Browsers are a target that interests almost every security researcher. The reasons are obvious: first, the number of affected users is large. In addition, bug bounty contests like Pwnium offer attractive rewards for discovering browser vulnerabilities. Last but not least, many browser bugs are exploitable with common techniques like heap spraying.
The main goal of a browser fuzzer is to trigger memory corruption flaws such as use-after-free and double-free vulnerabilities. This can be accomplished by creating random DOM structures and stress-testing them with object generation, deletion, mutation and reference manipulation.
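As an added illustration (this is not bamboo.js code), the following generator produces a seeded, replayable script of the kind of DOM stress actions described above: create, mutate, detach, and access-through-a-kept-reference on an abstract node table. Seeding every run makes a crash reproducible from (seed, step), which is what a fuzzer's log needs to record; the tag and attribute names are constructed samples.

```javascript
// Candidate element and attribute names (constructed samples).
const TAGS = ["div", "span", "table", "tr", "td", "input", "select"];
const ATTRS = ["id", "class", "title", "style"];

// xorshift32: a tiny deterministic PRNG so a run can be replayed from its seed.
function makeRng(seed) {
  let s = (seed >>> 0) || 1;          // state must never be zero
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5;  s >>>= 0;
    return s / 0x100000000;           // uniform in [0, 1)
  };
}

// Produce `steps` DOM actions as JS source lines. `live` holds ids of nodes
// still in the tree, `detached` ids of nodes removed while a JS reference is
// kept; touching a detached node again is the "insecure reference" pattern
// that exercises the engine's lifetime bookkeeping.
function generateScript(seed, steps) {
  const rnd = makeRng(seed);
  const pick = arr => arr[Math.floor(rnd() * arr.length)];
  const live = [], detached = [], ops = [];
  let nextId = 0, staleRefs = 0;
  for (let i = 0; i < steps; i++) {
    const r = rnd();
    if (live.length === 0 || r < 0.4) {          // generation
      const id = nextId++;
      live.push(id);
      ops.push(`n${id} = document.createElement("${pick(TAGS)}")`);
    } else if (r < 0.6) {                         // mutation
      ops.push(`n${pick(live)}.setAttribute("${pick(ATTRS)}", "${i}")`);
    } else if (r < 0.8) {                         // deletion, reference kept
      const id = live.splice(Math.floor(rnd() * live.length), 1)[0];
      detached.push(id);
      ops.push(`n${id}.remove()`);
    } else if (detached.length > 0) {             // reference stress on detached node
      staleRefs++;
      ops.push(`n${pick(detached)}.textContent = "step${i}"`);
    } else {                                      // restructuring; may throw, so guarded
      ops.push(`try { n${pick(live)}.appendChild(n${pick(live)}) } catch (e) {}`);
    }
  }
  return { ops, staleRefs };
}
```

A replay harness would evaluate `ops` line by line in the browser under test and report the seed and the index of the last line executed before a crash.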
What is bamboo.js?
- bamboo.js is an attempt to create a fast and reliable DOM fuzzer for discovering security vulnerabilities in web browsers
- The fuzzing scope covers DOM Level 1, 2 and 3
- The main module triggers semi-random object modifications and creates insecure references (references to nodes that have already been removed)
- Other modules can be added easily
- Reliable logging via WebSockets
Internet Explorer is not supported yet due to missing data-URL support.
The following features will be available in the next deployment:
- Object ranges and NodeIterator fuzzing
- Unicode fuzzing (will be an external module)
To get started fuzzing with bamboo.js, clone the current repository to your local web root directory and run the server (server.rb).
The latest source code is available at GitHub.