Sparkplug B Protocol Fuzzing with AI Assistance#2286

Open
carlospolop wants to merge 1 commit into master from update_Sparkplug_B_Protocol_Fuzzing_with_AI_Assistance_20260527_033320

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Title: Sparkplug B Protocol Fuzzing with AI Assistance

Core idea: Bishop Fox built and released an AI-assisted security fuzzer for Sparkplug B, an open MQTT-based Eclipse Foundation specification used in ICS/SCADA and Unified Namespace (UNS) environments. The post does not describe a CVE or a single confirmed product vulnerability; instead, it explains a practical protocol-fuzzing tool and methodology for finding implementation bugs such as crashes, malformed-messag...

🔧 Technical Details

Sparkplug B protocol fuzzing over MQTT: A tester can fuzz Sparkplug B implementations by publishing valid and invalid messages under the namespace spBv1.0/{group_id}/{message_type}/{edge_node_id}/{device_id}. Because Sparkplug B relies on strict lifecycle ordering, typed protobuf metrics, aliases, and sequence numbers, malformed traffic can expose crashes, parser failures, state corruption, unsafe command acceptance, and incorrect handling of device birth/death state.

Raw protobuf corruption for negative testing: Helper libraries often prevent invalid Sparkplug B payloads from being constructed. To reach vulnerable parsing paths, generate valid baseline messages with high-level helpers such as sparkplug_b, then directly mutate protobuf structures with sparkplug_b_pb2. This enables testing malformed fields, invalid nested structures, corrupted binary protobuf data, and values rejected by normal client libraries.

Metr...

🤖 Agent Actions

Done.

Updated:

  • src/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md

Added:

  • A new Sparkplug B ICS/SCADA reconnaissance and fuzzing section
  • Passive recon via spBv1.0/# / STATE/#
  • Protocol-aware fuzz cases: namespace fuzzing, lifecycle violations, type mismatches, alias rebinding, sequence abuse, raw protobuf corruption
  • Short usage examples for the Bishop Fox sparkplugFuzzer
  • Technical validation/detection checks
  • References to the blog, tool repo, Sparkplug spec, and protobuf definition

Validation:

  • Checked final diff and basic markdown invariants
  • mdbook build could not be run because mdbook is not installed in this environment

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
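An added example, not code from the PR, the blog post or the Bishop Fox sparkplugFuzzer: a defender-side monitor that parses the spBv1.0 topic namespace quoted in the Technical Details and flags the lifecycle violations, sequence abuse and device birth/death handling errors the fuzz cases above are designed to provoke. The group, node and device names and the sample stream are constructed; the 8-bit wrapping seq counter and NBIRTH starting at seq 0 follow the Sparkplug B specification, and treating NCMD/DCMD as outside the edge node's seq stream is an assumption of this example.

```python
import re

# Topic layout quoted in the PR: spBv1.0/{group_id}/{message_type}/{edge_node_id}/{device_id}
# (device_id absent for node-level N* messages; host STATE topics are out of scope here).
TOPIC_RE = re.compile(r"^spBv1\.0/([^/]+)/([A-Z]+)/([^/]+)(?:/([^/]+))?$")
MSG_TYPES = {"NBIRTH", "NDEATH", "NDATA", "NCMD", "DBIRTH", "DDEATH", "DDATA", "DCMD"}

def parse_topic(topic):
    # Return (group, mtype, node, device) or None when the topic violates the layout.
    m = TOPIC_RE.match(topic)
    if not m or m[2] not in MSG_TYPES:
        return None
    if m[2].startswith("D") and m[4] is None:
        return None  # device-level message type but no device_id segment
    return m.groups()

class LifecycleMonitor:
    # Flags birth/death ordering and seq-counter anomalies per (group, edge node).
    def __init__(self):
        self.alive, self.last_seq = set(), {}
    def observe(self, topic, seq):
        t = parse_topic(topic)
        if t is None:
            return f"malformed topic {topic!r}"
        group, mt, node, _ = t
        key = (group, node)
        if mt == "NBIRTH":
            self.alive.add(key)
            self.last_seq[key] = seq
            return None if seq == 0 else f"NBIRTH from {key} with seq {seq}, expected 0"
        if mt == "NDEATH":
            self.alive.discard(key)
            self.last_seq.pop(key, None)
            return None
        if key not in self.alive:
            return f"{mt} from {key} before any NBIRTH"
        if mt in ("NCMD", "DCMD"):
            return None  # assumption: commands come from the host, not the node's seq stream
        expected = (self.last_seq[key] + 1) % 256  # seq is an 8-bit counter that wraps
        self.last_seq[key] = seq
        return None if seq == expected else f"seq break on {key}: expected {expected}, got {seq}"

def scan(stream):
    # Run the monitor over (topic, seq) pairs and return the alerts raised.
    mon = LifecycleMonitor()
    return [a for a in (mon.observe(t, s) for t, s in stream) if a]

# Constructed sample stream imitating the lifecycle and sequence abuse cases listed above.
SAMPLE = [("spBv1.0/plant1/NDATA/edge7", 3), ("spBv1.0/plant1/NBIRTH/edge7", 0),  # data before birth
          ("spBv1.0/plant1/DBIRTH/edge7/pump2", 1), ("spBv1.0/plant1/DDATA/edge7/pump2", 2),
          ("spBv1.0/plant1/DDATA/edge7/pump2", 9), ("spBv1.0/plant1/DDATA/edge7", 10),  # seq jump, no device_id
          ("spBv1.0/plant1/NDEATH/edge7", None)]
```

Running `scan(SAMPLE)` yields three alerts: data before birth, a seq break (expected 3, got 9) and a malformed device-level topic.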

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://bishopfox.com/blog/sparkplug-b-protocol-fuzzing-with-ai-assistance

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting > 1883 - Pentesting MQTT (Mosquitto) > Sparkplug B ICS/SCADA reconnaissance and fuzzing".

Repository Maintenance:

  • MD Files Formatting: 974 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
