For example :
when html5 comes , Firefox added html5 features to itself too.  and a clever Attacker could recognizing  this change and we will be able to find Security holes .

for more information please read :

w3.org publish paper with this title: HTML 5 differences from HTML 4
http://www.w3.org/TR/2009/WD-html5-diff-20090212/
and take HTML5 Overview :
http://dev.w3.org/html5/spec/Overview.html

please  pay attention to differences between FF3 & FF3.5 :

These changes include support for the <video> and <audio> tags as defined in the HTML 5 specification, with a goal to offer video playback without being encumbered by patent issues associated with many video technologies.

Cross-site XMLHttpRequests (XHR), which can allow for more powerful web applications and an easier way to implement mashups, are also implemented in 3.5.

A new global JSON object contains native functions to efficiently and safely serialize and deserialize JSON objects, as specified by the ECMAScript 3.1 draft.

Full CSS 3 selector support has been added. Firefox 3.5 uses the Gecko 1.9.1 engine, which includes a few features that were not included in the 3.0 release. Multi-touch support was also added to the release, including gesture support like pinching for zooming and swiping for back and forward.

and then milw0rm.com publish new exploit in “Firefox font tag !”
http://www.milw0rm.com/exploits/9137

we are not bloodsucker , we try to act like a  real hacker , Real hacker (Pen-tester i mean)  think about how to find  this type of bug .

since we know about all of  new  features in  new web browsers  such as of FF  and we can test features as a security researcher as well.

Browser Vulnerability Assessment  has tree  step :

1 – Find HTML or XML or javascript <tag> browser can support , for example :
http://msdn.microsoft.com/en-us/library/ms533050%28VS.85%29.aspx [IE]

2- find  Properties , Methods , Collections , Events ,Constants , Prototypes , HTML Elements for each <tag> .

3- misuse property of <tag> or fuzzed tag for buffer-overflow and other memory corruption vulnerabilities (in this case)

for example :
we want find memory corruption vulnerability using ,  unbound check in  <font> tag,  in  Internet explorer 8 !:
<font color=”#727272″>test</font>

take a look at  “MSDN” :
http://msdn.microsoft.com/en-us/library/ms535248%28VS.85%29.aspx

second : find “Attribute” and “property” of <font> tag , such as :
‘color’, ‘face’, ‘size’, ‘class’, ‘id’, ‘style’, ‘title’, ‘dir’, ‘lang’, ‘accesskey’, ‘tabindex’

third  : build random character for “overflows ” , “FormatString”  , and other memory corruptions …

for example to be more clear i wrote a really basic fuzzer in python :

(for sure this is not a commercial fuzzer)

# Abysssec Inc public material
# Simple Browser Fuzzer
# www.Abysssec.com
#garbage char
overflows = ['A' * 10, 'A' * 20, 'A' * 100, 'A' * 200]
fmtstring = ['%n%n%n%n%n', '%p%p%p%p%p', '%s%s%s%s%s', '%d%d%d%d%d', '%x%x%x%x%x']
numbers   = ['0', '-0', '1', '-1', '32767', '-32768', '2147483647', '-2147483647', '2147483648', '-2147483648']
 
# FONT property
fontpropery = ['color', 'face', 'size', 'class', 'id', 'style', 'title', 'dir', 'lang', 'accesskey', 'tabindex']
 
#basic Automated Fuzzer :
i = 0 
 
for x in fontpropery:
     for y in overflows:
    	tag = "<span>TEST</span>"
    	i = i + 1
	file = open( str(i) + ".html","w")
	file.writelines('')
	file.writelines(tag)
	file.close()
 
     for y in fmtstring:
    	tag =  "<span>TEST</span>"
    	i = i + 1
	file = open( str(i) + ".html","w")
	file.writelines('')
	file.writelines(tag)
	file.close()
 
     for y in numbers:
    	tag =  "<span>TEST</span>"
    	i = i + 1
	file = open( str(i) + ".html","w")
	file.writelines('')
	file.writelines(tag)
	file.close()

for start fuzzing , add refresh page with next page . [for start fuzz click 1.html]

another way :

“Jeremy Brown”  developed this a fuzzer for general browser fuzzing” :

1. Written in PERL
2. CSS/DOM/HTML/JS fuzzing comprehensive
3. Specialized functions for fuzz page generation & writing
4. Decent file structure easily supporting add/del/modification
5. 3rd generation [unlimited style, web] fuzzing oracle implemented

http://www.krakowlabs.com/dev/fuz/bf2/bf2.pl.txt

this fuzzer is good but it’s really simple too and can’t find new vulnerabilities without modifying but   you can extend it for new method of browser <tag > fuzz .

more info :

http://www.krakowlabs.com/dev/fuz/bf2/bf2_doc.txt

Browser Auditing :

browser source code auditing  is actually white-box testing  and only is useful when you have  an open source browser like  Firefox  and …. .

source code auditing is really practical , but need higher then  knowledge in programming (always C/C++)
for example , in firefox :
you can download all versions  source code from here :
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases

more source code of FF written by C++ , my interested  C++ source code Auditor is : CPPcheck
http://sourceforge.net/apps/mediawiki/cppcheck

Important point that we understand from this Post :
why we can’t found bugs from this ways ?
i try to answer this question in future post .

————————————————————-

and this write-up is for  tell you we are “not dead”

wait for out new advisories + exploits soon as soon possible

god speed you

Daphne
———–
unfortunately , we had mistake in our simple fuzzer , now edit & repaired .
thanks .
Daphne /