« Undercover reporter ousted at defcon, probably pretty f@!ked | Main | eEye Gets Gets Into Web Application Security Space »

Mozilla Releases JavaScript Fuzzer at Blackhat

"Mozilla has been using an open-source application security testing tool, known as a fuzzer, for JavaScript to detect and fix dozens of security bugs in Firefox, Mozilla director of ecosystem development Window Snyder said Thursday at the Black Hat USA 2007 conference in Las Vegas. The JavaScript fuzzer found 280 bugs in Firefox, 27 of which were exploitable.

Now Mozilla is making that JavaScript fuzzer available to anyone who wants to use it, and it'll be followed later this year by fuzzers for the HTTP and FTP protocols.

"The FTP and HTTP protocol fuzzers act like fake servers that send bad data to sites," Snyder told InformationWeek.The HTTP fuzzer emulates an HTTP server to test how an HTTP client handles unexpected input. The FTP fuzzer likewise tests how an FTP client handles unexpected data.

Mozilla worked with Microsoft, Apple, and Opera before making the JavaScript fuzzer widely available in order to reduce the possibility that the tool might be used to expose vulnerabilities in those browsers. All of these browser vendors reviewed the tool and let told Mozilla know that they were okay with the release, Snyder said. "

Having written/played with http response fuzzing I gotta say, there is still a lot of bugs out there :)

Article Link: http://www.informationweek.com/news/showArticle.jhtml?articleID=201202771


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!