Collaborate Disseminate
Apache OpenOffice, one of the most popular open-source office productivity software suites, sports a RCE vulnerability (CVE-2021-33035) that could be triggered via a specially crafted document. The vulnerability has been fixed in the software’s s… Continue reading A malicious document could lead to RCE in Apache OpenOffice (CVE-2021-33035)
Thinking of how a fuzzer brute-forces a lot of input to a program to discover vulnerabilities, it seems natural that one would then consider the concept of writing a program that analyzes the target program’s structure more fundamentally /… Continue reading Is there a term for a non-brute-force version of a fuzzer?
Is there any open source mutator supporting regex?
for example, I want to generate data like below.
input: "%d%d"
output: 00, 12, 13, 46, 29, …
Previously I tried radamsa but I realized it does not support regular expression… Continue reading Any open source mutator support regex?
By Allison Husain, UC Berkeley Today, we are releasing an experimental coverage-guided fuzzer called Honeybee that records program control flow using Intel Processor Trace (IPT) technology. Previously, IPT has been scrutinized for severe underperforman… Continue reading Un-bee-lievable Performance: Fast Coverage-guided Fuzzing with Honeybee and Intel Processor Trace
Posted by Jonathan Metzman, Google Open Source Security TeamOSS-Fuzz, Google’s open source fuzzing service, now supports fuzzing applications written in Java and other Java Virtual Machine (JVM) based languages (e.g. Kotlin, Scala, etc.). Open source p… Continue reading Fuzzing Java in OSS-Fuzz
If you’re thinking of writing a paper describing an exciting novel approach to smart contract analysis and want to know what reviewers will be looking for, you’ve come to the right place. Deadlines for many big conferences (ISSTA tool papers, ASE, FSE,… Continue reading Confessions of a smart contract paper reviewer
There’s a VMWare problem that’s being exploited in the wild, according to the NSA (PDF). The vulnerability is a command injection on an administrative console. The web host backing this console is apparently running as root, as the vulnerability allows executing “commands with unrestricted privileges on the underlying operating system.” …read more
Continue reading This Week in Security: VMWare, Microsoft Teams, Python Fuzzing, and More
Context
I am playing around with a machine from hack the box. I found what appears to be a squid v. 4.6 listening on port 3128. None of my requests works
< HTTP/1.1 400 Bad Request
< Server: squid/4.6
< Mime-Version: 1.0
< Date… Continue reading Find configured domains accepted by a reverse proxy
Fuzzilii is a JavaScript engine fuzzing library, it’s a coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language (“FuzzIL”) which can be mutated and translated to JavaScript.
When fuzzing for core interpreter bu… Continue reading Fuzzilli – JavaScript Engine Fuzzing Library
Fuzzilii is a JavaScript engine fuzzing library, it’s a coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language (“FuzzIL”) which can be mutated and translated to JavaScript.
When fuzzing for core interpreter bu… Continue reading Fuzzilli – JavaScript Engine Fuzzing Library