Friday, October 16, 2020

What the fuzz, or how browser vulnerabilities are found


Hello world! Today we are going to discuss browser bug bounty hunting, also known as browser pwning. Wait, what?

Yeah, so in case you didn't know, browser hacking has been a thing since 2003, because browsers are software, and software is written in a specific programming language. Browsers like Chrome, Firefox and Edge are written mainly in C++, with some additional C.

What is fuzzing?

According to wikipedia:

"Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Typically, fuzzers are used to test programs that take structured inputs. This structure is specified, e.g., in a file format or protocol and distinguishes valid from invalid input. An effective fuzzer generates semi-valid inputs that are "valid enough" in that they are not directly rejected by the parser, but do create unexpected behaviors deeper in the program and are "invalid enough" to expose corner cases that have not been properly dealt with." - Wikipedia (https://en.wikipedia.org/wiki/Fuzzing)

How many types of fuzzing are there?

A lot. Oh, and I'm not kidding: there is supervised fuzzing, coverage-based fuzzing, grammar fuzzing, dumb fuzzing, smart fuzzing, generational fuzzing and finally mutational fuzzing. All of them fall under two big categories: dumb fuzzing and smart fuzzing.

Fuzzing Chrome:

Now before we start attacking Chrome blindly, a warning! Chrome's base source code is over 8.8GB. In order to be able to find a potential crash we need to choose a component. Here is an example: the jscore of the Edge browser.

Now you see I chose to fuzz the JS engine behind a browser; you can choose another component.


Now the actual fuzzing


Now, you will not just write a dumb fuzzer like this one:


When we talk about big code bases we need to fuzz smart. We choose grammar-based fuzzing.

Quoting from the Mozilla fuzzing page: "Grammar-based fuzzing is a fuzzing technique that uses a formal language grammar to define the structure of the data to be generated. These grammars are typically represented in plain-text and use a combination of symbols and constants to represent the data".

In the industry the two most used fuzzers are dharma and Domato. We will use dharma.

Dharma can be downloaded from this page: https://github.com/MozillaSecurity/dharma

How to use dharma


Actually it's not that hard, since all the heavy lifting has been done by Mozilla in terms of coding. The usage is "./dharma -grammars <grammar file> -count <number of samples to generate> -format <output file format> -seed <random number for more entropy> -storage <output folder>".

Grammar

In terms of grammar, we need to give the fuzzer a valid grammar as input so that it generates correct test cases. Lucky for us, Mozilla provides a grammar sample.
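To make the "dumb fuzzer versus grammar-based fuzzing" point concrete, and to show what a grammar actually buys you before you write your own, here is an added Python example. It is not code from this post, from dharma or from Mozilla: the grammar below is a toy JavaScript subset written in a dharma-like +rule+ reference style, but the dict format, the generate() expander, the byte-flipping dumb_mutate() and the constructed SEED_JS script are all my own simplifications, and looks_parseable() is a deliberately cheap stand-in for a real JS parser (printable ASCII plus balanced brackets), not an engine's front end.

```python
import random
import re
import string

# Constructed toy grammar for a small JavaScript subset. A reference to another
# rule is written +name+, loosely in the style dharma uses; this dict format is
# my own simplification and is NOT a dharma .dg grammar file.
JS_GRAMMAR = {
    "main": ["var +ident+ = +expr+;\n+stmt+\n+stmt+\n"],
    "stmt": [
        "+ident+ = +expr+;",
        "+ident+.push(+expr+);",
        "if (+expr+) { +stmt+ }",
        "for (var i = 0; i < +digit+; i++) { +stmt+ }",
        "+call+;",
    ],
    "expr": [
        "+number+",
        "+ident+",
        "[+expr+, +expr+]",
        "+expr+ + +expr+",
        "+call+",
        "'+str+'",
    ],
    "call": [
        "Math.max(+expr+, +expr+)",
        "String.fromCharCode(+number+)",
        "+ident+.length",
        "parseInt('+digit++digit+')",
    ],
    "ident": ["a", "b", "arr", "obj"],
    "number": ["+digit+", "+digit++digit+", "0x+digit+f", "-+digit+", "1e+digit+"],
    "digit": [str(d) for d in range(10)],
    "str": ["", "x", "\\u0041", "%s"],
}

REF = re.compile(r"\+(\w+)\+")  # matches one +rule+ reference


def generate(grammar, rule="main", rng=None, depth=0, max_depth=6):
    """Expand `rule` by picking alternatives at random and recursing into
    every +rule+ reference. Past max_depth the alternative with the fewest
    references is chosen so that recursive rules like expr always bottom out."""
    if rng is None:
        rng = random.Random()
    alts = grammar[rule]
    if depth >= max_depth:
        chosen = min(alts, key=lambda alt: len(REF.findall(alt)))
    else:
        chosen = rng.choice(alts)
    return REF.sub(
        lambda m: generate(grammar, m.group(1), rng, depth + 1, max_depth), chosen
    )


def sample(seed):
    """Deterministic test case for a given seed (same seed, same sample)."""
    return generate(JS_GRAMMAR, rng=random.Random(seed))


# Constructed seed script for the dumb fuzzer.
SEED_JS = b"var arr = [1, 2, 3];\nfor (var i = 0; i < 3; i++) { arr.push(arr.length); }\n"


def dumb_mutate(data, rng, flips=8):
    """Dumb fuzzing: overwrite a few random bytes with random values."""
    buf = bytearray(data)
    for _ in range(flips):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


PAIRS = {")": "(", "]": "[", "}": "{"}


def looks_parseable(sample_text):
    """Cheap stand-in for a real JS parser: printable ASCII and balanced
    brackets. Anything failing this would be thrown out by the parser long
    before it reaches the interesting code deeper in a JS engine."""
    if isinstance(sample_text, bytes):
        try:
            sample_text = sample_text.decode("ascii")
        except UnicodeDecodeError:
            return False
    if any(ch not in string.printable for ch in sample_text):
        return False
    stack = []
    for ch in sample_text:
        if ch in "([{":
            stack.append(ch)
        elif ch in PAIRS and (not stack or stack.pop() != PAIRS[ch]):
            return False
    return not stack


def compare(n=50, seed=1234):
    """Return (grammar_ok, dumb_ok): how many of n samples from each approach
    get past the parseability check."""
    rng = random.Random(seed)
    grammar_ok = sum(looks_parseable(generate(JS_GRAMMAR, rng=rng)) for _ in range(n))
    dumb_ok = sum(looks_parseable(dumb_mutate(SEED_JS, rng)) for _ in range(n))
    return grammar_ok, dumb_ok


if __name__ == "__main__":
    print(sample(7))
    print("grammar-based / dumb samples passing the parser check:", compare())
```

Every grammar-generated sample passes the check, because the grammar can only produce well-formed pieces; the byte-flipped samples almost never do, which is exactly why a dumb fuzzer wastes its time on a parser instead of the engine behind it. The max_depth guard is the same idea as a recursion limit in a real grammar fuzzer: without it, a rule like expr that refers to itself can blow up into huge test cases.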


Now if we run it we get this output:


To make readers' lives easier, I will give you a link to my grammar. It's under development, so please know that some test cases might not be valid: https://github.com/SpiralBL0CK/custom-dharma-grammer-for-js-

End
Happy fuzzing!
