full-disclosure-uk January 2009 archive

Re: [Full-disclosure] Browser Fuzzer 2

From: Krakow Labs <krakowlabs_at_nospam>
Date: Sat Jan 31 2009 - 22:12:39 GMT
To: full-disclosure@lists.grok.org.uk


Well Pete, you are certainly entitled to your opinion. And in regard to the comment about bf2 having no automation.. the fact is, it does: every fuzz page contains refresh code for the next, allowing the fuzzing process to be completely automated. BF2 needs no defense-- from its conception it has proved very useful. Don't like it? Trash it.

Pete Licoln wrote:
> Hi Jeremy,
>
> I think this fuzzer is useless, and doesn't have any kind of innovation.
> This fuzzer acts as a cheap binary fuzzer, without any automation on
> the targeted browser, like your other fuzzers you've written.
> There are several DOM CSS DHTML fuzzers written in JS, way more
> powerful; did you hear about them?
>
> Next time take some time before releasing such useless stuff.
>
>
> Regards
>
>
>
> 2009/1/31 Krakow Labs <krakowlabs@gmail.com>
>
> That is one point I would like to get across: fuzzing doesn't have
> to be and frequently isn't random, no matter how much the wikis copy its
> 'definition'. The fuzzing oracle is the heart of the fuzzing process,
> and making sure it is adequate to check for bugs is, I feel, a key to
> being successful when fuzzing. I understand that near complete
> randomness can be effective as demonstrated with mangleme, etc, but I
> rarely choose that approach when working on projects; I just do not
> think of it as a huge benefit. And the number of fuzzing files is
> limited to the functions and tags and to the fuzzing oracle, all of
> which can be modified and rearranged. Information, information,
> information :)
>
> You did ask some good questions, thanks for your input.
>
> webDEViL wrote:
> > Hello Jeremy,
> >
> > I am in no way trying to criticise your work, just had a few
> > questions that I had to ask :)
> >
> > Your fuzzers are like meant to be run only once, cause pretty much
> > everyone will have the same files created.
> > Why isn't there any randomness in creating the fuzzed files?
> > bf2[phase four] JS Process Complete (Final Count: 8004).
> >
> > Well I am saying that your fuzzer will die, in like a day, cause the
> > number of files is finite and very few in number.
> > What's the point with such fuzzers being released to the community?
> >
> >
> >
> > Regards,
> > webDEViL
> >
> >
> > On Fri, Jan 30, 2009 at 11:14 PM, Krakow Labs <krakowlabs@gmail.com> wrote:
> >
> > Krakow Labs Development
> >
> > Browser Fuzzer 2 (bf2) is a comprehensive web browser fuzzer that
> > fuzzes CSS, DOM, HTML and JavaScript.
> >
> > bf2 is available @ www.krakowlabs.com
> >
> > -KL
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
>
>
>
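
The two mechanisms argued over in this thread, a finite test set built from fixed lists and pages chained by refresh code, can be seen together in a small generator for testing a browser build you maintain. This is an added example, not bf2's code and not from any poster in the thread; the templates, values, file names and function names are all assumptions made for illustration.

```python
import hashlib
import html
import itertools
import tempfile
from pathlib import Path

# Constructed sample inputs (not bf2's real lists): each template has one
# slot, and every value is tried in every slot.
TEMPLATES = [
    '<div style="width:{v}">x</div>',
    '<table border="{v}"><tr><td>x</td></tr></table>',
    '<script>document.title = "{v}";</script>',
]
VALUES = ["0", "-1", "4294967296", "A" * 1024]

PAGE = (
    "<!DOCTYPE html>\n<html><head>\n"
    '<meta http-equiv="refresh" content="{delay};url={next}">\n'
    "<title>case {index}</title>\n</head><body>\n{body}\n</body></html>\n"
)
LAST = "<!DOCTYPE html>\n<html><body>done: {count} cases</body></html>\n"


def build_cases(templates=TEMPLATES, values=VALUES):
    """Full cross product in a fixed order: finite and reproducible."""
    return [t.format(v=html.escape(v, quote=True))
            for t, v in itertools.product(templates, values)]


def write_chain(out_dir, cases, delay=1):
    """Write case_N.html files where each page refreshes to the next one."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    digest = hashlib.sha256()
    for i, body in enumerate(cases):
        page = PAGE.format(delay=delay, next=f"case_{i + 1}.html",
                           index=i, body=body)
        (out / f"case_{i}.html").write_text(page, encoding="utf-8")
        digest.update(page.encode("utf-8"))
    # Terminal page has no refresh, so the browser stops at a known marker.
    (out / f"case_{len(cases)}.html").write_text(
        LAST.format(count=len(cases)), encoding="utf-8")
    return len(cases), digest.hexdigest()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        runs = [write_chain(Path(d) / r, build_cases()) for r in "ab"]
        print(runs[0][0], "cases; identical across runs:", runs[0] == runs[1])
```

The case count is exactly len(TEMPLATES) * len(VALUES) and the corpus digest is the same on every run, so extending coverage means editing the lists rather than re-running the generator.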


