2014_EN_BrowserFuzzing_RosarioValotta

Recommendations

Info

FUZZing with XHR (1/2) Similar considerations also apply to web sockets network calls • A Lot more race conditions may be triggered using XMLHttpRequests • XHRs can be synch (deprecated) or asynch operations • XHRs state can be monitored using some event listeners: • readystatechange, progress, abort, error, load, timeout, loadend • An xhr object must not be garbage collected if its state is opened and the send flag is set or its state is loading or it has one or more event listeners registered Create xhr object Open xhr Send xhr Execute callback Xhr dangling references Add listener force GC Unload/reload document removeEventListener Redefine XHR In order to trigger GC before callback returns you can rely on synch events
FUZZing with XHR (2/2) Similar considerations also apply to web sockets network calls • A race condition may happen If your callback code relies on some object/function that has been GC’ed or is uninitialized at the moment of callback execution • E.g. Suppose your callback code executes some mutation operations on an object bound to xhr and you’re running multiple concurrent xhr calls Create xhr#1 object Open xhr#1 Send xhr#1 Execute callback 2 GC Create xhr#2 object Open xhr#2 Send xhr#2 Execute callback 1 3 XHR methods/ attribute tweaking • Some other race conditions may happen when xhr are recursive: Create xhr object Open xhr Send xhr Execute callback
Page 1 and 2: BROWSER FUZZING IN 2014: David vs G
Page 3 and 4: 你好 ! • Hi beijing! I am rosa
Page 5 and 6: Vulnerabilities market Providers Bu
Page 7 and 8: Memory corruption vulns: a primer
Page 9 and 10: Usual Targets for Browser fuzzing R
Page 11 and 12: DOM fuzzing • DOM has a complex d
Page 13 and 14: Stone #1 - Fuzzing/with/TIME
Page 15 and 16: • browsers are event-driven JS ti
Page 17 and 18: • Event objects are dispatched to
Page 19: Fuzzing with events setTimeout(fn,0
Page 23 and 24: …the other side of the party •
Page 25 and 26: Stone #2 - Fuzzing/with/space
Page 27 and 28: Using legacy engines • By default
Page 29 and 30: Cross engines interactions • When
Page 31 and 32: Introducing fileja • A prototype
Page 33 and 34: SOME RESULTS #1 Registers: EAX = 0x
Page 35 and 36: SOME RESULTS #3 Registers: EAX = 0x
Page 37 and 38: Registers: EAX = 0x00454545 - EBX =
Page 39 and 40: SOME RESULTS #7 Caught a Write Acce
Page 41 and 42: SOME RESULTS #9 Caught a Read Acces
Page 43: Thankyou 谢谢

2014_EN_BrowserFuzzing_RosarioValotta

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?