Comments on: writing a Browser fuzzer !!! http://www.abysssec.com/blog/2009/08/how-to-write-browser-fuzzer/ Security Researches , Advisories , Coding , Projects , Reversing , Exploitation , Fuzzing Sat, 27 Mar 2010 17:03:44 +0000 hourly 1 http://wordpress.org/?v=abc By: boxer http://www.abysssec.com/blog/2009/08/how-to-write-browser-fuzzer/comment-page-1/#comment-5215 boxer Mon, 31 Aug 2009 03:48:37 +0000 http://www.abysssec.com/blog/?p=368#comment-5215 how to find these getElementsByTagName("p") in firefox should be look in browser or in exe where to find ? and also where to find in IE or opera one more question how do we came to know that which browser is using which HTML 5 or HTML 4 boxer how to find these getElementsByTagName(“p”) in firefox should be look in browser or in exe where to find ?

and also where to find in IE or opera
one more question how do we came to know that

which browser is using which HTML 5 or HTML 4

boxer

]]> By: boxer http://www.abysssec.com/blog/2009/08/how-to-write-browser-fuzzer/comment-page-1/#comment-5214 boxer Sat, 29 Aug 2009 05:49:06 +0000 http://www.abysssec.com/blog/?p=368#comment-5214 hi i want to know how to find the getElementsByTagName("p") in firefox or in IE where to find in firefox.exe or in browser mention the step(like as we look in exe we use olly,IDA pro) mean how to look in browser so that i can update fuzzer with current firefox that we had update the fuzzer as new update browser release hi
i want to know how to find the getElementsByTagName(“p”) in firefox or in IE

where to find in firefox.exe or in browser

mention the step(like as we look in exe we use olly,IDA pro)

mean how to look in browser so that i can update fuzzer with current firefox
that we had update the fuzzer as new update browser release

]]> By: Anaconda http://www.abysssec.com/blog/2009/08/how-to-write-browser-fuzzer/comment-page-1/#comment-5213 Anaconda Wed, 26 Aug 2009 06:37:34 +0000 http://www.abysssec.com/blog/?p=368#comment-5213 good post for begineers!!! ================= Hi dear . thanks , This is fundamental , not simple ! Daphne good post for begineers!!!
=================
Hi dear .
thanks , This is fundamental , not simple !
Daphne

]]> By: aMIr http://www.abysssec.com/blog/2009/08/how-to-write-browser-fuzzer/comment-page-1/#comment-5210 aMIr Sat, 22 Aug 2009 18:03:33 +0000 http://www.abysssec.com/blog/?p=368#comment-5210 Nice writeup, as you said it's not a commercial fuzzer and certainly not a general purpose fuzzer. browser security assessment isn't narrowed to javascript, HTML and XML . there are a bunch of other attack vectors such as image rendering libraries(JPEG, PNG, GIF, etc.) to fuzz/assessment too. though they are not actually needed for a special-purpose and non-commercial fuzzer that has been written privately for some testing purpose, cause these codes aren't ready to use or run and BOOM tools. your fuzzer should do good at fuzzing of FONT as a PoC. I have some opinion, if you like: 1) your 'overflows' list have small length, try some more char length too. 2) your 'overflows' list is only filled with 'A' char, try some other chars too. because of some triggery reasons. 3) try some non-printable and unicode chars too ! 4) try fuzzed property/values too. it'll be more accurate in some places! cool to see these actions :) that was all, cheers ----------------------- hi amir i'm much agree by your Suggestions . Especially with the Unicode part and image rendering library . in future post , i will write about these . Have good days Daphne Nice writeup,
as you said it’s not a commercial fuzzer and certainly not a general purpose fuzzer.
browser security assessment isn’t narrowed to javascript, HTML and XML . there are a bunch of other attack vectors such as image rendering libraries(JPEG, PNG, GIF, etc.) to fuzz/assessment too. though they are not actually needed for a special-purpose and non-commercial fuzzer that has been written privately for some testing purpose, cause these codes aren’t ready to use or run and BOOM tools. your fuzzer should do good at fuzzing of FONT as a PoC.

I have some opinion, if you like:
1) your ‘overflows’ list have small length, try some more char length too.
2) your ‘overflows’ list is only filled with ‘A’ char, try some other chars too. because of some triggery reasons.
3) try some non-printable and unicode chars too !
4) try fuzzed property/values too. it’ll be more accurate in some places!

cool to see these actions :)
that was all,
cheers
———————–
hi amir
i’m much agree by your Suggestions .
Especially with the Unicode part and image rendering library .
in future post , i will write about these .
Have good days
Daphne

]]>