"Mozilla has been using an open-source application security testing
tool, known as a fuzzer, for JavaScript to detect and fix dozens of
security bugs in Firefox, Mozilla director of ecosystem development
Window Snyder said Thursday at the Black Hat USA 2007 conference in Las
Vegas. The JavaScript fuzzer found 280 bugs in Firefox, 27 of which
were exploitable.
Now Mozilla is making that JavaScript fuzzer available to
anyone who wants to use it, and it'll be followed later this year by
fuzzers for the HTTP and FTP protocols.
"The FTP and HTTP protocol fuzzers act like fake servers that
send bad data to sites," Snyder told InformationWeek.The HTTP fuzzer
emulates an HTTP server to test how an HTTP client handles unexpected
input. The FTP fuzzer likewise tests how an FTP client handles
unexpected data.
Mozilla worked with Microsoft, Apple, and Opera before making
the JavaScript fuzzer widely available in order to reduce the
possibility that the tool might be used to expose vulnerabilities in
those browsers. All of these browser vendors reviewed the tool and let
told Mozilla know that they were okay with the release, Snyder said. "
Having written/played with http response fuzzing I gotta say, there is still a lot of bugs out there 🙂
Article Link: http://www.informationweek.com/news/showArticle.jhtml?articleID=201202771
