Im currently starting a project on browser fuzzing, i want to find out given a input considerably trimmed down; how will the browser will process it. The problem where im running into is finding out how to figure out if a browser throws an event such as alert('xss'). Quite simply looking into what the server returns isnt good enough, but this requires manual testing sometimes. and it can be rather annoying. I'd like to automate this in some kind of cli while being able to figure out if its a vulnerability to IE's, mozilla, etc. rendering engine for example. Anyone have any pointers, it would be greatly appreciated.

trix

Yah, I have a trick I've been doing to avoid the popups. Check out http://ha.ckers.org/weird/variable-width-encoding.cgi in Internet Explorer to see what I'm talking about. I update a text box with the functions that worked. It helps get around the manual testing. The problem with this is it actually can completely break if you go to the infinite degree because it will run into situations where you output stuff like <plaintext> or whatever that break everything below it. It's still a very manual process, I've found.

Using the IE ActiveX Object, you can catch events, such as OnNewWindowOpen. Open a popup window, set a token as url and catch it.
About 10 lines of code in delphi, I wasn't in to the mozilla code, but some lines of code should make it, too..

That's not a bad idea. When I was talking about this with Dinis Cruz he said I could build hooks into IE with .NET... but I think you hit on the exact problem, I don't need this to work in just one browser, but all three major browsers, and sometimes what you find completely breaks everything around it. I haven't found a bullet proof solution yet because you need to know what happens in browser space. For instance, the downlevel hidden block in IE.

How would you catch that, exactly? You have to know to put a normal vector inside of an IE comment block. It's tricky at best to do manually, and I'm not sure how an automated system could possibly catch that. That's one of the reasons I've been hanging around the metasploit guys. I think it's closer to being a metasploit project problem where a few people come up with a few common attack patterns and the rest of the community uses those, rather than finding all possible attack strings for everything, which is cumbersome.

Well once I get the basic browser fuzzing to work then I could generate a ruleset which i could enumerate through. Say the browser updated, you can still test for vulnerabilities in the browser rendering engine rather than manually go through all the tests manually. I mean doing this manually is viable, but I feel that its a repetitive process that could be automated. Who knows perhaps your right it might become a metasploit project, we'll have to see.

Well before you get too far into the project let me know which path you take, I can probably save you time. For instance there are certain ASCII ranges that are better to search through for identifying potential problems than others. So if you have limited time/resources it's faster to search through those than others to get a better sampling of which potential chars have a greater potential for causing problems. So far it has worked really well in narrowing down the possible charachter sets.