naming Convention

ICC PoCs: {crash_type}-{Class}-{Method}-{File}_cpp-Line{N}.icc

  • Crash types: hbo (heap overflow), sbo (stack overflow), segv (SIGSEGV), oom (out-of-memory), ub (undefined behavior), npd (null deref)

CVE PoCs: cve-{YYYY}-{NNNNN}-{description}-variant-{NNN}.icc

Recent Additions

  • CFL-discovered crash samples (repo root crash-*, oom-*, slow-unit-*)
  • CVE-2024-38427 ICC Color Profile PoCs
  • AFL-minimized ICC XML crash corpus (74 samples)
  • XNU Crash Helpers for Apple Security Research Device

Contributing

Set up a PR. All malicious input accepted.

Happy Hunting!!
