writing a Browser fuzzer !!!

Hello all
in this post , i wanna talk about web browser Fuzzing  and auditing.
web browsers , such as FireFox , Opera , Internet Explorer  and etc .. , are very convertible with new web technologies.

For example :
when html5 comes , Firefox added html5 features to itself too.  and a clever Attacker could recognizing  this change and we will be able to find Security holes .

for more information please read :

w3.org publish paper with this title: HTML 5 differences from HTML 4
http://www.w3.org/TR/2009/WD-html5-diff-20090212/
and take HTML5 Overview :
http://dev.w3.org/html5/spec/Overview.html

please  pay attention to differences between FF3 & FF3.5 :

These changes include support for the <video> and <audio> tags as defined in the HTML 5 specification, with a goal to offer video playback without being encumbered by patent issues associated with many video technologies.

Cross-site XMLHttpRequests (XHR), which can allow for more powerful web applications and an easier way to implement mashups, are also implemented in 3.5.

A new global JSON object contains native functions to efficiently and safely serialize and deserialize JSON objects, as specified by the ECMAScript 3.1 draft.

Full CSS 3 selector support has been added. Firefox 3.5 uses the Gecko 1.9.1 engine, which includes a few features that were not included in the 3.0 release. Multi-touch support was also added to the release, including gesture support like pinching for zooming and swiping for back and forward.

and then milw0rm.com publish new exploit in “Firefox font tag !”
http://www.milw0rm.com/exploits/9137

we are not bloodsucker , we try to act like a  real hacker , Real hacker (Pen-tester i mean)  think about how to find  this type of bug .

since we know about all of  new  features in  new web browsers  such as of FF  and we can test features as a security researcher as well.

Browser Vulnerability Assessment  has tree  step :

1 – Find HTML or XML or javascript <tag> browser can support , for example :
http://msdn.microsoft.com/en-us/library/ms533050%28VS.85%29.aspx [IE]

2- find  Properties , Methods , Collections , Events ,Constants , Prototypes , HTML Elements for each <tag> .

3- misuse property of <tag> or fuzzed tag for buffer-overflow and other memory corruption vulnerabilities (in this case)

for example :
we want find memory corruption vulnerability using ,  unbound check in  <font> tag,  in  Internet explorer 8 !:
<font color=”#727272″>test</font>

take a look at  “MSDN” :
http://msdn.microsoft.com/en-us/library/ms535248%28VS.85%29.aspx

second : find “Attribute” and “property” of <font> tag , such as :
‘color’, ‘face’, ‘size’, ‘class’, ‘id’, ‘style’, ‘title’, ‘dir’, ‘lang’, ‘accesskey’, ‘tabindex’

third  : build random character for “overflows ” , “FormatString”  , and other memory corruptions …

for example to be more clear i wrote a really basic fuzzer in python :

(for sure this is not a commercial fuzzer)

# Abysssec Inc public material
# Simple Browser Fuzzer
# Abysssec.com
#garbage char
overflows = ['A' * 10, 'A' * 20, 'A' * 100, 'A' * 200]
fmtstring = ['%n%n%n%n%n', '%p%p%p%p%p', '%s%s%s%s%s', '%d%d%d%d%d', '%x%x%x%x%x']
numbers   = ['0', '-0', '1', '-1', '32767', '-32768', '2147483647', '-2147483647', '2147483648', '-2147483648']
 
# FONT property
fontpropery = ['color', 'face', 'size', 'class', 'id', 'style', 'title', 'dir', 'lang', 'accesskey', 'tabindex']
 
#basic Automated Fuzzer :
i = 0 
 
for x in fontpropery:
     for y in overflows:
    	tag = "<span>TEST</span>"
    	i = i + 1
	file = open( str(i) + ".html","w")
	file.writelines('')
	file.writelines(tag)
	file.close()
 
     for y in fmtstring:
    	tag =  "<span>TEST</span>"
    	i = i + 1
	file = open( str(i) + ".html","w")
	file.writelines('')
	file.writelines(tag)
	file.close()
 
     for y in numbers:
    	tag =  "<span>TEST</span>"
    	i = i + 1
	file = open( str(i) + ".html","w")
	file.writelines('')
	file.writelines(tag)
	file.close()

for start fuzzing , add refresh page with next page . [for start fuzz click 1.html]

another way :

