3.1. one fuzzing template revealed over 100 IE UAF¶
这篇文章出自black hat Europe 2014的一篇讲稿
作者提出
– Engineers are not good at repairing
– Engineers make mistakes taking things apart (undoing)
– Engineers made mistakes putting things back together (redoing)
从这里就延伸出去想到工程师可能会犯错的地方,然后fuzzer就从下面这些地方的思路开始构造
- Explicit Pairings
– Direct: ‘on/off’, ‘true/false’, properties. - e.g.
display="block"/"none"
appendChild/removeChild
addEventListener :
focusin/focusout
- Implicit Pairings
Indirect: inheritance, nullity, state change.
e.g.
Content:
innerText=''/ document.write('')
Relation: swap parent/child node
Status:
window.navigate('') / location.reload()
- Hybrid Pairings
Complexity of mixing explicit and implicit.
Script (Dynamic) + HTML (Static)
<body contentEditable='true'>
Document.body.contentEditable='false';
Property + Method
- Pairing Combinations
– Multiple pairings per page.