HackerTrans
TopNewTrendsCommentsPastAskShowJobs

andrei

no profile record

Submissions

Fuzzing Go APIs for SQL Injection

blog.fuzzbuzz.io
64 points·by andrei·4 năm trước·22 comments

House passes bill that DoD software can’t have any CVEs

twitter.com
19 points·by andrei·4 năm trước·9 comments

Advanced Go Fuzzing Techniques

blog.fuzzbuzz.io
2 points·by andrei·4 năm trước·0 comments

Go Fuzz Testing

blog.fuzzbuzz.io
114 points·by andrei·4 năm trước·22 comments

comments

andrei
·2 năm trước·discuss
just link to the real thing :) [0]

[0]: https://twitter.com/nealagarwal/status/1747284257582506102
andrei
·3 năm trước·discuss
facepalm I read that paragraph, but my brain skipped that sentence for some reason. Thanks for clarifying
andrei
·3 năm trước·discuss
How is this different than just turning your TV off? I feel like I'm missing something
andrei
·4 năm trước·discuss
Somewhat relevant: https://tonsky.me/blog/disenchantment/
andrei
·4 năm trước·discuss
As of go 1.18, fuzzing is built into the toolchain itself, and is what we're using in this post.

We go over the basics here [0], if you'd like to start at the beginning

[0]: https://blog.fuzzbuzz.io/go-fuzzing-basics/
andrei
·4 năm trước·discuss
It's much more common than you may think - especially at larger organizations where engineers go "off-script" frequently.

That being said, we wanted to highlight an example of how fuzzing can be applied to a typical (albeit, toy) API to find logic bugs, and figured SQL Injection would be something that resonated with most (all?) developers.
andrei
·4 năm trước·discuss
A lot of folks we talk to think fuzzing is only useful for finding memory leaks in C++ programs, so we wanted to show how adding a single fuzz test to your API can find SQL injection and other logic bugs.

Would love to hear others' experience with Go fuzzing now that it's been out for a few months.
andrei
·4 năm trước·discuss
> 2. What measures is Oven taking to proactively detect and mitigate vulnerabilities? (e.g.: fuzzing, audits, bug bounties)

We're huge fans of bun at Fuzzbuzz (waiting for it to get a bit more production-ready). If Jarred's interested, we'd be happy to donate some compute to support fuzzing Bun.

<hn username> @ fuzzbuzz.io
andrei
·4 năm trước·discuss
I've heard this talked about before, and I believe there's a phrase for it, but I don't remember. Do you happen to know?
andrei
·4 năm trước·discuss
Good catch :) fixed!
andrei
·4 năm trước·discuss
It does! Fuzzing actually started off as a tool built by security researchers to find vulnerabilities in parsers, and other complex codebases, usually written in C/C++ (looking for memory bugs). So anything that deals with untrusted binary data is a prime candidate for fuzz testing.

Go’s fuzzing framework supports `[]byte` arguments as well as all of the standard Go primitives, so you should be able to test netcode this way.

If you're looking for a C/C++ solution, my recommendation is libfuzzer [0]. We've also built our own C/C++ fuzzing engine at Fuzzbuzz [1].

[0] https://llvm.org/docs/LibFuzzer.html

[1] https://docs.fuzzbuzz.io/docs/getting-started-in-c-or-c++
andrei
·4 năm trước·discuss
This was a big reason for why our entire eng team moved to linux