“At the Blackhat conference, Window Snyder and Mike Shaver of Mozilla released new tools for testing their browser – Firefox – and other popular browsers, such as Microsoft Internet Explorer, Apple Safari and Opera. The tools include a protocol fuzzer by Michael Eddington and a Javascript fuzzer by Jesse Ruderman. Fuzzing is a method by which researchers randomly simulate common conditions under which most browsers fail.
fuzzing, aka. sending random improper data at a piece of code to see if it handles it correctly.
aka. normal proper testing
“aka. normal proper testing”
In an ideal world yes, in the real world no: nearly all the unit test I’ve seen check the behaviour of the application when given “normal” data.
Given this, it makes sense to use another name for ‘security testing’ where you’re explicity testing the application against a cracker.
Of course ‘security testing’ is not restricted to fuzzing..
I’ve found that to be the case even when testing web-based forms. Ten percent of the time is spent making sure the forms work when users fill them out correctly; the other ninety percent of the time is occupied by making sure there is proper error-handling when users enter information incorrectly.
From another article:
Ruderman claimed that in its brief existence jsfunfuzz (the js fuzzer) has already found 280 bugs in Firefox, 27 of which were exploitable.
…anyone know where to download these tools from?
https://bugzilla.mozilla.org/show_bug.cgi?id=jsfunfuzz
One such tool are zzuf, http://sam.zoy.org/zzuf/
For testing browsers this is not anything new, here is one article about it from back in April 2006. http://www.theregister.co.uk/2006/04/13/data_fuzzing/
You can run the test on your browser of choice, to see how long it takes before it crash http://metasploit.com/users/hdm/tools/see-ess-ess-die/cssdie.html
Maybe this will help them find all the memory leaks?
One can hope.
In case you were actually being serious, no this will not help find memory leaks.
I’m pretty sure that was supposed to be sarcasm.
They’re working on them, and the goal is for the next version to be completely free. One of the developers recently took Firefox3 to the 500 most popular internet sites, and there was only 1 leak (which was immediately fixed). Of course, he didn’t do any navigation inside the sites, only going to the main page. But that is still pretty good.