Well Pete, you are certainly entitled to your opinion. And in regard to the comment about bf2 having no automation.. the fact is, it does: every fuzz page contains refresh code for the next, allowing the fuzzing process to be completely automated. BF2 needs no defense-- from its conception it has proved very useful. Don't like it? Trash it.
Pete Licoln wrote:
> Hi Jeremy,
> I think this fuzzer is useless, and doesn't have any kind of innovation.
> This fuzzer acts as a cheap binary fuzzer, without any automation on
> the targeted browser, like the other fuzzers you've written.
> There are several DOM CSS DHTML fuzzers written in JS that are way more
> powerful; did you hear about them?
> Next time take some time before releasing such useless stuff.
> 2009/1/31 Krakow Labs <firstname.lastname@example.org>
> That is one point I would like to get across: fuzzing doesn't have to be
> and frequently isn't random, no matter how much the wikis copy its
> 'definition'. The fuzzing oracle is the heart of the fuzzing process,
> and making sure it is adequate to check for bugs is, I feel, a key to
> being successful when fuzzing. I understand that near complete
> randomness can be effective as demonstrated with mangleme, etc, but I
> rarely choose that approach when working on projects; I just do not
> think of it as a huge benefit. And the number of fuzzing files is
> limited to the functions and tags and to the fuzzing oracle, all of
> which can be modified and rearranged. Information, information,
> information :)
> You did ask some good questions, thanks for your input.
> webDEViL wrote:
> > Hello Jeremy,
> > I am in no way trying to criticise your work, just had a few
> > that I had to ask :)
> > Your fuzzers are like meant to be run only once, cause pretty much
> > everyone will have the same files created.
> > Why isn't there any randomness in creating the fuzzed files?
> > bf2[phase four] JS Process Complete (Final Count: 8004).
> > Well I am saying that your fuzzer will die, in like a day, cause the
> > number of files is finite and very few in number.
> > What's the point with such fuzzers being released to the community?
> > Regards,
> > webDEViL
> > On Fri, Jan 30, 2009 at 11:14 PM, Krakow Labs <firstname.lastname@example.org> wrote:
> > Krakow Labs Development
> > Browser Fuzzer 2 (bf2) is a comprehensive web browser fuzzer
> > fuzzes
> > bf2 is available @ www.krakowlabs.com
> > -KL
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
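The two mechanisms argued over in this thread, a finite case list derived from tags and oracle values and pages that each refresh to the next, shown as an added JavaScript example that is not part of the original messages and is not bf2's code. The tag, attribute and oracle lists, the file naming scheme and all function names are assumptions made for illustration.

```javascript
// Added example: deterministic fuzz-page corpus with refresh chaining.
// TAGS, ATTRS and ORACLE are constructed sample lists, not bf2's own.
const TAGS = ["img", "table", "marquee"];
const ATTRS = ["width", "height"];
const ORACLE = ["", "-1", "4294967296", "A".repeat(1024)];

// Keep oracle values from breaking out of the attribute they are placed in.
const escapeAttr = (s) =>
  s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");

// Enumerate every tag x attribute x oracle value in a fixed order, so the
// corpus size is exactly |tags| * |attrs| * |oracle| and is reproducible.
function buildCases(tags, attrs, oracle) {
  const cases = [];
  for (const tag of tags)
    for (const attr of attrs)
      for (const value of oracle) cases.push({ tag, attr, value });
  return cases;
}

const pageName = (i) => `case-${String(i).padStart(5, "0")}.html`;

// One page per case; every page but the last refreshes to its successor,
// so a browser opened on the first page walks the whole corpus unattended.
function renderPage(c, i, total, delaySeconds = 1) {
  const next = i + 1 < total
    ? `<meta http-equiv="refresh" content="${delaySeconds}; url=${pageName(i + 1)}">`
    : "";
  return [
    "<!DOCTYPE html>",
    `<html><head><title>case ${i + 1}/${total}</title>${next}</head>`,
    `<body><${c.tag} ${c.attr}="${escapeAttr(c.value)}"></${c.tag}></body></html>`,
  ].join("\n");
}

// Map of file name -> page source for the full corpus.
function buildCorpus(tags = TAGS, attrs = ATTRS, oracle = ORACLE) {
  const cases = buildCases(tags, attrs, oracle);
  return new Map(cases.map((c, i) => [pageName(i), renderPage(c, i, cases.length)]));
}
```

Because the case number is in each page title, a crash can be traced back to one tag, attribute and oracle value, and extending any of the three lists grows the corpus by a predictable amount.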