Mayhem Blog

Expert insights and tips on application security, API security, and other DevSecOps topics.

Authenticating With Your API

Here's a way to authenticate Mayhem for API to the target and enable it to exercise more endpoints as well as maximize coverage.
Meet Our Mayhem Hero: Jacob Clemente

Open source software is mission critical, but its security is severely under-tested. As part of Phase 1, ForAllSecure has offered up to $2 million to meet these needs with its Mayhem Heroes program. Jacob is one of those heroes.
Reproducing Generated Test Case Crashes in Mayhem

The Mayhem UI reveals further insight into how a binary crashed as a result of a particular input test case.
Fuzz Your Own API with Mayhem for API

You've seen what Mayhem for API can do in a demo. Now it's time to fuzz your own! To start testing an API, you only need to provide two things: a specification describing the API, and a URL where it can be reached.
The Hacker Mind Podcast: How To Get Paid To Hack

You could, of course, sell your skillz to the dark web. Or you could legitimately report what you find and get paid to do so. You might even travel the world. In this episode of The Hacker Mind, I return to Episode 7 with Tim Becker, Episode 9 with Stok, and Episode 22 with Jack Cable to get their perspective on leaving 1337 skillz while getting paid by various bug bounty programs.
How to Run Mayhem from a Docker Image

Through the Mayhem UI, users can create, manage, and analyze their Mayhem fuzzing runs on containerized applications (targets) residing within Docker images that have been uploaded to the public Docker Hub registry.
CVE-2022-35922: Network Applications with Some Mayhem

By running Mayhem, we uncovered an uncontrolled memory allocation (CWE-789) and reported it as CVE-2022-35922.
Meet Our Mayhem Heroes: Raj Shah

"Mayhem was able to crash a handful of well-funded software projects ... vulnerabilities in those smaller projects that don’t receive enough scrutiny yet are (indirectly) used in countless other critical projects" - Raj Shah
How to Get Started with Mayhem

Mayhem can analyze compiled binaries written in languages like C/C++, Go, Rust, Java, and Python that read from a file, standard input, or from the network via a TCP or UDP socket. Mayhem also handles user-land (containerized) Linux applications.
