HackerTrans
TopNewTrendsCommentsPastAskShowJobs

andrei

no profile record

Submissions

Fuzzing Go APIs for SQL Injection

blog.fuzzbuzz.io
64 points·by andrei·4 years ago·22 comments

House passes bill that DoD software can’t have any CVEs

twitter.com
19 points·by andrei·4 years ago·9 comments

Advanced Go Fuzzing Techniques

blog.fuzzbuzz.io
2 points·by andrei·4 years ago·0 comments

comments

andrei
·2 years ago·discuss
just link to the real thing :) [0]

[0]: https://twitter.com/nealagarwal/status/1747284257582506102
andrei
·3 years ago·discuss
facepalm I read that paragraph, but my brain skipped that sentence for some reason. Thanks for clarifying
andrei
·3 years ago·discuss
How is this different than just turning your TV off? I feel like I'm missing something
andrei
·4 years ago·discuss
Somewhat relevant: https://tonsky.me/blog/disenchantment/
andrei
·4 years ago·discuss
As of go 1.18, fuzzing is built into the toolchain itself, and is what we're using in this post.

We go over the basics here [0], if you'd like to start at the beginning

[0]: https://blog.fuzzbuzz.io/go-fuzzing-basics/
andrei
·4 years ago·discuss
It's much more common than you may think - especially at larger organizations where engineers go "off-script" frequently.

That being said, we wanted to highlight an example of how fuzzing can be applied to a typical (albeit, toy) API to find logic bugs, and figured SQL Injection would be something that resonated with most (all?) developers.
andrei
·4 years ago·discuss
A lot of folks we talk to think fuzzing is only useful for finding memory leaks in C++ programs, so we wanted to show how adding a single fuzz test to your API can find SQL injection and other logic bugs.

Would love to hear others' experience with Go fuzzing now that it's been out for a few months.
andrei
·4 years ago·discuss
> 2. What measures is Oven taking to proactively detect and mitigate vulnerabilities? (e.g.: fuzzing, audits, bug bounties)

We're huge fans of bun at Fuzzbuzz (waiting for it to get a bit more production-ready). If Jarred's interested, we'd be happy to donate some compute to support fuzzing Bun.

<hn username> @ fuzzbuzz.io
andrei
·4 years ago·discuss
I've heard this talked about before, and I believe there's a phrase for it, but I don't remember. Do you happen to know?