My experience with the Browser Fuzzing Humla session – 31st August 2013

Written on September 4, 2013

This is a personal account of Sudhir Babu who attended the null Bangalore Browser Fuzzing Humla session taken by null Humla champion Anil Aphale.

I had an amazing experience last Saturday at Null Humla “Browser Fuzzing” session. “Browser Fuzzing”?? It was an alien concept for me, I did some work with Java script previously but I never understood why my browser ever crashed; most of the times I just ignored it , though it’s just inconvenience, my curiosity kicked in. I asked Null team for details, the presenter for the session was Anil Aphale, an independent researcher who was currently working with McAfee and had done pretty decent work with browser fuzzing. I was excited and anxious, filled the online form to sign-up for this session and was looking forward to it. I was lucky enough to get a spot.

On Saturday, on the day of the session, it was heavily pouring in Bangalore and I was 100% drenched, was little awkward entering inot ThoughWorks office for the session but it was just not me, there were so many other folks totally drenched as well ? , we also had few folks who came all the way from Mysore to attend the session. I felt everyone in the room shared same eagerness to explore fuzzing concepts and we were ready to get started. I think Anil did consider the diverse audience; we had from 2nd year engineering students to experienced security professional attending the session. He started with his first slide “What is Fuzzing?”, he had around 10 slides, with his comprehensive explanation on each slide, it was an brilliant introduction to the concept. I knew what I wanted from the session, I did not except myself to write an exploit just after the session but certainly was hoping that I understand the concept well and build basic building blocks if I like the idea. He did that brilliantly just with his slides; hands-on was a step ahead in the learning.

Well, for hands-on session I had all the pre-requisites installed on my system, for people who did not, Anil gave a USB stick with pre-requisites and some sample files for hands-on fuzzing. We started with static fuzzing, where we took about 1000 web pages and mutated into 10,000 samples using just one command in Radamsa. I was amazed to see how simple static fuzzing can be; probably Anil made it simple enough for me to understand. It was a good hour and half session doing static fuzzing and then we move to Dynamic Fuzzing. For Dynamic Fuzzing, you have re write your own java script from scratch to fuzz a browser. It was interesting; he took a code provided with Grinder (tool for Dynamic Fuzzing) and explained how anyone can write a java script to fuzz a browser using that code as template, his attention to details was the key for the audience (at least myself) to understand the code. His explanation on his own Zero day was limited but demonstration was a very good PoC for the audience. After the PoC, we said good bye’s.

Feeling excited, I rushed back home, downloaded 30 web pages and mutated into 10,000 samples to test on IE7 on my personal laptop, used Radamsa. IE on my personal system did not crash, it doesn’t when we want it to, it only does when don’t want it to. ? I was not disappointed and no worries brother, at least I knew what I was doing. I plan to go back to my books, understand browser functions better, research and look for know exploits for browsers and keep trying. I was appreciate of Anil’s time that he took from his personal life and his attitude to share openly with community.

If you plan to attend upcoming Humla session; it’s a good idea!!! Well the key to success and making the best use of your time is to ask questions. Ensure that you understand the concept and follow the demo diligently. If you are in Bangalore, it’s 30 bucks in petrol and a very good use of your Saturday !!!

Sudhir Babu B, a security enthusiastic professional who recently started attending null Bangalore chapter meetings;June null meet in Bangalore was his first null meet; works with a Big4 firm in Bangalore.