
amolnaik4

7 Reasons Why You Should Invest in Browser Fuzzing


Fuzzing is the process of providing invalid, unexpected input to an application and monitoring it for crashes. The process can be automated or semi-automated. Fuzzing reveals security bugs that might be missed during code audits.

Fuzzing is a black-box approach that does not need any source code. After identifying the input methods, one can send invalid, random inputs and look for a testcase that crashes the application.

I was involved in fuzzing browsers for some time and here are my reasons why you should start fuzzing:

1. Sense of Security
Fuzzing discovers security bugs. In the case of browser fuzzing, the bugs found are use-after-free, heap overflow, etc. Some of these bugs are capable of executing arbitrary code and can compromise a victim's machine. Discovering these kinds of bugs and disclosing them to the vendor so that a patch can be created ensures the security of the application.

2. Who wants Money
Bugs in browsers have huge value in the security world simply because one bug can own many victims, as browsers are the most widely used applications. There are competitions like Pwn2Own which focus on browser exploitation and have USD 100,000 as a prize. Vendors like Google & Firefox have their own bounty programs for disclosing bugs to them. There are other vendors like ZDI and iDefense which pay you based on the criticality of the bug. Look at the prize money for full exploits. Chrome & Internet Explorer exploits can pay off from USD 80,000 to USD 200,000.
(http://www.forbes.com/sites/andygree...ware-exploits/)

3. Can you code Javascript
JavaScript is one of the main components of the browser. If you know JavaScript, it's easy to code a fuzzer for use-after-free & heap overflow bugs. These fuzzers generate testcases which can crash browsers. Using the JavaScript API, one can write a program to create elements, assign attributes to them, and perform operations like defining DOM ranges, executing execCommands, etc. The best part is that you just need a browser to code the stuff.
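
A minimal sketch of the kind of generator described in this point, added here as an illustration and not the author's own fuzzer: it emits a testcase page that creates elements, sets attributes, defines DOM ranges and calls execCommand, driven by a seeded PRNG so that a crashing testcase can be regenerated from its seed when it is reported to the vendor. The function names, the tag, attribute and command lists, and the seed comment are assumptions.

```javascript
// Added example; every name here is hypothetical. Runs in Node or a browser console.
const TAGS = ["div", "span", "table", "select", "textarea", "p"];
const ATTRS = [["contenteditable", "true"], ["dir", "rtl"], ["hidden", ""], ["title", "x"]];
const COMMANDS = ["bold", "italic", "selectAll", "delete", "insertParagraph"];
// mulberry32: small deterministic PRNG, so one integer seed identifies a testcase.
function makeRng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Returns the JavaScript statements of one testcase as an array of strings.
function generateStatements(seed, count) {
  const rnd = makeRng(seed);
  const below = (n) => Math.floor(rnd() * n);
  const out = ["var els = [document.body];"];
  let created = 1; // elements available in els[] at this point of the generated script
  for (let i = 0; i < count; i++) {
    const a = below(created), b = below(created);
    switch (below(4)) {
      case 0: // create an element under an existing one
        out.push(`els.push(els[${a}].appendChild(document.createElement("${TAGS[below(TAGS.length)]}")));`);
        created++;
        break;
      case 1: { // assign an attribute
        const [k, v] = ATTRS[below(ATTRS.length)];
        out.push(`els[${a}].setAttribute("${k}", "${v}");`);
        break;
      }
      case 2: // define a DOM range between two elements and select it
        out.push(`try { var r = document.createRange(); r.setStart(els[${a}], 0); ` +
          `r.setEnd(els[${b}], 0); getSelection().removeAllRanges(); getSelection().addRange(r); } catch (e) {}`);
        break;
      default: // run an editing command against the current selection
        out.push(`try { document.execCommand("${COMMANDS[below(COMMANDS.length)]}", false, null); } catch (e) {}`);
    }
  }
  return out;
}

// Wraps the statements in a page; the seed in the HTML comment is enough to regenerate it.
function buildTestcase(seed, count) {
  const js = generateStatements(seed, count).join("\n");
  return `<!DOCTYPE html>\n<!-- seed=${seed} count=${count} -->\n<html><body><script>\n${js}\n</scr` + `ipt></body></html>\n`;
}
```

Saving the output of `buildTestcase(1234, 40)` to an `.html` file and opening it in the browser under test runs that testcase; logging the seed before each run is what makes a crash reproducible.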

4. Debugging - The new learning
Once you have a testcase which crashes the browser, then comes the analysis part. Debuggers like WinDbg and Immunity Debugger help you to understand the cause of the bug and to assess its exploitability. Knowledge of assembly language is essential for this. Things like LFH and heap spray will help you to take control of the dangling pointer in the case of a UAF vulnerability. This is a whole new path of learning and exploring things in low-level language. If you think you are done with the things you have been working on for a long time and like to take on challenges, learning assembly and debugging techniques gives you a completely new learning stage.

5. Is the product Robust
Robustness can be defined as the ability to tolerate exceptional inputs & stressful environmental conditions. Software is not robust if it fails when facing such circumstances. Attackers can take advantage of robustness problems and compromise the system running the software. Fuzzing can be useful for robustness testing, using negative testing with random or semi-random inputs.

6. eip = 41414141 [The Goal - Calculator]
This sort of memory corruption would lead to code execution, and that is a lot of money and fame. When the attacker controls the program flow, the ultimate target is to launch a new program using shellcode. For proof-of-control, researchers always use calc.exe. Popping up the calculator from the browser just by visiting a webpage: this is like a dream come true and the ultimate goal.

7. Bypass the Sandbox
Nowadays, most browsers come with a sandbox. A browser sandbox builds a contained environment which restricts the exploit's access to other computer resources. This means that even if you have an exploit for the browser, without bypassing the sandbox, it's not going to do anything to the victim's computer. Bypass the sandbox and win USD 200,000.

If you dream of doing things like these, fuzzing is where you need to start.

I'm planning to talk about my experience, the process I used & the bugs I discovered at upcoming security conferences. Hope to see you there.

AMol NAik

Updated 08-13-2014 at 04:24 PM by amolnaik4