“Jeremy Brown”  developed this a fuzzer for general browser fuzzing” :

  1. Written in PERL
  2. CSS/DOM/HTML/JS fuzzing comprehensive
  3. Specialized functions for fuzz page generation & writing
  4. Decent file structure easily supporting add/del/modification
  5. 3rd generation [unlimited style, web] fuzzing oracle implemented

http://www.krakowlabs.com/dev/fuz/bf2/bf2.pl.txt

this fuzzer is good but it’s really simple too and can’t find new vulnerabilities without modifying but   you can extend it for new method of browser <tag > fuzz .

more info :

http://www.krakowlabs.com/dev/fuz/bf2/bf2_doc.txt

Browser Auditing :

browser source code auditing  is actually white-box testing  and only is useful when you have  an open source browser like  Firefox  and …. .

source code auditing is really practical , but need higher then  knowledge in programming (always C/C++)
for example , in firefox :
you can download all versions  source code from here :
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases

more source code of FF written by C++ , my interested  C++ source code Auditor is : CPPcheck
http://sourceforge.net/apps/mediawiki/cppcheck

Important point that we understand from this Post :
why we can’t found bugs from this ways ?
i try to answer this question in future post .

————————————————————-

and this write-up is for  tell you we are “not dead”

wait for out new advisories + exploits soon as soon possible

god speed you

Daphne
———–
unfortunately , we had mistake in our simple fuzzer , now edit & repaired .
thanks .
Daphne /

4 Responses to this post.

  1. Posted by aMIr on 21.08.09 at 7:42 pm

    Nice writeup,
    as you said it’s not a commercial fuzzer and certainly not a general purpose fuzzer.
    browser security assessment isn’t narrowed to javascript, HTML and XML . there are a bunch of other attack vectors such as image rendering libraries(JPEG, PNG, GIF, etc.) to fuzz/assessment too. though they are not actually needed for a special-purpose and non-commercial fuzzer that has been written privately for some testing purpose, cause these codes aren’t ready to use or run and BOOM tools. your fuzzer should do good at fuzzing of FONT as a PoC.

    I have some opinion, if you like:
    1) your ‘overflows’ list have small length, try some more char length too.
    2) your ‘overflows’ list is only filled with ‘A’ char, try some other chars too. because of some triggery reasons.
    3) try some non-printable and unicode chars too !
    4) try fuzzed property/values too. it’ll be more accurate in some places!

    cool to see these actions :)
    that was all,
    cheers
    ———————–
    hi amir
    i’m much agree by your Suggestions .
    Especially with the Unicode part and image rendering library .
    in future post , i will write about these .
    Have good days
    Daphne

  2. Posted by Anaconda on 21.08.09 at 7:42 pm

    good post for begineers!!!
    =================
    Hi dear .
    thanks , This is fundamental , not simple !
    Daphne

  3. Posted by boxer on 21.08.09 at 7:42 pm

    hi
    i want to know how to find the getElementsByTagName(“p”) in firefox or in IE

    where to find in firefox.exe or in browser

    mention the step(like as we look in exe we use olly,IDA pro)

    mean how to look in browser so that i can update fuzzer with current firefox
    that we had update the fuzzer as new update browser release

  4. Posted by boxer on 21.08.09 at 7:42 pm

    how to find these getElementsByTagName(“p”) in firefox should be look in browser or in exe where to find ?

    and also where to find in IE or opera
    one more question how do we came to know that

    which browser is using which HTML 5 or HTML 4

    boxer

Get Adobe Flash playerPlugin by wpburn.com wordpress themes