| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 31 Jan 2009 19:49:05 -0500
From: Pete Licoln <pete.licoln@...il.com>
To: Krakow Labs <krakowlabs@...il.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: Browser Fuzzer 2
Don't like it? Trash it.
I did.
But on the other side, you ask for comments for your fuzzers
I give somes constructive .
Don't like it ? stay blind & Trash it :)
Pete Licoln wrote:
> Hi Jeremy,
>
> I think this fuzzer is useless, and doesn't have any kind of innovation.
> This fuzzer acts as a cheap binary fuzzer, without any automation on
> the targeted browser, like your others fuzzers you've wrote.
> There's severals DOM CSS DHTML fuzzers written in JS way more
> powerfull, did you heard about them ?
>
> Next time take some times before releasing such useless stuff.
>
>
> Regards
>
>
>
> 2009/1/31 Krakow Labs <krakowlabs@...il.com <mailto:krakowlabs@...il.com>>
>
> That is one point I would like to get across: fuzzing doesn't have
> to be
> and frequently isn't random, no matter how much the wikis copy its
> 'definition'. The fuzzing oracle is the heart of the fuzzing process,
> and making sure it is adequate to check for bugs is, I feel, a key to
> being successful when fuzzing. I understand that near complete
> randomness can be effective as demonstrated with mangleme, etc, but I
> rarely choose that approach when working on projects; I just do not
> think of it as a huge benefit. And the number of fuzzing files is
> limited to the functions and tags and to the fuzzing oracle, all of
> which can be modified and rearranged. Information, information,
> information :)
>
> You did ask some good questions, thanks for your input.
>
> webDEViL wrote:
> > Hello Jeremy,
> >
> > I am in no way trying to criticise your work, just had a few
> questions
> > that I had to ask :)
> >
> > Your fuzzers are like meant to be run only once, cause pretty much
> > everyone will have the same files created.
> > Why isnt there any randomness in creating the fuzzed files?
> > bf2[phase four] JS Process Complete (Final Count: 8004).
> >
> > Well I am saying that your fuzzer will die, in like a day, cause the
> > number of files is finite and very few in number.
> > Whats the point with such fuzzers being released to the community?
> >
> >
> >
> > Regards,
> > webDEViL
> >
> >
> > On Fri, Jan 30, 2009 at 11:14 PM, Krakow Labs
> <krakowlabs@...il.com <mailto:krakowlabs@...il.com>
> > <mailto:krakowlabs@...il.com <mailto:krakowlabs@...il.com>>> wrote:
> >
> > Krakow Labs Development
> >
> > Browser Fuzzer 2 (bf2) is a comprehensive web browser fuzzer
> that
> > fuzzes
> > CSS, DOM, HTML and JavaScript.
> >
> > bf2 is available @ www.krakowlabs.com
> <http://www.krakowlabs.com> <http://www.krakowlabs.com>
> > <http://www.krakowlabs.com>
> >
> > -KL
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists