lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4984CCD7.6000404@gmail.com>
Date: Sat, 31 Jan 2009 17:12:39 -0500
From: Krakow Labs <krakowlabs@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Browser Fuzzer 2

Well Pete, you are certainly entitled to your opinion. And in regard to 
the comment about bf2 having no automation.. the fact is, it does: every 
fuzz page contains refresh code for the next, allowing the fuzzing 
process to be completely automated. BF2 needs no defense-- from its 
conception it has proved very useful. Don't like it? Trash it.

Pete Licoln wrote:
> Hi Jeremy,
>
> I think this fuzzer is useless, and doesn't have any kind of innovation.
> This fuzzer acts as a cheap binary fuzzer, without any automation on 
> the targeted browser, like your others fuzzers you've wrote.
> There's severals DOM CSS DHTML fuzzers written in JS way more 
> powerfull, did you heard about them ?
>
> Next time  take some times before releasing such useless stuff.
>
>
> Regards
>
>
>
> 2009/1/31 Krakow Labs <krakowlabs@...il.com <mailto:krakowlabs@...il.com>>
>
>     That is one point I would like to get across: fuzzing doesn't have
>     to be
>     and frequently isn't random, no matter how much the wikis copy its
>     'definition'. The fuzzing oracle is the heart of the fuzzing process,
>     and making sure it is adequate to check for bugs is, I feel, a key to
>     being successful when fuzzing. I understand that near complete
>     randomness can be effective as demonstrated with mangleme, etc, but I
>     rarely choose that approach when working on projects; I just do not
>     think of it as a huge benefit. And the number of fuzzing files is
>     limited to the functions and tags and to the fuzzing oracle, all of
>     which can be modified and rearranged. Information, information,
>     information :)
>
>     You did ask some good questions, thanks for your input.
>
>     webDEViL wrote:
>     > Hello Jeremy,
>     >
>     > I am in no way trying to criticise your work, just had a few
>     questions
>     > that I had to ask :)
>     >
>     > Your fuzzers are like meant to be run only once, cause pretty much
>     > everyone will have the same files created.
>     > Why isnt there any randomness in creating the fuzzed files?
>     > bf2[phase four] JS Process Complete (Final Count: 8004).
>     >
>     > Well I am saying that your fuzzer will die, in like a day, cause the
>     > number of files is finite and very few in number.
>     > Whats the point with such fuzzers being released to the community?
>     >
>     >
>     >
>     > Regards,
>     > webDEViL
>     >
>     >
>     > On Fri, Jan 30, 2009 at 11:14 PM, Krakow Labs
>     <krakowlabs@...il.com <mailto:krakowlabs@...il.com>
>     > <mailto:krakowlabs@...il.com <mailto:krakowlabs@...il.com>>> wrote:
>     >
>     >     Krakow Labs Development
>     >
>     >     Browser Fuzzer 2 (bf2) is a comprehensive web browser fuzzer
>     that
>     >     fuzzes
>     >     CSS, DOM, HTML and JavaScript.
>     >
>     >     bf2 is available @ www.krakowlabs.com
>     <http://www.krakowlabs.com> <http://www.krakowlabs.com>
>     >     <http://www.krakowlabs.com>
>     >
>     >     -KL
>     >
>     >     _______________________________________________
>     >     Full-Disclosure - We believe in it.
>     >     Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>     >     Hosted and sponsored by Secunia - http://secunia.com/
>     >
>     >
>
>     _______________________________________________
>     Full-Disclosure - We believe in it.
>     Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>     Hosted and sponsored by Secunia - http://secunia.com/
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