Linked by Thom Holwerda on Fri 3rd Aug 2007 15:46 UTC, submitted by Miche
Mozilla & Gecko clones
"At the Blackhat conference, Window Snyder and Mike Shaver of Mozilla released new tools for testing their browser - Firefox - and other popular browsers, such as Microsoft Internet Explorer, Apple Safari and Opera. The tools include a protocol fuzzer by Michael Eddington and a Javascript fuzzer by Jesse Ruderman. Fuzzing is a method by which researchers randomly simulate common conditions under which most browsers fail."
Fuzzing == testing
by jessta (3.76) on Fri 3rd Aug 2007 16:15 UTC

fuzzing, aka. sending random improper data at a piece of code to see if it handles it correctly.
aka. normal proper testing

RE: Fuzzing == testing
by renox (2.84) on Fri 3rd Aug 2007 17:55 UTC in reply to "Fuzzing == testing"

"aka. normal proper testing"

In an ideal world yes, in the real world no: nearly all the unit tests I've seen check the behaviour of the application when given "normal" data.

Given this, it makes sense to use another name for 'security testing' where you're explicitly testing the application against a cracker.

Of course 'security testing' is not restricted to fuzzing.

RE[2]: Fuzzing == testing
by StephenBeDoper (2.64) on Sun 5th Aug 2007 08:06 UTC in reply to "RE: Fuzzing == testing"

"In an ideal world yes, in the real world no: nearly all the unit tests I've seen check the behaviour of the application when given 'normal' data."

I've found that to be the case even when testing web-based forms. Ten percent of the time is spent making sure the forms work when users fill them out correctly; the other ninety percent of the time is occupied by making sure there is proper error-handling when users enter information incorrectly.
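The contrast drawn in this sub-thread, as an added example that is not part of the original comments: one parser for a made-up type/length/value record passes a "normal data" check in both modes, while a small mutation fuzzer exposes the unhandled exceptions in the naive mode. The record format, `parse`, `mutate`, `fuzz` and the sample bytes are all constructed for illustration.

```python
import random
import struct

class ParseError(ValueError):
    """The only exception a hardened parser should raise on bad input."""

def parse(data: bytes, strict: bool) -> dict:
    """Parse type/length/value records: type 1 = ASCII name, type 2 = 16-bit port."""
    out, i = {}, 0
    while i < len(data):
        if strict and i + 2 > len(data):
            raise ParseError("truncated header")
        ftype, flen = data[i], data[i + 1]        # naive mode: IndexError
        value = data[i + 2:i + 2 + flen]
        if strict and len(value) != flen:
            raise ParseError("truncated value")
        if ftype == 1:
            if strict and max(value, default=0) > 0x7F:
                raise ParseError("non-ASCII name")
            out["name"] = value.decode("ascii")   # naive mode: UnicodeDecodeError
        elif ftype == 2:
            if strict and flen != 2:
                raise ParseError("bad port length")
            out["port"] = struct.unpack(">H", value)[0]   # naive mode: struct.error
        i += 2 + flen
    return out

# Constructed sample input: name "www" followed by port 443.
SEED = bytes([1, 3]) + b"www" + bytes([2, 2]) + struct.pack(">H", 443)

def mutate(sample: bytes, rng: random.Random) -> bytes:
    """Overwrite 1-3 random bytes, then truncate about 30% of the time."""
    buf = bytearray(sample)
    for _ in range(rng.randint(1, 3)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    if rng.random() < 0.3:
        del buf[rng.randrange(1, len(buf)):]
    return bytes(buf)

def fuzz(strict: bool, rounds: int = 2000, seed: int = 1) -> set:
    """Return the names of unexpected exception types seen while fuzzing."""
    rng, seen = random.Random(seed), set()
    for _ in range(rounds):
        try:
            parse(mutate(SEED, rng), strict)
        except ParseError:
            pass                      # controlled rejection is the desired outcome
        except Exception as exc:      # anything else is a robustness bug
            seen.add(type(exc).__name__)
    return seen
```

`fuzz(strict=False)` returns the exception types the "normal data" check never triggers; `fuzz(strict=True)` returning an empty set makes a cheap regression test once the parser is hardened.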

Not bad
by smitty (3.48) on Fri 3rd Aug 2007 16:51 UTC

From another article:
Ruderman claimed that in its brief existence jsfunfuzz (the js fuzzer) has already found 280 bugs in Firefox, 27 of which were exploitable.

Sounds nice...
by robinh (2.88) on Fri 3rd Aug 2007 18:00 UTC

...anyone know where to download these tools from?

RE: Sounds nice...
by AxiomShell (1.17) on Fri 3rd Aug 2007 18:10 UTC in reply to "Sounds nice..."

RE: Sounds nice...
by Morty (4.76) on Mon 6th Aug 2007 09:59 UTC in reply to "Sounds nice..."

One such tool is zzuf, http://sam.zoy.org/zzuf/

For testing browsers this is not anything new, here is one article about it from back in April 2006. http://www.theregister.co.uk/2006/04/13/data_fuzzing/

You can run the test on your browser of choice, to see how long it takes before it crashes :-) http://metasploit.com/users/hdm/tools/see-ess-ess-die/cssdie.html

Memory leaks
by RawMustard (2.04) on Sat 4th Aug 2007 02:24 UTC

Maybe this will help them find all the memory leaks?
One can hope.

RE: Memory leaks
by smitty (3.48) on Sat 4th Aug 2007 05:07 UTC in reply to "Memory leaks"

In case you were actually being serious, no this will not help find memory leaks.

I'm pretty sure that was supposed to be sarcasm.
They're working on them, and the goal is for the next version to be completely free. One of the developers recently took Firefox3 to the 500 most popular internet sites, and there was only 1 leak (which was immediately fixed). Of course, he didn't do any navigation inside the sites, only going to the main page. But that is still pretty good.