A fuzzer for automatically discovering vulnerabilities in JavaScript sandboxes.
Detects Client/Server side Sandbox Escape.
- Python 3.8+
- Node.js 20+
- Chromium (for Playwright)
# Node.js packages
npm install
# Python packages
pip install flask playwright
playwright install chromium
# If you see `externally-managed-environment`, please use a virtual environment (venv).SandVenture/
├── SFuzzer.py # Main entry point (server-side fuzzer)
├── CFuzzer.py # Client-side fuzzer (Playwright-based)
├── utils.py # Core logic: code generation, execution, result analysis
│
├── instromentor.js # AST instrumentor for seed execution
├── minstromentor.js # AST instrumentor for mutation execution
├── mutation.js # AST mutation engine
├── makeJson-corpus.js # Extracts AST nodes from JS files into json_corpus
│
├── corpus/ # Seed JS files
├── json_corpus/ # AST node JSON files used by mutation engine
│
├── property_list_strategy1.txt # JS expression list for Stage 1
├── property_list_strategy2.txt # JS expression list for Stage 2
│
├── sandbox_tpl_server_side/ # Sandbox runner templates
│ └── <sandbox_name>/
│ └── run-<sandbox_name>.js
│
├── Server/ # Flask server for client-side sandbox testing
│ ├── app.py
│ ├── static/
│ └── templates/
│
└── log/ # Detection results saved here
├── internal/log/
├── external/log/
├── corpus_output/log/
├── mutation/log/
├── client_S4_log/
├── client_S5_log/
└── client_S6_log/
node makeJson-corpus.js <corpus_dir> <output_dir>
# Example
node makeJson-corpus.js ./corpus ./json_corpuspython SFuzzer.py <num_cores> <sandbox_name>
# Example
python SFuzzer.py 4 vm2# Terminal 1
cd Server && python app.py
# Terminal 2
python CFuzzer.py