bf2_doc.txt
01.19.2009

Krakow Labs Development [www.krakowlabs.com]
Browser Fuzzer 2 Documentation
rush@KL (Jeremy Brown) [rush[at]krakowlabs[dot]com]

-------------------------------------------------------------------------------------------------------------------------

WHAT IS IT?

Browser Fuzzer 2 (bf2) is a comprehensive web browser fuzzer that fuzzes CSS, DOM, HTML and JavaScript.

-------------------------------------------------------------------------------------------------------------------------

PURPOSE

BF2's purpose is to fuzz web browsers as they process data and render content.

-------------------------------------------------------------------------------------------------------------------------

HOW DOES IT WORK?

BF2 takes command line options that define where the fuzzing web pages are written and which phase the user would like to fuzz. BF2 then generates the pages via custom functions that take the required format, the tag or function being fuzzed, and data from the fuzzing oracle, and combine them in a way that the web browser can interpret. One by one, BF2 outputs each unique fuzzing page. To keep the process automated, refresh code is also embedded in each fuzzing page so that the browser jumps from one page to the next after it has processed each page's content.

Example Fuzzing Web Page (html40.html):

-------------------------------------------------------------------------------------------------------------------------

HISTORY

Browser Fuzzer 2 is the second version of the earlier Browser Fuzzer. Browser Fuzzer 2 is the same concept as Browser Fuzzer, but BF2 is very different: it has been rewritten and greatly improved. Also, unlike BF, BF2 is not a beta release, hence it is considered stable.
Key Differences:

Browser Fuzzer                                   Browser Fuzzer 2
--------------                                   ----------------
Written in C                                     Written in PERL
DOM/HTML/JS fuzzing limited                      CSS/DOM/HTML/JS fuzzing comprehensive
Redundant code for generating & writing pages    Specialized functions for fuzz page generation & writing
File structure not up to par                     Decent file structure easily supporting add/del/modification
Beta fuzz oracle implemented                     3rd generation [unlimited style, web] fuzzing oracle implemented

-------------------------------------------------------------------------------------------------------------------------

HOW DO I USE IT?

1) Set up a place for output and pick a fuzzing phase.

rush@linux:~$ mkdir fuzz
rush@linux:~$ perl bf2.pl -o /home/rush/fuzz -p 4

Krakow Labs Development [krakowlabs.com] -> bf2
"Browser Fuzzer 2 -- The bugs cannot hide anymore"
rush@KL (Jeremy Brown) [rush[at]krakowlabs[dot]com]

bf2[phase four] JS Process Engaged. This could take some time (and disc space)!

[STAGE-> 1] Writing fuzz data to /home/rush/Desktop/fuzz
[STAGE-> 2] Writing fuzz data to /home/rush/Desktop/fuzz
[STAGE-> 3] Writing fuzz data to /home/rush/Desktop/fuzz
[STAGE-> 4] Writing fuzz data to /home/rush/Desktop/fuzz
[STAGE-> 5] Writing fuzz data to /home/rush/Desktop/fuzz

bf2[phase four] JS Process Complete (Final Count: 8004). Point your browser to /home/rush/fuzz/js1.html and monitor for exceptions :)

rush@linux:~$

2) Open the browser you wish to fuzz (in a debugger, or with one attached, if you like) and send it to the address of xxxx1.html, where xxxx is the name of the phase you selected to fuzz. Do this for all phases of fuzzing you wish to use. Good luck!

-------------------------------------------------------------------------------------------------------------------------

NOTES

By using the supplied fuzzing oracle, BF2 will use a considerable amount of disc space (~77 GB total). Feel free to modify the fuzzing oracle data to suit your needs, environment, and/or yourself.
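To make the generation scheme from HOW DOES IT WORK concrete (one page per tag/attribute/oracle-value case, each page carrying refresh code that jumps to the next), and to show what a cut-down oracle of the kind the note above invites you to edit looks like, here is an added example. It is written in Python rather than bf2's Perl and is not bf2's own code; the ORACLE, TAGS and ATTRS lists, the page layout and the fixed case ordering are all assumptions of this example, not bf2's.

```python
import os
import tempfile

# Constructed stand-in for bf2's fuzzing oracle (a handful of classic boundary
# and format-string values). The real oracle is far larger, which is what
# drives the ~77 GB footprint mentioned in the NOTES.
ORACLE = [
    "A" * 4096,            # long string
    "%s%s%s%s%n%n%n%n",    # format specifiers
    "-1",                  # signed/unsigned confusion
    "4294967295",          # UINT32_MAX
    "\"'><",               # delimiter breakout
]

# Hypothetical tag and attribute sets for an "html" phase; bf2's own lists differ.
TAGS = ["a", "img", "table", "font"]
ATTRS = ["id", "width", "href", "color"]


def build_cases(tags, attrs, oracle):
    """Enumerate one case per (tag, attribute, oracle value) in a fixed order,
    so that a page number maps back to exactly one case when triaging a crash."""
    return [(tag, attr, value) for tag in tags for attr in attrs for value in oracle]


def render_page(case, number, total, prefix, delay=1):
    """Render fuzz page <prefix><number>.html: the tag under test carries the
    raw oracle value (deliberately unescaped; feeding the browser odd input is
    the point) and, unless this is the last page, refresh code jumps to the next."""
    tag, attr, value = case
    refresh = ""
    if number < total:
        nxt = f"{prefix}{number + 1}.html"
        # Two refresh mechanisms: a meta refresh for when JS is off, and a JS
        # timer so the chain survives a case that breaks the meta tag.
        refresh = (
            f'<meta http-equiv="refresh" content="{delay};url={nxt}">\n'
            f'<script>setTimeout(function(){{location.href="{nxt}";}},{delay * 1000});</script>\n'
        )
    return (
        "<html><head>\n"
        f"<title>{prefix} {number}/{total}: {tag} {attr}</title>\n"
        f"{refresh}"
        "</head><body>\n"
        f'<{tag} {attr}="{value}">fuzz</{tag}>\n'
        "</body></html>\n"
    )


def write_pages(outdir, prefix, tags=TAGS, attrs=ATTRS, oracle=ORACLE):
    """Write the whole chain into outdir and return the number of pages written."""
    cases = build_cases(tags, attrs, oracle)
    total = len(cases)
    os.makedirs(outdir, exist_ok=True)
    for number, case in enumerate(cases, start=1):
        path = os.path.join(outdir, f"{prefix}{number}.html")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(render_page(case, number, total, prefix))
    return total


def case_for_page(number, tags=TAGS, attrs=ATTRS, oracle=ORACLE):
    """Map a 1-based page number back to its (tag, attr, value) case."""
    return build_cases(tags, attrs, oracle)[number - 1]


if __name__ == "__main__":
    out = tempfile.mkdtemp(prefix="bf2demo_")
    n = write_pages(out, "html")
    print(f"wrote {n} pages; point a browser at {os.path.join(out, 'html1.html')}")
```

The fixed enumeration order in build_cases is the part worth copying: once the browser dies on page N, case_for_page(N) tells you which tag, attribute and value were on screen, which is the information a minimal reproducer needs.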
To keep track of fuzzing web pages that may cause a crash, you can set up Apache and point BF2's output at a web-accessible directory. Run "grep -i browser-user-agent /var/log/apache/access.log | tail -1" when a crash occurs; it should be helpful. Monitor /tmp for any out-of-bounds breakage action.

-------------------------------------------------------------------------------------------------------------------------

Associated Files & Information:

http://www.krakowlabs.com/dev/fuz/bf2/bf2.pl.txt
http://www.krakowlabs.com/dev/fuz/bf2/bf2_doc.txt
http://www.krakowlabs.com/dev/fuz/bf2/bf2.tar.gz
http://www.krakowlabs.com/dev/fuz/bf2/bf2.jpeg
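The crash-tracking tip in NOTES (serve the pages from Apache, then grep the access log for the browser's User-Agent and take the last hit) can be turned into a small triage routine. The following is an added example, not part of bf2 or this document: it parses Apache "combined" format log lines, finds the last request from a given User-Agent case-insensitively, recovers the page number from the path, and returns the pages worth re-opening one at a time. The SAMPLE_LOG lines, host names and User-Agent strings are constructed for the example.

```python
import re

# Apache "combined" log format:
# host ident user [time] "method path proto" status size "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample log: a curl probe, then three fuzz pages fetched by the
# browser under test. Nothing was requested after html3.html.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jan/2009:10:00:00 -0500] "GET /fuzz/html1.html HTTP/1.1" 200 4231 "-" "curl/7.18.0"
10.0.0.9 - - [19/Jan/2009:10:00:01 -0500] "GET /fuzz/html1.html HTTP/1.1" 200 4231 "-" "Mozilla/5.0 (X11; Linux i686) BrowserUnderTest/1.0"
10.0.0.9 - - [19/Jan/2009:10:00:02 -0500] "GET /fuzz/html2.html HTTP/1.1" 200 4233 "http://fuzzhost/fuzz/html1.html" "Mozilla/5.0 (X11; Linux i686) BrowserUnderTest/1.0"
10.0.0.9 - - [19/Jan/2009:10:00:03 -0500] "GET /fuzz/html3.html HTTP/1.1" 200 4230 "http://fuzzhost/fuzz/html2.html" "Mozilla/5.0 (X11; Linux i686) BrowserUnderTest/1.0"
"""


def last_request_for_agent(lines, agent_fragment):
    """Path of the last request whose User-Agent contains agent_fragment
    (case-insensitive, like the grep -i in the NOTES), or None."""
    needle = agent_fragment.lower()
    hit = None
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not m.group("agent"):
            continue  # malformed line or a log format without the agent field
        if needle in m.group("agent").lower():
            hit = m.group("path")
    return hit


def page_number(path):
    """Recover the case number from a fuzz page path such as /fuzz/html3.html."""
    m = re.search(r'(\d+)\.html?$', path)
    return int(m.group(1)) if m else None


def suspect_pages(lines, agent_fragment):
    """Pages to re-open individually after a crash: the last one the browser
    requested, plus the one before it, because a page's refresh timer can fire
    (logging the next request) shortly before the browser dies on that page."""
    last = last_request_for_agent(lines, agent_fragment)
    n = page_number(last) if last else None
    if n is None:
        return []
    return [n] if n == 1 else [n, n - 1]


if __name__ == "__main__":
    print(suspect_pages(SAMPLE_LOG.splitlines(), "BrowserUnderTest"))
```

Reading the log this way only tells you which page was last fetched; confirm the culprit by loading each suspect page on its own with the debugger attached, since with refresh chaining the request for page N+1 can already be logged when page N is the one that actually crashed the browser.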