bf3_doc.txt
01.16.2010

Krakow Labs Development [www.krakowlabs.com]
Browser Fuzzer 3 Documentation
jbrown@KL (Jeremy Brown) [jbrown@krakowlabs.com]

------------------------------------------------------------------------------------------------------------------
WHAT IS IT?

Browser Fuzzer 3, or bf3, is a comprehensive web browser fuzzer.

------------------------------------------------------------------------------------------------------------------
FEATURES

Fuzzes CSS, DOM, HTML, JavaScript and XML
Attended and Unattended Fuzzing Modes
7th Generation Fuzzing Oracle
Random Data Generator
Mutation Fuzzing Engine

------------------------------------------------------------------------------------------------------------------
HOW DOES IT WORK?

Browser Fuzzer 3 is designed as a hybrid framework/standalone fuzzer; the modules it uses are extendable but also
highly integrated into the core. bf3 is driven from the command line, where all necessary flags for each fuzzing
operation are set. After initialization, bf3 creates test cases in a numbered system. Fuzzing is automated through
the browser using the refresh method. If an error is detected, the server logs can provide insight into the
offending test case.
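The workflow this section describes, as an added example that is not bf3's own code (bf3 is C; this is a Python sketch of the same ideas): numbered test cases chained by a refresh, the mutation-count rule stated in the NOTES section, a check for extra-file content that would stall an unattended run, and decoding of the access-log line that the grep/tail recipe in USAGE DETAILS returns. Assumptions not stated on the page: a meta-refresh tag as the refresh mechanism, <prefix><N>.html as the naming scheme, and the sample inputs, which are constructed (the doc's own Chrome log line is reused; the stylesheet and the other log lines are made up).

```python
"""Added example of the bf3 workflow (not bf3's own code).  Assumed, not from the
doc: meta-refresh as the refresh mechanism, <prefix><N>.html naming, constructed
sample inputs."""
import os
import random
import re
import tempfile

# Assumed test-case layout: the refresh sits in <head>, before the fuzzed body, so
# the chain advances even when the body is unparsable.  The last case has none.
REFRESH = '<meta http-equiv="refresh" content="0;url={next}">'


def mutation_cases(data: bytes, r: int, z: int, seed: int = 0):
    """NOTES rule: r mutants per byte position, so r * len(data) cases in total.
    Each mutant replaces the byte at that position with 1..z random bytes (-Z)."""
    rng = random.Random(seed)
    for pos in range(len(data)):
        for _ in range(r):
            blob = bytes(rng.randrange(256) for _ in range(rng.randint(1, z)))
            yield data[:pos] + blob + data[pos + 1:]


def write_chain(outdir: str, prefix: str, cases) -> int:
    """Write cases as <prefix><N>.html, N from 1, each refreshing to N+1; return N."""
    cases = list(cases)
    for n, body in enumerate(cases, start=1):
        refresh = REFRESH.format(next=f"{prefix}{n + 1}.html") if n < len(cases) else ""
        with open(os.path.join(outdir, f"{prefix}{n}.html"), "wb") as f:
            f.write(f"<html><head>{refresh}</head><body>\n".encode()
                    + body + b"\n</body></html>\n")
    return len(cases)


# Content in an extra file (-x) that conflicts with unattended automation: a second
# refresh, or the blocking dialogs the NOTES reserve for attended mode.
CONFLICTS = re.compile(r'http-equiv\s*=\s*["\']?refresh|\b(?:alert|prompt|confirm)\s*\(', re.I)


def extra_file_conflicts(extra_html: str) -> list:
    """Return the conflicting tokens found in an extra file ([] when it is clean)."""
    return [m.group(0) for m in CONFLICTS.finditer(extra_html)]


# Apache combined-log format, as in the USAGE DETAILS grep/tail example.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d+) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
CASE_RE = re.compile(r'/(?P<name>[a-z]+)(?P<num>\d+)\.html$')


def last_case(log_lines, ua_substring: str):
    """What `grep -i <browser> access.log | tail -1` gives you, decoded: (path, case
    number, referer's case number) of the last test case that browser fetched, or
    None.  A referer of case-1 shows the chain was intact up to there, so the
    returned case is the first one the browser never got past: the one to save."""
    hit = None
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or ua_substring.lower() not in m["ua"].lower():
            continue
        c = CASE_RE.search(m["path"])
        if not c:
            continue
        ref = CASE_RE.search(m["ref"])
        hit = (m["path"], int(c["num"]), int(ref["num"]) if ref else None)
    return hit


# Constructed sample log: the doc's own Chrome line, a predecessor, and an unrelated
# Firefox client, so both the browser filter and the referer check matter.
UA_CHROME = ('"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.0 '
             '(KHTML, like Gecko) Chrome/3.0.195.38 Safari/532.0"')
SAMPLE_LOG = [
    '10.10.1.111 - - [09/Jan/2010:09:54:53 -0500] "GET /xml1/xml334760.html HTTP/1.1" '
    '200 756 "http://10.10.1.110/xml1/xml334759.html" ' + UA_CHROME,
    '10.10.1.111 - - [09/Jan/2010:09:54:54 -0500] "GET /xml1/xml334761.html HTTP/1.1" '
    '200 756 "http://10.10.1.110/xml1/xml334760.html" ' + UA_CHROME,
    '10.10.1.112 - - [09/Jan/2010:09:55:01 -0500] "GET /xml1/xml334762.html HTTP/1.1" '
    '200 756 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"',
]


def run_demo(r: int = 3, z: int = 4) -> dict:
    """End to end on a constructed 12-byte stylesheet (stands in for -X file.css):
    mutate, write the chain into a temp dir, then triage the sample log."""
    css = b"p{color:red}"
    with tempfile.TemporaryDirectory() as d:
        written = write_chain(d, "css", mutation_cases(css, r, z))
        with open(os.path.join(d, "css1.html"), "rb") as f:
            first = f.read()
        with open(os.path.join(d, f"css{written}.html"), "rb") as f:
            last = f.read()
    return {
        "cases": written,                          # r * len(css) == 36 by the NOTES rule
        "first_refreshes_to_2": b"css2.html" in first,
        "last_has_refresh": b"http-equiv" in last,  # False: the chain ends there
        "offending": last_case(SAMPLE_LOG, "chrome"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The triage half is the part worth keeping around: the last line grep returns is the case the browser was loading when it stopped, and its referer tells you whether the chain was still intact, which is how you know that case (rather than an earlier one) is the one to save for further research.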
------------------------------------------------------------------------------------------------------------------
USAGE DETAILS

USAGE: ./bf3 <-M #> <-A/-U> <-O/-R #> [-Z #] [-X file.ext] [-x extra.html] [-P /www]
INFO:  [-T Fuzzing Oracle] [-D Modules Available]

-M: target module
-A: attended fuzzing mode (dom/js only)
-U: unattended fuzzing mode
-O: use the fuzzing oracle
-R: use random generation
-Z: max number of bytes (random generation)
-X: file to parse for mutation
-x: extra file for mutation (css/xml only)
-P: test case output directory (full path)
-T: list fuzzing oracle
-D: list modules available

[Modules Available]
(1) Cascading Style Sheets (CSS)
(2) Document Object Model (DOM)
(3) HyperText Markup Language (HTML)
(4) JavaScript (JS)
(5) Extensible Markup Language (XML)

Example Usage

"Fuzz JavaScript in Unattended Mode with the Fuzzing Oracle and output test cases to /var/www"
----> ./bf3 -M 3 -U -O -P /var/www

"Fuzz DOM in Attended Mode with Random Data up to 10,000 bytes and output 10,000 test cases to /var/www/dom"
----> ./bf3 -M 2 -A -R 10000 -Z 10000 -P /var/www/dom

"Fuzz CSS by mutating file.css with Random Data up to 100,000 bytes (default) and use file.html to display the
data, output to /var/www/cssm (total number of test cases = 100 x number of characters in file.css)"
----> ./bf3 -M 1 -U -R 100 -X /home/linux/bf3/samples/css/style.css -x /home/linux/bf3/samples/css/bmgsec.html -P /www/css

"Fuzz JavaScript in Unattended Mode by generating 1,000,000 random test cases and output to /var/www/js"
----> ./bf3 -M 4 -U -R 1000000 -P /var/www/js

"Fuzz XML in Unattended Mode with Random data and output 100,000 test cases to /var/www/xml"
----> ./bf3 -M 5 -U -R 100000 -P /var/www/xml

If you notice an anomaly in the target while it is processing test cases, and you have access to the logs on the
server hosting them, you can do this to figure out which test case you need to save for further research:

fuzz@linux:~$ grep -i chrome /var/log/apache2/access.log | tail -1
10.10.1.111 - - [09/Jan/2010:09:54:54 -0500] "GET /xml1/xml334761.html HTTP/1.1" 200 756 "http://10.10.1.110/xml1/xml334760.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.38 Safari/532.0"

------------------------------------------------------------------------------------------------------------------
NOTES

Attended mode fuzzes things that may need attention (a click of the mouse, etc.), like JS alert() and prompt().

During all fuzzing generation except mutation, -R = # of test cases. During mutation, # of test cases = -R # x
number of characters in the target file.

When using mutation, make sure you remove from the extra file any data that would conflict with the automated
fuzzing process.

When mutation fuzzing XML, you must make sure the xml variable's name is "Document". Please replace the var in the
extra file with "Document" to make things work correctly.

This could be the first project to go from C (bf) to PERL (bf2) and back to C again (bf3) :]

------------------------------------------------------------------------------------------------------------------
Associated Files & Information:

http://www.krakowlabs.com/dev/fuz/bf3/bf3
http://www.krakowlabs.com/dev/fuz/bf3/bf3.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/cli.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/core.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/gen.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/mut.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/oracle.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/rand.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/mod/css.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/mod/dom.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/mod/html.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/mod/js.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/mod/xml.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/include/core.h.txt
http://www.krakowlabs.com/dev/fuz/bf3/include/oracle.h.txt
http://www.krakowlabs.com/dev/fuz/bf3/include/random.h.txt
http://www.krakowlabs.com/dev/fuz/bf3/include/mod/css.h.txt
http://www.krakowlabs.com/dev/fuz/bf3/include/mod/dom.h.txt
http://www.krakowlabs.com/dev/fuz/bf3/include/mod/html.h.txt
http://www.krakowlabs.com/dev/fuz/bf3/include/mod/js.h.txt
http://www.krakowlabs.com/dev/fuz/bf3/include/mod/xml.h.txt
http://www.krakowlabs.com/dev/fuz/bf3/Makefile.txt
http://www.krakowlabs.com/dev/fuz/bf3/media/bf3.jpeg
http://www.krakowlabs.com/dev/fuz/bf3/media/bf3.avi
http://www.krakowlabs.com/dev/fuz/bf3/samples/css/bmgsec.html.txt
http://www.krakowlabs.com/dev/fuz/bf3/samples/css/style.css.txt
http://www.krakowlabs.com/dev/fuz/bf3/samples/xml/index.html.txt
http://www.krakowlabs.com/dev/fuz/bf3/samples/xml/cd_catalog.xml.txt
http://www.krakowlabs.com/dev/fuz/bf3/doc/bf3_doc.txt
http://www.krakowlabs.com/dev/fuz/bf3/bf3.tar.gz