2014_EN_BrowserFuzzing_RosarioValotta

Recommendations

Info

Let’s network party with dom! • The idea here is to combine classical approach of dom fuzzing with network calls • Snippet of valid Js are retrieved using xhrs or wss and processed in context of the dom xhr = new XMLHttpRequest(); xhr.open("GET", "http://127.0.0.1:8887", RBool()); xhr.onreadystatechange = function() { if (this.readyState == 4) { var s=document.createElement("script"); s.innerText=xhr.responseText; document.body.appendChild(s); } } Mix synch and asynch calls socket = new WebSocket("ws://127.0.0.1:9999", "fuzz"); socket.addEventListener("message", function(event) { s=document.createElement("script"); s.src=(window.URL.createObjectURL(new Blob([data],{type:"text/html"})); document.body.appendChild(s); f.contentWindow.eval(s.innerText); });
…the other side of the party • On the server side there are a bunch of applications, implementing http and WS servers • For every request: 1. A random delay is applied before generating the response this affect timing on client side 2. A fragment of valid js is composed and returnet as text/html or… 3. ...a reference to a function declared on the client side is returned • Fuzzing with code fragments has been an approach used in the past by langfuzz, but here the goal is to target specific borderline execution scenarios race conditions Create xhr/WS object Open xhr/WS Eval (JS) Send xhr/WS Execute callback js Nodejs app • This evaluation of the js fragment is influenced by: • synch DOM mutations that occurred in the middle of call processing • xhr/ws references not disposed when client location page is navigated away • race conditions in request/response management
Page 1 and 2: BROWSER FUZZING IN 2014: David vs G
Page 3 and 4: 你好 ! • Hi beijing! I am rosa
Page 5 and 6: Vulnerabilities market Providers Bu
Page 7 and 8: Memory corruption vulns: a primer
Page 9 and 10: Usual Targets for Browser fuzzing R
Page 11 and 12: DOM fuzzing • DOM has a complex d
Page 13 and 14: Stone #1 - Fuzzing/with/TIME
Page 15 and 16: • browsers are event-driven JS ti
Page 17 and 18: • Event objects are dispatched to
Page 19 and 20: Fuzzing with events setTimeout(fn,0
Page 21: FUZZing with XHR (2/2) Similar cons
Page 25 and 26: Stone #2 - Fuzzing/with/space
Page 27 and 28: Using legacy engines • By default
Page 29 and 30: Cross engines interactions • When
Page 31 and 32: Introducing fileja • A prototype
Page 33 and 34: SOME RESULTS #1 Registers: EAX = 0x
Page 35 and 36: SOME RESULTS #3 Registers: EAX = 0x
Page 37 and 38: Registers: EAX = 0x00454545 - EBX =
Page 39 and 40: SOME RESULTS #7 Caught a Write Acce
Page 41 and 42: SOME RESULTS #9 Caught a Read Acces
Page 43: Thankyou 谢谢

2014_EN_BrowserFuzzing_RosarioValotta

Create successful ePaper yourself

Delete template?

Save as template?