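#!/usr/bin/perl
# bf2.pl
# 01.19.2009
# Browser Fuzzer 2
#
# Krakow Labs Development [krakowlabs.com] -> bf2
# "Browser Fuzzer 2 -- The bugs cannot hide anymore"
# rush@KL (Jeremy Brown) [rush[at]krakowlabs[dot]com]
#
# Associated Files & Information:
# http://www.krakowlabs.com/dev/fuz/bf2/bf2.pl.txt
# http://www.krakowlabs.com/dev/fuz/bf2/bf2_doc.txt
# http://www.krakowlabs.com/dev/fuz/bf2/bf2.tar.gz
# http://www.krakowlabs.com/dev/fuz/bf2/bf2.jpeg

# bf2.pl
#
# Generates numbered test pages for browser robustness testing. Every target
# (CSS value, DOM member, HTML attribute, JS function) is paired with every
# payload in the four lists below and handed to a page-writing sub
# (csscreate1..3, domcreate, htmlcreate) defined elsewhere in this file.
#
# Operational caveats:
#  * One pass over the four payload lists carries well over 100 MB of payload
#    text (the largest single entries are 20,000,000 bytes), and phases two
#    and three make one pass per DOM member / HTML attribute. Size the output
#    volume accordingly.
#  * The usage example writes into a web server directory. Anything written
#    there is served to whoever can reach that server, so use a dedicated
#    directory on an isolated test host rather than a shared or public root.

use Getopt::Std;

# FUZZ DATA BEGIN HERE [_Jeremy Brown_ 3rd Generation Fuzzing Oracle [unlimited style, web] _Jeremy Brown_] 116

# Long-string payloads: plain runs, path-like runs, URL-like and host-like runs.
@overflows = (
    'A' x 2200, 'A' x 4200, 'A' x 8500, 'A' x 12000, 'A' x 22000, 'A' x 52000,
    'A' x 120000, 'A' x 500500, 'A' x 1200000, 'A' x 5005000, 'A' x 12000000,
    'A' x 20000000,
    '//AAAA' x 5000, '\\\AAAA' x 5000, '\0x99' x 12000,
    'http://' . 'A' x 4200, 'http://' . 'A' x 12000, 'http://' . 'A' x 500500,
    'http://' . 'A' x 5005000, 'http://' . 'A' x 20000000,
    'www.' . 'A' x 4200 . '.com', 'www.' . 'A' x 12000 . '.com',
    'www.' . 'A' x 500500 . '.com', 'www.' . 'A' x 5005000 . '.com',
    'www.' . 'A' x 20000000 . '.com',
    'A/' x 2100, 'A/' x 6000, 'A/' x 250250, 'A/' x 2502500, 'A/' x 10000000,
); # 30

# printf-style conversion specifiers.
@fmtstring = (
    '%n%n%n%n%n', '%p%p%p%p%p', '%s%s%s%s%s', '%d%d%d%d%d', '%x%x%x%x%x',
    '%s%p%x%d',
    '%.1024d', '%.1025d', '%.2048d', '%.2049d', '%.4096d', '%.4097d',
    '%99999999999s', '%08x',
    '%%20n', '%%20p', '%%20s', '%%20d', '%%20x',
    '%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%',
    '\0xCD' x 50, '\0xCB' x 50,
); # 22

# Integer and floating-point boundary values, as decimal and hex text.
@numbers = qw(
    0 -0 1 -1 32767 -32768
    2147483647 -2147483647 2147483648 -2147483648
    4294967294 4294967295 4294967296
    357913942 -357913942 536870912 -536870912
    5e-324 1.79769313486231E+308 3.39519326559384E-313
    99999999999 -99999999999
    0x100 0x1000 0x3fffffff 0x7ffffffe 0x7fffffff 0x80000000
    0xffff 0xfffffffe 0xfffffff 0xffffffff 0x10000 0x100000 0x99999999
    65535 65536 65537 16777215 16777216 16777217 -268435455
); # 42

# Command-separator, path and punctuation probes. The embedded commands are
# canaries: a /tmp/FU_ZZ_ED file or a calculator window appearing on the test
# machine means the payload was executed rather than treated as data.
@miscbugs = (
    'test|touch /tmp/FU_ZZ_ED|test', 'test`touch /tmp/FU_ZZ_ED`test',
    'test\'touch /tmp/FU_ZZ_ED\'test', 'test;touch /tmp/FU_ZZ_ED;test',
    'test&&touch /tmp/FU_ZZ_ED&&test',
    'test|C:/WINDOWS/system32/calc.exe|test', 'test`C:/WINDOWS/system32/calc.exe`test',
    'test\'C:/WINDOWS/system32/calc.exe\'test', 'test;C:/WINDOWS/system32/calc.exe;test',
    'C:/WINDOWS/system32/calc.exe',
    '|/bin/sh|', '`/bin/sh`',
    '../..\\' x 500,
    '%0xa', '%u000', '`~@#$', '%^&*()', '-=_+', '[]\{}', '|;\':"', ',./<>',
    '?' x 12000,
); # 22

# FUZZ DATA END HERE [_Jeremy Brown_ 3rd Generation Fuzzing Oracle [unlimited style, web] _Jeremy Brown_] 116

# DOM BEGIN

@domwindow   = qw(outerHeight outerWidth status moveBy moveTo resizeBy resizeTo
                  scrollBy scrollTo setInterval setTimeout); # do (first 3) & others -- window.resizeX/scrollX has 2 params & setX has 2
# 'writeln' was spelled 'writeIn' (capital i), which is not a document member,
# so that case never reached the real method.
@domdocument = qw(cookie getElementById getElementsByName getElementsByTagName
                  open write writeln); # open can have 2 params
@domhistory  = qw(go);
@domlocation = qw(hash host hostname href pathname port protocol search assign replace);

# DOM END

# HTML BEGIN

# Every tag's attribute list in the original ends with these eight names, in
# this order; they are appended to each list below instead of being retyped.
@htmlcore = qw(class id style title dir lang accesskey tabindex);

@htmlbody     = (qw(alink background bgcolor link text vlink), @htmlcore);
@htmlp        = (qw(align), @htmlcore);
@htmlhr       = (qw(align noshade size width), @htmlcore);
@htmlfont     = (qw(color face size), @htmlcore);
@htmlbdo      = (qw(dir), @htmlcore);
@htmlpre      = (qw(width), @htmlcore);
@htmla        = (qw(charset coords href hreflang name rel rev shape target type), @htmlcore);
# 'hreflang' was spelled 'hrefland' here.
@htmllink     = (qw(charset href hreflang media rel rev target type), @htmlcore);
@htmlframe    = (qw(frameborder longdesc marginheight marginwidth name noresize scrolling src), @htmlcore);
@htmlframeset = (qw(cols rows), @htmlcore);
@htmliframe   = (qw(align frameborder height longdesc marginheight marginwidth name scrolling src width), @htmlcore);
@htmlform     = (qw(action accept accept-charset enctype method name target), @htmlcore);
@htmlinput    = (qw(accept align alt checked disabled maxlength name readonly size src type value), @htmlcore);
@htmltextarea = (qw(cols rows disabled name readonly), @htmlcore);
@htmlbutton   = (qw(disabled name type value), @htmlcore);
@htmlselect   = (qw(disabled multiple name size), @htmlcore);
@htmloptgroup = (qw(label disabled), @htmlcore);
@htmloption   = (qw(disabled label selected value), @htmlcore);
@htmllabel    = (qw(for), @htmlcore);
@htmllegend   = (qw(align), @htmlcore);
@htmlul       = (qw(compact type), @htmlcore);
@htmlol       = (qw(compact start type), @htmlcore);
@htmlli       = (qw(type value), @htmlcore);
@htmldir      = (qw(compact), @htmlcore);
@htmlmenu     = (qw(compact), @htmlcore);
@htmlimg      = (qw(alt src align border height hspace longdesc usemap vspace width), @htmlcore);
@htmlmap      = (qw(id), @htmlcore);
@htmlarea     = (qw(alt coords href nohref shape target), @htmlcore);
@htmltable    = (qw(align bgcolor border cellpadding cellspacing frame rules summary width), @htmlcore);
@htmlcaption  = (qw(align), @htmlcore);
@htmlth       = (qw(abbr align axis bgcolor char charoff colspan headers height nowrap rowspan scope valign width), @htmlcore);
@htmltr       = (qw(align bgcolor char charoff valign), @htmlcore);
@htmltd       = (qw(abbr align axis bgcolor char charoff colspan headers height nowrap rowspan scope valign width), @htmlcore);
@htmlthead    = (qw(align char charoff valign), @htmlcore);
@htmltbody    = (qw(align char charoff valign), @htmlcore);
@htmltfoot    = (qw(align char charoff valign), @htmlcore);
@htmlcol      = (qw(align char charoff span valign width), @htmlcore);
@htmlcolgroup = (qw(align char charoff span valign width), @htmlcore);
@htmlstyle    = (qw(type media), @htmlcore);
@htmldiv      = (qw(align), @htmlcore);
@htmlhead     = (qw(profile), @htmlcore);
@htmlmeta     = (qw(content http-equiv name scheme), @htmlcore);
@htmlbase     = (qw(target), @htmlcore);
@htmlbasefont = (qw(color face size), @htmlcore);
@htmlscript   = (qw(type charset defer language src), @htmlcore);
@htmlapplet   = (qw(height width align alt archive code codebase hspace name object title vspace), @htmlcore);
@htmlobject   = (qw(align archive border classid codebase codetype data declare height hspace name standby type usemap vspace width), @htmlcore);
@htmlparam    = (qw(name type value valuetype), @htmlcore);

# HTML END

# JavaScript BEGIN

# Corrected spellings so each entry names a real function or method:
# isNaN (was inNaN), dte.setSeconds (was dte.Seconds),
# numbr.toPrecision (was numbr.toPercision).
@jstlfuncs    = qw(decodeURI decodeURIComponent encodeURI encodeURIComponent escape unescape
                   eval isFinite isNaN Number parseFloat parseInt String);
@jsstringmtds = qw(strng.anchor strng.charAt strng.charCodeAt strng.concat strng.fontcolor
                   strng.fontsize strng.fromCharCode strng.indexOf strng.lastIndexOf strng.link
                   strng.link strng.match strng.replace strng.search strng.slice strng.split
                   strng.substr strng.substring);
@jsdatemtds   = qw(Date.parse dte.setDate dte.setFullYear dte.setHours dte.setMilliseconds
                   dte.setMinutes dte.setMonth dte.setSeconds dte.setTime dte.setUTCDate
                   dte.setUTCMonth dte.setUTCFullYear dte.setUTCHours dte.setUTCMinutes
                   dte.setUTCSeconds dte.setUTCMilliseconds dte.setYear);
@jsmathmtds   = qw(Math.abs Math.acos Math.asin Math.atan Math.atan2 Math.ceil Math.cos Math.exp
                   Math.floor Math.log Math.max Math.min Math.pow Math.round Math.sin Math.sqrt
                   Math.tan);
@jsnumbermtds = qw(numbr.toExponential numbr.toFixed numbr.toPrecision numbr.toString);

# JavaScript END

# Page scaffolding passed to the page-writing subs.
# NOTE(review): in this copy the markup literals below are empty, and
# $cssend, $scriptend and $refresh2 are passed to the subs further down
# without being assigned anywhere in view. That pattern suggests the HTML
# inside these strings was stripped when the page was captured; restore the
# literals from the upstream bf2.pl before relying on the generated pages.
$cssbegin     = '' . "\n" . '';
$htmlbegin    = '';
$htmlend      = '';
$scriptbegin  = '';
$jsvarstrng   = 'var strng = "test";';
$jsvardte     = 'var dte = new Date();';
$jsvarnumbr   = 'var numbr = new Number(1000);';
$refresh1     = '';

getopts('o:p:', \%opts);

$output = $opts{'o'};
$phase  = $opts{'p'};

print "\n     Krakow Labs Development [krakowlabs.com] -> bf2";
print "\n \"Browser Fuzzer 2 -- The bugs cannot hide anymore\"";
print "\n rush\@KL (Jeremy Brown) [rush[at]krakowlabs[dot]com]\n";

# Show usage when an option is missing or the phase is not one of the four
# listed. Previously an unknown phase printed the banner and then did nothing.
if(!defined($output) || !defined($phase) || $phase !~ /\A[1-4]\z/)
{
    print "\n Usage: $0 -o [output dir] -p [phase]\n";
    print "\n[phase one]   -> CSS Fuzzing  (Cascading Style Sheets, Inline Style, Core Parsing)";
    print "\n[phase two]   -> DOM Fuzzing  (Document Object Model, HTML/JS DOM Objects)";
    print "\n[phase three] -> HTML Fuzzing (HyperText Markup Language, Tags & Attributes)";
    print "\n[phase four]  -> JS Fuzzing   (JavaScript, Top Level Functions & Methods)";
    print "\n\nExample: $0 -o /var/www/apache2 -p 3 (now break out your favorite browser and fuzz it :)\n\n";
    exit(0);
}

# Fail before generating anything if the target is not a directory, rather
# than part-way through a multi-gigabyte run.
unless(-d $output)
{
    print "\n[!] $output is not an existing directory\n\n";
    exit(1);
}

$c = 1; # running test-case number handed to the page-writing subs
$i = 1; # stage number shown in the progress lines

if($phase == 1)
{
    print "\nbf2[phase one] CSS Process Engaged. This could take some time (and disc space)!\n\n";

    # Three stages, one per CSS page writer, each run over all four payload lists.
    foreach my $create (\&csscreate1, \&csscreate2, \&csscreate3)
    {
        print "[STAGE-> $i] Writing fuzz data to $output\n";

        foreach(@overflows, @fmtstring, @numbers, @miscbugs)
        {
            $fuzz = $_;
            $create->($output, $c, $htmlbegin, $refresh1, $cssbegin, $fuzz, $cssend, $htmlend);
            $c++;
        }

        $i++;
    }

    $fcnt = $c-1;
    print "\nbf2[phase one] CSS Process Complete (Final Count: $fcnt). Point your browser to $output/css1.html and monitor for exceptions :)\n\n";
}

if($phase == 2)
{
    print "\nbf2[phase two] DOM Process Engaged. This could take some time (and disc space)!\n\n";

    # One stage per DOM object, in the original order.
    foreach my $stage (['document', \@domdocument], ['window', \@domwindow],
                       ['history', \@domhistory], ['location', \@domlocation])
    {
        my ($name, $members) = @$stage;

        print "[STAGE-> $i] Writing fuzz data to $output\n";

        foreach(@$members)
        {
            $object = $name;
            $method = $_;

            foreach(@overflows, @fmtstring, @numbers, @miscbugs)
            {
                $fuzz = $_;
                domcreate($output, $c, $htmlbegin, $refresh1, $refresh2, $scriptbegin, $object, $method, $fuzz, $scriptend, $htmlend);
                $c++;
            }
        }

        $i++;
    }

    $fcnt = $c-1;
    print "\nbf2[phase two] DOM Process Complete (Final Count: $fcnt). Point your browser to $output/dom1.html and monitor for exceptions :)\n\n";
}

if($phase == 3)
{
    print "\nbf2[phase three] HTML Process Engaged. This could take some time (and disc space)!\n\n";

    # First six tag stages. The progress line names the tag being fuzzed; in
    # this copy the text between "Writing" and "fuzz data" was only stray
    # whitespace and line breaks.
    foreach my $stage (['body', \@htmlbody], ['p', \@htmlp], ['hr', \@htmlhr],
                       ['font', \@htmlfont], ['bdo', \@htmlbdo], ['pre', \@htmlpre])
    {
        my ($name, $attrs) = @$stage;

        print "[STAGE-> $i] Writing <$name> fuzz data to $output\n";

        foreach(@$attrs)
        {
            $tag  = $name;
            $attr = $_;

            foreach(@overflows, @fmtstring, @numbers, @miscbugs)
            {
                $fuzz = $_;
                htmlcreate($output, $c, $htmlbegin, $refresh1, $refresh2, $tag, $attr, $fuzz, $htmlend);
                $c++;
            }
        }

        $i++;
    }

    # Phase three is not closed here: the stages for the remaining tags follow.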

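# Stage: every attribute in @htmla is paired with every payload from the four
# fuzz lists. The progress line names the tag; in this copy the text between
# "Writing" and "fuzz data" was only blank padding.
print "[STAGE-> $i] Writing <a> fuzz data to $output\n";
foreach(@htmla)
{
    $tag  = 'a';
    $attr = $_;

    # $c is the running case number passed to htmlcreate (defined elsewhere
    # in this file); it advances once per generated case.
    foreach(@overflows, @fmtstring, @numbers, @miscbugs)
    {
        $fuzz = $_;
        htmlcreate($output, $c, $htmlbegin, $refresh1, $refresh2, $tag, $attr, $fuzz, $htmlend);
        $c++;
    }
}
$i++;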

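# Stage: every attribute in @htmllink is paired with every payload from the
# four fuzz lists. The progress line names the tag; in this copy the text
# between "Writing" and "fuzz data" was only blank padding.
print "[STAGE-> $i] Writing <link> fuzz data to $output\n";
foreach(@htmllink)
{
    $tag  = 'link';
    $attr = $_;

    # $c is the running case number passed to htmlcreate (defined elsewhere
    # in this file); it advances once per generated case.
    foreach(@overflows, @fmtstring, @numbers, @miscbugs)
    {
        $fuzz = $_;
        htmlcreate($output, $c, $htmlbegin, $refresh1, $refresh2, $tag, $attr, $fuzz, $htmlend);
        $c++;
    }
}
$i++;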

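# Stage: every attribute in @htmlframe is paired with every payload from the
# four fuzz lists. The progress line names the tag; in this copy the text
# between "Writing" and "fuzz data" was only blank padding.
print "[STAGE-> $i] Writing <frame> fuzz data to $output\n";
foreach(@htmlframe)
{
    $tag  = 'frame';
    $attr = $_;

    # $c is the running case number passed to htmlcreate (defined elsewhere
    # in this file); it advances once per generated case.
    foreach(@overflows, @fmtstring, @numbers, @miscbugs)
    {
        $fuzz = $_;
        htmlcreate($output, $c, $htmlbegin, $refresh1, $refresh2, $tag, $attr, $fuzz, $htmlend);
        $c++;
    }
}
$i++;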

print "[STAGE->$i] Writing