DEV Community: FuzzingWeekly

Fuzzing: The State of the Art - FuzzingWeekly CW20

FuzzingWeekly — Thu, 18 May 2023 08:29:00 +0000

This week’s theme is Back to Basics.

Fuzzing software is not a new technique and dates back to at least 1988, if not earlier. The first fuzzers were based on randomly or pseudo-randomly generated inputs to find bugs in a piece of software. Fuzzers have grown in sophistication over the years, incorporating artificial intelligence, among other things. Since then, fuzzing has become an important tool in software security and testing and an interesting technique to study in computer science. Let’s take a look at some of the basic ideas.

And for your enjoyment, here’s a fuzzy scarf (work in progress):

This week's articles:

Fuzzing: The State of the Art - https://apps.dtic.mil/sti/pdfs/ADA558209.pdf

What is Fuzz Testing? - https://www.code-intelligence.com/what-is-fuzz-testing

Fuzzing 101: Tools and Exercises - https://github.com/antonio-morales/Fuzzing101

https://www.fuzztesting.io/fuzzing-weekly

Fuzzing the JVM - FuzzingWeekly CW 19

FuzzingWeekly — Thu, 11 May 2023 08:02:57 +0000

The theme of this week's rendition of Fuzzing Weekly is Java Virtual Machine (JVM) fuzzing, meaning languages built on top of the JVM and the JVM itself.

Here you go:

Confuzzion: A Java Virtual Machine Fuzzer for Type Confusion Vulnerabilities: https://ieeexplore.ieee.org/abstract/document/9724749

Coverage-DirectedDifferentialTestingofJVMImplementations: https://wcventure.github.io/FuzzingPaper/Paper/PLDI16_JVM.pdf

Kaizen: A Scalable Concolic Fuzzing Tool for Scala: https://dl.acm.org/doi/pdf/10.1145/3426426.3428487

Until next week!

https://www.fuzztesting.io/fuzzing-weekly

Things you didn’t know you could fuzz - FuzzingWeekly CW17

FuzzingWeekly — Fri, 28 Apr 2023 13:00:44 +0000

Fuzzing cURL:
https://blog.trailofbits.com/2023/02/14/curl-audit-fuzzing-libcurl-command-line-interface/

Fuzzing Cars:
https://argus-sec.com/blog/cyber-security-blog/how-fuzzing-complements-penetration-testing-for-optimal-vehicle-cybersecurity/

Fuzzing KDL:
https://github.com/kdl-org/kdl/discussions/314

https://www.fuzztesting.io/fuzzing-weekly

FuzzingWeekly CW15: Another Expression DoS Vulnerability Found in Spring - CVE-2023-20863

FuzzingWeekly — Fri, 14 Apr 2023 16:19:30 +0000

Another Expression DoS Vulnerability Found in Spring - CVE-2023-20863:
https://www.code-intelligence.com/blog/expression-dos-spring-part-2

Fuzzing Web Applications with Wfuzz | HackTheBox baby todo or not todo:
https://www.youtube.com/watch?v=008QxzctzqQ

CAN do attitude: How thieves steal cars using network bus:
https://www.theregister.com/2023/04/06/can_injection_attack_car_theft/

https://www.fuzztesting.io/fuzzing-weekly

UTopia: From Unit Tests To Fuzzing - Fuzzing Weekly CW13

FuzzingWeekly — Fri, 31 Mar 2023 15:15:52 +0000

UTopia: From Unit Tests To Fuzzing:
https://research.samsung.com/blog/UTopia-From-unit-tests-to-fuzzing

Random Fuzzy Thoughts:
https://tigerbeetle.com/blog/2023-03-28-random-fuzzy-thoughts

Introducing Microsoft Security Copilot: Empowering defenders at the speed of AI:
https://blogs.microsoft.com/blog/2023/03/28/introducing-microsoft-security-copilot-empowering-defenders-at-the-speed-of-ai

https://www.fuzztesting.io/fuzzing-weekly

GitHub says: Fuzz Your Code! - FuzzingWeekly CW11

FuzzingWeekly — Fri, 17 Mar 2023 11:11:16 +0000

GitHub says: Fuzz Your Code!:
https://twitter.com/github/status/1636022681542828033?s=20

If Developers Get Enabled to Test Their Own Code, Everybody Wins:
https://devm.io/javascript/fuzz-testing-jest-jazzer

