Today I'm sharing an IE fuzzer that I developed almost from scratch. Like many other pieces of software, browsers can be fuzzed in two ways: a) statically and b) dynamically.
Dynamic browser fuzzers are very popular because of their speed, since they are written purely in JavaScript. However, one common problem software security auditors face while fuzzing a browser dynamically is crash reproduction. You have to be very careful while crafting your JS browser fuzzer (placing the logging code in the right place), otherwise the crash will not be reproducible.
The other option is a static fuzzer. If you fuzz browsers using static test cases, in 99% of cases 'a crash' == 'a reproducible crash'.
This static IE fuzzer is written in Python, and the following modules were used.
To run this fuzzer you have to make the following changes in IE:
1. Since this fuzzer loads the test cases locally (e.g. file://c:/fuzzer/testcases/temp.html) as .html files, you must turn off IE's ActiveX warning prompt by following the instructions below.
Tools (menu) -> Internet Options -> Security (tab) -> Custom Level (button) -> Disable Automatic prompting for ActiveX controls.
2. You also need to disable IE Protected Mode to be able to control Internet Explorer from Python via 'win32com'. Please be aware of the risks: these settings lower the browser's security, so apply them only on a dedicated fuzzing machine or VM.
-> Internet Options -> Security -> Trusted Sites : Low
-> Internet Options -> Security -> Internet : Medium + unchecked Enable Protected Mode
-> Internet Options -> Security -> Restricted Sites : unchecked Enable Protected Mode
You can write your own static test case generator for this fuzzer in Python. Place it inside the /TestCases folder. For reference, one sample is given in 'TestCases/SampleTestCase.py'. While writing test cases, remember that each must define a 'TestCase' class with a 'getFinalTestCase()' method, and getFinalTestCase() should return the entire HTML page as a string.
In a dynamic fuzzer, the attributes of the different HTML elements are extracted from the object and fuzzed on the fly at runtime; since this is a static fuzzer, we can predefine the HTML elements and their attributes in our test case as a Python dict:
attr = {'CANVAS':['height','width','getContext', ... , ... , ... ]}
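As an added example (not the SampleTestCase.py that ships with IEFuzz), here is a minimal generator in the shape the fuzzer expects: a 'TestCase' class whose 'getFinalTestCase()' returns the whole HTML page, built from a predefined element/attribute dict like the one above. The element and attribute names, the value pool and the 'seed' constructor argument are my own assumptions. The point it demonstrates is the reproducibility argument made earlier: every choice is drawn from a PRNG seeded with a number that is also written into the page title, so a test case that crashes the browser can be regenerated byte-for-byte from its seed alone.

```python
import random
import html

# Constructed example dict in the same shape as the post's attr dict.
# Attribute names are illustrative, not an exhaustive list for each element.
ATTRS = {
    'CANVAS': ['height', 'width', 'id'],
    'DIV': ['id', 'class', 'title', 'style'],
    'INPUT': ['type', 'value', 'maxlength', 'size'],
}

# Constructed value pool: boundary-style values a static generator cycles through.
VALUES = ['0', '-1', '1', '255', '65535', '2147483647', 'A' * 64, '', 'x y z']


class TestCase:
    """Static test case: the whole page is decided by `seed` before the
    browser ever loads it, so the same seed always yields identical HTML."""

    def __init__(self, seed, element_count=8):
        self.seed = seed
        self.element_count = element_count

    def _elements(self):
        # A dedicated PRNG instance keeps this independent of any other
        # random.* calls in the process, which is what makes it reproducible.
        rnd = random.Random(self.seed)
        out = []
        for i in range(self.element_count):
            tag = rnd.choice(sorted(ATTRS))
            names = ATTRS[tag]
            chosen = rnd.sample(names, rnd.randint(1, len(names)))
            attrs = ' '.join(
                '%s="%s"' % (name, html.escape(rnd.choice(VALUES), quote=True))
                for name in chosen
            )
            out.append('<%s %s>elem%d</%s>' % (tag, attrs, i, tag))
        return out

    def getFinalTestCase(self):
        """Return the entire HTML page as one string (the fuzzer's contract)."""
        body = '\n'.join(self._elements())
        return (
            '<!DOCTYPE html>\n<html>\n<head>\n'
            '<title>seed %d</title>\n</head>\n<body>\n%s\n</body>\n</html>\n'
            % (self.seed, body)
        )


def write_test_case(seed, path):
    """Write one static test case to disk for the driver to load via file://.
    Log the seed next to the crash record and the case can be regenerated."""
    page = TestCase(seed).getFinalTestCase()
    with open(path, 'w') as fh:
        fh.write(page)
    return page


if __name__ == '__main__':
    # Hypothetical driver loop: one file per seed, seed recorded in the name.
    for seed in range(3):
        write_test_case(seed, 'temp_%d.html' % seed)
```

Because the seed is the only state, the driver only needs to log which seed (or file name) was loaded when IE died; nothing about the browser's runtime state has to be captured, which is exactly the advantage over a JavaScript fuzzer that mutates the DOM live.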
Source Code:
The source code of IEFuzz is available for download on my GitHub page.
This software is licensed under the Beerware licence, although the following libraries are included with 'IEFuzz' and are licensed separately.
A video demo is available here on how to run this fuzzer and reproduce crashes.
Happy Fuzzing :) :)