
Fuzzing Node.js core

Open vdeturckheim opened this issue 7 years ago • 12 comments

Hello All,

Microsoft has granted us access to Microsoft Security Risk Detection (https://docs.microsoft.com/en-us/security-risk-detection/). This tool enables us to fuzz Node.js core in order to find possible vulnerabilities. With @mrkmarron, we created a first test session that fuzzed the zlib module with txt inputs (no issues were found ;) ). I will start new sessions of testing on the same module but with more complex inputs (exe, dll, txt, xml, json, JavaScript source code, ...).

The questions here:

  • is anyone else interested in this topic?
  • which core modules should we test in priority? With which methodology?

vdeturckheim avatar Nov 02 '18 15:11 vdeturckheim

I would expect code used outside of node (zlib, OpenSSL, v8's JSON parser) to be fairly robust. I suspect the inspector protocol's ws socket might be vulnerable to fuzzing because it's newer and less tested. Also less interesting because it's essentially insecure ;-).

The http_parser would be well worth fuzzing, it's not used so much outside of node, and vulnerabilities there would be remotely exploitable.

What do you mean by "methodology"?

sam-github avatar Nov 02 '18 15:11 sam-github

👍 to test these. Right now, I am not sure how to test these with this tool, my understanding is it is mostly designed to test anything that takes a file as an input, so I'm clear on how we can partially test parts of the http_parser (like mutating HTTP headers, HTTP body, one by one) the question would be, would that make sense to do it that way?

vdeturckheim avatar Nov 02 '18 15:11 vdeturckheim

it is mostly designed to test anything that takes a file as an input, so I'm clear on how we can partially test parts of the http_parser

Did you mean "not clear"?

If it's file-based, it might take some effort to get the files into the http_parser, but it's absolutely worth fuzzing the protocol parser.

sam-github avatar Nov 02 '18 16:11 sam-github

I can have an HTTP client that takes a file as input and sets the file content as HTTP header or HTTP body to fuzz this part, right? That's what I had in mind :)

Good point for the protocol parser. At the end of the day we need an executable (win32), optionally command line arguments for this executable, and 5 to 1K seed files.

vdeturckheim avatar Nov 02 '18 16:11 vdeturckheim

I can have an HTTP client that takes a file as input and sets the file content as HTTP header or HTTP body to fuzz this part, right? That's what I had in mind :)

Good point for the protocol parser. At the end of the day we need an executable (win32), optionally command line arguments for this executable, and 5 to 1K seed files.

This is a great idea.

waveywaves avatar Nov 05 '18 17:11 waveywaves

(For cc https://github.com/nodejs/node/pull/24059)

vdeturckheim avatar Nov 07 '18 14:11 vdeturckheim

I'm interested in this + helping if possible but have no clue how it would work 😄

bnb avatar Nov 07 '18 18:11 bnb

I'll add fuzzing plans on the repo and let's iterate over the PRs then :)

vdeturckheim avatar Nov 08 '18 14:11 vdeturckheim

We'll be happy to help you integrate with OSS-Fuzz if you want :)

Even though typical integrations can be done in < 100 LoC, we have a reward program in place which aims to recognize folks who are not just contributing to open source, but are also working hard to make it more secure.

We want to stress that anyone who meets the eligibility criteria and integrates a project with OSS-Fuzz is eligible for a reward.

Google-Autofuzz avatar Jul 05 '19 12:07 Google-Autofuzz

We'll be happy to help integration with Fuzzit as well. Cheers, Yevgeny

yevgenypats avatar Aug 06 '19 09:08 yevgenypats

@vdeturckheim Is this still an active subject?

fraxken avatar Jul 17 '22 14:07 fraxken

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.

github-actions[bot] avatar Oct 16 '22 00:10 github-actions[bot]