HackerTrans
TopNewTrendsCommentsPastAskShowJobs

andrei

no profile record

Submissions

Fuzzing Go APIs for SQL Injection

blog.fuzzbuzz.io
64 points·by andrei·4 tahun yang lalu·22 comments

House passes bill that DoD software can’t have any CVEs

twitter.com
19 points·by andrei·4 tahun yang lalu·9 comments

Advanced Go Fuzzing Techniques

blog.fuzzbuzz.io
2 points·by andrei·4 tahun yang lalu·0 comments

Go Fuzz Testing

blog.fuzzbuzz.io
114 points·by andrei·4 tahun yang lalu·22 comments

comments

andrei
·2 tahun yang lalu·discuss
just link to the real thing :) [0]

[0]: https://twitter.com/nealagarwal/status/1747284257582506102
andrei
·3 tahun yang lalu·discuss
facepalm I read that paragraph, but my brain skipped that sentence for some reason. Thanks for clarifying
andrei
·3 tahun yang lalu·discuss
How is this different than just turning your TV off? I feel like I'm missing something
andrei
·4 tahun yang lalu·discuss
Somewhat relevant: https://tonsky.me/blog/disenchantment/
andrei
·4 tahun yang lalu·discuss
As of go 1.18, fuzzing is built into the toolchain itself, and is what we're using in this post.

We go over the basics here [0], if you'd like to start at the beginning

[0]: https://blog.fuzzbuzz.io/go-fuzzing-basics/
andrei
·4 tahun yang lalu·discuss
It's much more common than you may think - especially at larger organizations where engineers go "off-script" frequently.

That being said, we wanted to highlight an example of how fuzzing can be applied to a typical (albeit, toy) API to find logic bugs, and figured SQL Injection would be something that resonated with most (all?) developers.
andrei
·4 tahun yang lalu·discuss
A lot of folks we talk to think fuzzing is only useful for finding memory leaks in C++ programs, so we wanted to show how adding a single fuzz test to your API can find SQL injection and other logic bugs.

Would love to hear others' experience with Go fuzzing now that it's been out for a few months.
andrei
·4 tahun yang lalu·discuss
> 2. What measures is Oven taking to proactively detect and mitigate vulnerabilities? (e.g.: fuzzing, audits, bug bounties)

We're huge fans of bun at Fuzzbuzz (waiting for it to get a bit more production-ready). If Jarred's interested, we'd be happy to donate some compute to support fuzzing Bun.

<hn username> @ fuzzbuzz.io
andrei
·4 tahun yang lalu·discuss
I've heard this talked about before, and I believe there's a phrase for it, but I don't remember. Do you happen to know?
andrei
·4 tahun yang lalu·discuss
Good catch :) fixed!
andrei
·4 tahun yang lalu·discuss
It does! Fuzzing actually started off as a tool built by security researchers to find vulnerabilities in parsers, and other complex codebases, usually written in C/C++ (looking for memory bugs). So anything that deals with untrusted binary data is a prime candidate for fuzz testing.

Go’s fuzzing framework supports `[]byte` arguments as well as all of the standard Go primitives, so you should be able to test netcode this way.

If you're looking for a C/C++ solution, my recommendation is libfuzzer [0]. We've also built our own C/C++ fuzzing engine at Fuzzbuzz [1].

[0] https://llvm.org/docs/LibFuzzer.html

[1] https://docs.fuzzbuzz.io/docs/getting-started-in-c-or-c++
andrei
·4 tahun yang lalu·discuss
This was a big reason for why our entire eng team moved to linux