HackerTrans
TopNewTrendsCommentsPastAskShowJobs

andrei

no profile record

Submissions

Fuzzing Go APIs for SQL Injection

blog.fuzzbuzz.io
64 points·by andrei·4 anni fa·22 comments

House passes bill that DoD software can’t have any CVEs

twitter.com
19 points·by andrei·4 anni fa·9 comments

Advanced Go Fuzzing Techniques

blog.fuzzbuzz.io
2 points·by andrei·4 anni fa·0 comments

Go Fuzz Testing

blog.fuzzbuzz.io
114 points·by andrei·4 anni fa·22 comments

comments

andrei
·2 anni fa·discuss
just link to the real thing :) [0]

[0]: https://twitter.com/nealagarwal/status/1747284257582506102
andrei
·3 anni fa·discuss
facepalm I read that paragraph, but my brain skipped that sentence for some reason. Thanks for clarifying
andrei
·3 anni fa·discuss
How is this different than just turning your TV off? I feel like I'm missing something
andrei
·4 anni fa·discuss
Somewhat relevant: https://tonsky.me/blog/disenchantment/
andrei
·4 anni fa·discuss
As of go 1.18, fuzzing is built into the toolchain itself, and is what we're using in this post.

We go over the basics here [0], if you'd like to start at the beginning

[0]: https://blog.fuzzbuzz.io/go-fuzzing-basics/
andrei
·4 anni fa·discuss
It's much more common than you may think - especially at larger organizations where engineers go "off-script" frequently.

That being said, we wanted to highlight an example of how fuzzing can be applied to a typical (albeit, toy) API to find logic bugs, and figured SQL Injection would be something that resonated with most (all?) developers.
andrei
·4 anni fa·discuss
A lot of folks we talk to think fuzzing is only useful for finding memory leaks in C++ programs, so we wanted to show how adding a single fuzz test to your API can find SQL injection and other logic bugs.

Would love to hear others' experience with Go fuzzing now that it's been out for a few months.
andrei
·4 anni fa·discuss
> 2. What measures is Oven taking to proactively detect and mitigate vulnerabilities? (e.g.: fuzzing, audits, bug bounties)

We're huge fans of bun at Fuzzbuzz (waiting for it to get a bit more production-ready). If Jarred's interested, we'd be happy to donate some compute to support fuzzing Bun.

<hn username> @ fuzzbuzz.io
andrei
·4 anni fa·discuss
I've heard this talked about before, and I believe there's a phrase for it, but I don't remember. Do you happen to know?
andrei
·4 anni fa·discuss
Good catch :) fixed!
andrei
·4 anni fa·discuss
It does! Fuzzing actually started off as a tool built by security researchers to find vulnerabilities in parsers, and other complex codebases, usually written in C/C++ (looking for memory bugs). So anything that deals with untrusted binary data is a prime candidate for fuzz testing.

Go’s fuzzing framework supports `[]byte` arguments as well as all of the standard Go primitives, so you should be able to test netcode this way.

If you're looking for a C/C++ solution, my recommendation is libfuzzer [0]. We've also built our own C/C++ fuzzing engine at Fuzzbuzz [1].

[0] https://llvm.org/docs/LibFuzzer.html

[1] https://docs.fuzzbuzz.io/docs/getting-started-in-c-or-c++
andrei
·4 anni fa·discuss
This was a big reason for why our entire eng team moved to linux