bf3_doc.txt
01.16.2010

Krakow Labs Development [www.krakowlabs.com]
Browser Fuzzer 3 Documentation
jbrown@KL (Jeremy Brown) [jbrown@krakowlabs.com]

------------------------------------------------------------------------------------------------------------------

WHAT IS IT?

Browser Fuzzer 3, or bf3, is a comprehensive web browser fuzzer.

------------------------------------------------------------------------------------------------------------------

FEATURES

Fuzzes CSS, DOM, HTML, JavaScript and XML
Attended and Unattended Fuzzing Modes
7th Generation Fuzzing Oracle
Random Data Generator
Mutation Fuzzing Engine

------------------------------------------------------------------------------------------------------------------

HOW DOES IT WORK?

Browser Fuzzer 3 is designed as a hybrid framework/standalone fuzzer; the modules it uses are extendable but also
highly integrated into the core. bf3 is driven from the command line, where all the flags needed for a fuzzing
operation are set. After initialization, bf3 creates test cases in a numbered system. Fuzzing is automated through the
browser using the refresh method. If an error is detected, the server logs can point to the offending test case.
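The numbered test cases and the refresh chain described above, as an added example that is not part of bf3 or its documentation. It assumes the "refresh method" works as a zero-delay meta refresh from case n to case n+1 (the last case carries none, so the run stops), uses a constructed JS page template with a hypothetical `js_payload` body, and draws on a small random data generator; the real bf3 module templates are not reproduced.

```python
import json
import os
import random
import string

# Page template (constructed for this example; bf3's real module templates are not reproduced).
TEMPLATE = ("<html><head>{refresh}</head>"
            "<body><script>{payload}</script></body></html>")


def refresh_tag(prefix, n, total):
    # Chain case n to case n+1. Assumption: bf3's "refresh method" is modelled as a
    # zero-delay meta refresh; the last case carries no refresh so the run stops.
    if n >= total:
        return ""
    return '<meta http-equiv="refresh" content="0;url={}{}.html">'.format(prefix, n + 1)


def random_data(rng, max_len):
    # Random data generator: 1..max_len characters of printable ASCII plus a few
    # characters that parsers must escape or reject.
    alphabet = string.printable + "<>\"'\\\x00\xff"
    return "".join(rng.choice(alphabet) for _ in range(rng.randint(1, max_len)))


def js_payload(data):
    # Hypothetical JS module body: the random data lands inside a string literal
    # (JSON-escaped so the page itself stays well-formed) and is then used by the DOM.
    return "var x = {}; document.title = x;".format(json.dumps(data))


def build_cases(prefix, count, max_len, seed=0):
    """Return {file name: page text} for cases prefix1.html .. prefix<count>.html."""
    rng = random.Random(seed)
    cases = {}
    for n in range(1, count + 1):
        cases["{}{}.html".format(prefix, n)] = TEMPLATE.format(
            refresh=refresh_tag(prefix, n, count),
            payload=js_payload(random_data(rng, max_len)))
    return cases


def write_cases(outdir, prefix, count, max_len, seed=0):
    """Write the cases to outdir (the -P directory) and return the list of names."""
    os.makedirs(outdir, exist_ok=True)
    cases = build_cases(prefix, count, max_len, seed)
    for name, page in cases.items():
        with open(os.path.join(outdir, name), "w", encoding="utf-8") as fh:
            fh.write(page)
    return list(cases)


if __name__ == "__main__":
    # Usage: five JS cases of up to 64 random characters, served from /tmp/bf3-demo.
    for name in write_cases("/tmp/bf3-demo", "js", 5, 64):
        print(name)
```

The seed makes a run reproducible, which matters once a case has been flagged: the same seed and count regenerate the same files, so a crashing case can be recreated even if the output directory was cleared.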

------------------------------------------------------------------------------------------------------------------

USAGE DETAILS

USAGE:   ./bf3 <-M #> <-A/-U> <-O/-R #> [-Z #]
               [-X file.ext] [-x extra.html] [-P /www]

INFO:    [-T Fuzzing Oracle] [-D Modules Available]


-M: target module
-A: attended fuzzing mode (dom/js only)
-U: unattended fuzzing mode
-O: use the fuzzing oracle
-R: use random generation
-Z: max number of bytes (random generation)
-X: file to parse for mutation
-x: extra file for mutation (css/xml only)
-P: test case output directory (full path)

-T: list fuzzing oracle
-D: list modules available


              [Modules Available]

    (1) Cascading Style Sheets     (CSS) 
    (2) Document Object Model      (DOM)
    (3) HyperText Markup Language  (HTML)
    (4) JavaScript                 (JS) 
    (5) Extensible Markup Language (XML)


Example Usage

"Fuzz JavaScript in Unattended Mode with the Fuzzing Oracle and output test cases to /var/www"
---->
./bf3 -M 4 -U -O -P /var/www


"Fuzz DOM in Attended Mode with Random Data up to 10,000 bytes and output 10,000 test cases to /var/www/dom"
---->
./bf3 -M 2 -A -R 10000 -Z 10000 -P /var/www/dom


"Fuzz CSS by mutating file.css with Random Data up to 100,000 bytes (default) and use file.html to display
the data, output to /var/www/cssm (total number of test cases = 100 x number of characters in file.css)"
---->
./bf3 -M 1 -U -R 100 -X /home/linux/bf3/samples/css/style.css -x /home/linux/bf3/samples/css/bmgsec.html -P /www/css


"Fuzz JavaScript in Unattended Mode by generating 1,000,000 random test cases and output to /var/www/js"
---->
./bf3 -M 4 -U -R 1000000 -P /var/www/js


"Fuzz XML in Unattended Mode with Random data and output 100,000 test cases to /var/www/xml"
---->
./bf3 -M 5 -U -R 100000 -P /var/www/xml


If you notice an anomaly in the target while it is processing test cases and you have access to the logs on the server
hosting them, you can do this to figure out which test case you need to save and research further:

fuzz@linux:~$ grep -i chrome /var/log/apache2/access.log | tail -1
10.10.1.111 - - [09/Jan/2010:09:54:54 -0500] "GET /xml1/xml334761.html HTTP/1.1" 200 756
"http://10.10.1.110/xml1/xml334760.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.0
(KHTML, like Gecko) Chrome/3.0.195.38 Safari/532.0"
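The same triage step done over a parsed log, as an added example that is not part of bf3 or its documentation. It works on Apache combined-format lines (the sample below is constructed, modelled on the line quoted above), picks the last request from a given browser by User-Agent substring, and also reads the Referer to check that the chain was contiguous, which is the check a practitioner wants before trusting that the last request is the offending case.

```python
import re

# Apache combined log format: client, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# bf3-style case names: <module><number>.html, e.g. /xml1/xml334761.html
CASE_RE = re.compile(r'(?P<mod>[a-z]+)(?P<n>\d+)\.html$')

# Constructed sample log (modelled on the line quoted above; not a real server log).
SAMPLE_LOG = """\
10.10.1.111 - - [09/Jan/2010:09:54:53 -0500] "GET /xml1/xml334760.html HTTP/1.1" 200 743 "http://10.10.1.110/xml1/xml334759.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.38 Safari/532.0"
10.10.1.111 - - [09/Jan/2010:09:54:54 -0500] "GET /xml1/xml334761.html HTTP/1.1" 200 756 "http://10.10.1.110/xml1/xml334760.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.38 Safari/532.0"
10.10.1.112 - - [09/Jan/2010:09:55:10 -0500] "GET /js2/js1005.html HTTP/1.1" 200 612 "http://10.10.1.110/js2/js1004.html" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20100106 Firefox/3.5.7"
""".splitlines()


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def case_number(url):
    # Case number from a path or full URL; None when it is not a bf3-style case name.
    m = CASE_RE.search(url)
    return int(m.group("n")) if m else None


def last_case(lines, ua_substring):
    """Last test case fetched by the browser whose User-Agent contains ua_substring.

    Returns the case path and number, the number of the preceding case (taken from
    the Referer) and whether the chain was contiguous; None when nothing matches.
    """
    hit = None
    for line in lines:
        rec = parse_line(line)
        if rec and ua_substring.lower() in rec["ua"].lower():
            hit = rec
    if hit is None:
        return None
    n = case_number(hit["path"])
    prev = case_number(hit["referer"])
    return {
        "client": hit["client"],
        "path": hit["path"],
        "case": n,
        "previous": prev,
        # A non-adjacent Referer means the browser was restarted or jumped; the case
        # that actually hung it may then be earlier than the last request in the log.
        "contiguous": prev is not None and n is not None and prev == n - 1,
    }


if __name__ == "__main__":
    # Usage: equivalent of `grep -i chrome access.log | tail -1`, with the fields split out.
    print(last_case(SAMPLE_LOG, "chrome"))
```

Filtering by User-Agent matters when several browsers fuzz against the same server at once, as the sample shows: the last line overall belongs to a different browser and a different module.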

------------------------------------------------------------------------------------------------------------------

NOTES

Attended mode fuzzes things that may need attention (a click of the mouse, etc) like JS alert() and prompt()

During all fuzzing generation except mutation, -R = # of test cases. During mutation, # of test cases is
-R # x number of characters in the target file

Make sure you remove any data that would conflict with the automated fuzzing process in the extra file when
using mutation

When mutation fuzzing XML, you must make sure the xml variable's name is "Document". Please replace the var
in the extra file with "Document" to make things work correctly
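The mutation mode described in the notes above (test cases = -R x number of characters in the target file, data displayed through an extra file, and the "Document" variable check for XML), as an added example that is not bf3's own mutation engine. Its inputs are constructed, the marker-based binding between the mutated file and the extra file is an assumption of this example only, and the `has_document_var` pre-flight assumes the XML variable is a plain `var` declaration.

```python
import random
import re
import string


def random_chunk(rng, max_len):
    # Replacement data: 1..max_len characters of printable ASCII plus delimiters
    # that CSS and XML parsers must treat specially.
    alphabet = string.printable + "<>&\"'"
    return "".join(rng.choice(alphabet) for _ in range(rng.randint(1, max_len)))


def case_count(target, rounds):
    # Mutation mode: -R rounds for every character of the -X file.
    return rounds * len(target)


def mutations(target, rounds, max_len, seed=0):
    """Yield (case_number, mutated_text): every character position of target is
    replaced `rounds` times with fresh random data, so exactly case_count(target,
    rounds) cases come out, numbered from 1."""
    rng = random.Random(seed)
    case = 0
    for pos in range(len(target)):
        for _ in range(rounds):
            case += 1
            yield case, target[:pos] + random_chunk(rng, max_len) + target[pos + 1:]


def embed(extra_text, marker, mutated):
    """Drop one mutated document into the extra (-x) display file.
    Assumption made by this example only: the extra file carries a literal marker
    string where the data belongs; bf3's own -X/-x binding is not reproduced here."""
    if marker not in extra_text:
        raise ValueError("extra file does not contain marker {!r}".format(marker))
    return extra_text.replace(marker, mutated, 1)


def has_document_var(extra_text):
    # Pre-flight for XML mutation: the note above requires the extra file's XML
    # variable to be called "Document" (assumed here to be a plain `var` declaration).
    return re.search(r'\bvar\s+Document\b', extra_text) is not None


# Constructed inputs (not the project's sample files).
SAMPLE_CSS = "p{color:red}"
SAMPLE_EXTRA = "<html><head><style>@@CSS@@</style></head><body><p>x</p></body></html>"

if __name__ == "__main__":
    # Usage: -R 2 over a 12-character file gives 24 cases, each shown through the extra file.
    for n, css in mutations(SAMPLE_CSS, 2, 8):
        print(n, embed(SAMPLE_EXTRA, "@@CSS@@", css))
```

Because the count is rounds times characters, a large -R against a long file quickly produces millions of files; checking `case_count` before writing anything is the cheap way to size the output directory.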

This could be the first project to go from C (bf) to PERL (bf2) and back to C again (bf3) :]

------------------------------------------------------------------------------------------------------------------

Associated Files & Information:
http://www.krakowlabs.com/dev/fuz/bf3/bf3
http://www.krakowlabs.com/dev/fuz/bf3/bf3.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/cli.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/core.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/gen.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/mut.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/oracle.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/rand.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/mod/css.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/mod/dom.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/mod/html.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/mod/js.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/mod/xml.c.txt
http://www.krakowlabs.com/dev/fuz/bf3/include/core.h.txt
http://www.krakowlabs.com/dev/fuz/bf3/include/oracle.h.txt
http://www.krakowlabs.com/dev/fuz/bf3/include/random.h.txt
http://www.krakowlabs.com/dev/fuz/bf3/include/mod/css.h.txt
http://www.krakowlabs.com/dev/fuz/bf3/include/mod/dom.h.txt
http://www.krakowlabs.com/dev/fuz/bf3/include/mod/html.h.txt
http://www.krakowlabs.com/dev/fuz/bf3/include/mod/js.h.txt
http://www.krakowlabs.com/dev/fuz/bf3/include/mod/xml.h.txt
http://www.krakowlabs.com/dev/fuz/bf3/Makefile.txt
http://www.krakowlabs.com/dev/fuz/bf3/media/bf3.jpeg
http://www.krakowlabs.com/dev/fuz/bf3/media/bf3.avi
http://www.krakowlabs.com/dev/fuz/bf3/samples/css/bmgsec.html.txt
http://www.krakowlabs.com/dev/fuz/bf3/samples/css/style.css.txt
http://www.krakowlabs.com/dev/fuz/bf3/samples/xml/index.html.txt
http://www.krakowlabs.com/dev/fuz/bf3/samples/xml/cd_catalog.xml.txt
http://www.krakowlabs.com/dev/fuz/bf3/doc/bf3_doc.txt
http://www.krakowlabs.com/dev/fuz/bf3/bf3.tar.gz