Friday 23 October 2015

DefCon 23: Extending Fuzzing Grammars to Exploit Unexplored Code Paths in Modern Web Browsers

The talk had two parts. The first part was an introduction to fuzzing for the security practitioner, discussing the approaches, tool sets and integrations between tools that we found to be most effective, combined into a recipe for fuzzing various browsers on various platforms.

The second part was a description of the work and approach used to create, and extend, browser fuzzing grammars based on W3C specifications in order to discover new and unexplored code paths and find new browser security bugs. In particular, examples of real bugs found in the Chrome and MS Edge browsers were demonstrated.

https://github.com/sensepost/wadi

https://sensepost.com/blog/2015/wadi-fuzzer/