New CSS Grammar Fuzzer

Tuesday, March 17, 2009
Original Source:
http://blog.mozilla.com/security/2009/03/17/new-css-grammar-fuzzer/

Mozilla’s Jesse Ruderman just blogged about a new CSS grammar fuzzer of his, to go along with the JS fuzzer we announced a while ago.

Fuzzers are a tool that we’ve found incredibly valuable in the past, and continue to employ heavily. A fuzzer’s job is to make your application fail by feeding it surprising inputs. The good ones do this by knowing a part of your code well enough that they can make smart guesses about how to confuse it. This one, for instance, produces a constant stream of mostly-correct CSS rules, and watches to see whether the browser can cope with them. Because fuzzers take these random paths, they can uncover subtle bugs that are rarely encountered during “normal” testing; and Jesse is a master at building them.

When Jesse originally started talking about his javascript fuzzer, he gave it to other browser vendors first, and he’s done the same with this one. If you’re interested in automated security analysis tools though, he’s now made it public, and I recommend checking it out.

Johnathan Nightingale
Human Shield

Possibly Related Articles:
11602
Webappsec->General
Consulting Information Security Service Provider
HTTP Security Firefox Mozilla
Post Rating I Like this!