6 CVEs Fixed in OpenSIPS:
https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=fuzzing&search_type=all&isCpeNameSearch=false

https://www.fuzztesting.io/fuzzing-weekly

Using the World's Worst Fuzzer to Find a Kernel Bug - FuzzingWeekly CW9

FuzzingWeekly — Fri, 03 Mar 2023 10:42:57 +0000

Using the World's Worst Fuzzer to Find a Kernel Bug:
https://stigward.github.io/posts/fiio-m6-kernel-bug/

Unit Testing Vs Fuzz Testing - Two Sides Of The Same Coin?
https://www.code-intelligence.com/blog/unit-testing-vs-fuzz-testing

API Fuzzing: What it is and why you should use it
https://youtu.be/wX3GMJY9B6A

https://www.fuzztesting.io/fuzzing-weekly

One Weird Trick to Improve Bug Finding With ASAN - Fuzzing Weekly CW8

FuzzingWeekly — Fri, 24 Feb 2023 10:21:53 +0000

One Weird Trick to Improve Bug Finding With ASAN:
https://landaire.net/one-weird-asan-trick/

How To Fuzz JavaScript With Jest And Jazzer.Js:
https://www.code-intelligence.com/blog/fuzzing-javascript-jazzer.js

Fuzzing research digest – January 2023:
https://www.reddit.com/user/BondiFuzz_com/comments/113s8e2/fuzzing_research_digest_january_2023/

#FuzzingWeekly CW7:

FuzzingWeekly — Fri, 17 Feb 2023 10:23:12 +0000

cURL Audit: How a Joke Led to Significant Findings: https://www.linkedin.com/pulse/fuzzing-atmpos-protocols-like-boss-karim-reda-fakhir/?published=t

Phylum Discovers Revived Crypto Wallet Address Replacement Attack: https://blog.phylum.io/phylum-discovers-revived-crypto-wallet-address-replacement-attack

boofuzz Network Protocol Fuzzing for Humans
https://www.youtube.com/watch?v=AIpTims5sXI

Can sanitizers find the two bugs I wrote in C++? - Fuzzing Weekly CW6

FuzzingWeekly — Fri, 10 Feb 2023 10:54:25 +0000

Can sanitizers find the two bugs I wrote in C++?
https://ahelwer.ca/post/2023-02-07-cpp-bugs-sanitized/

Fuzzing ATM/POS protocols like a Boss:
https://www.linkedin.com/pulse/fuzzing-atmpos-protocols-like-boss-karim-reda-fakhir/?published=t

How to build a unified workflow for functional and security testing using JUnit:
https://securitysenses.com/videos/how-build-unified-workflow-functional-and-security-testing-using-junit

Google’s OSS-Fuzz will add JavaScript in 2023 - Fuzzing Weekly CW5

FuzzingWeekly — Fri, 03 Feb 2023 09:24:11 +0000

OSS-Fuzz announced to add JavaScript support in 2023:
https://security.googleblog.com/2023/02/taking-next-step-oss-fuzz-in-2023.html

Reachable Coverage: Estimating Saturation in Fuzzing:
https://mboehme.github.io/paper/ICSE23.Effectiveness.pdf

Google Boosts Bounties for Open-Source Flaws Found Via Fuzzing:
https://www.theregister.com/2023/02/01/google_fuzz_rewards/

https://www.fuzztesting.io/fuzzing-weekly

Critical RCE Vulnerabilities Found in git - Fuzzing Weekly CW4

FuzzingWeekly — Fri, 27 Jan 2023 09:58:30 +0000

Critical RCE Vulnerabilities Found in git (CVE-2022-4190, CVE-2022-23251):
https://www.helpnetsecurity.com/2023/01/19/git-critical-vulnerabilities/

Fuzzing the Shield: CVE-2022-24548:
https://medium.com/s2wblog/fuzzing-the-shield-cve-2022-24548-96f568980c0

A Framework for Blackbox Fuzzing Using Context-Free Grammars:
https://www.diva-portal.org/smash/record.jsf?aq2=%5B%5B%5D%5D&c=23&af=%5B%5D&searchType=LIST_LATEST&sortOrder2=title_sort_asc&language=en&pid=diva2%3A1729911&aq=%5B%5B%5D%5D&sf=all&aqe=%5B%5D&sortOrder=author_sort_asc&onlyFullText=false&noOfRows=50&dswid=2577