
Framboise is a fuzzer for in-depth testing of WebAPIs.



Run in Docker

docker run -e FUZZER_MAX_RUNTIME=600 -it --rm taskclusterprivate/framboise:latest ./ -settings settings/framboise.linux.docker.yaml -fuzzer 1:Canvas2D -debug -restart

Setup for MacOS and Linux

git clone
cd framboise/framboise

Setup for Windows

  1. Ensure Python is installed.

  2. Download the pip package manager.

  3. Run these commands in the Command Prompt (Start Menu > cmd):

    git clone
    cd framboise/framboise
  4. Disable User Account Control (UAC):

    • Control Panel > User Accounts and Family Safety > User Accounts
    • Change User Account Control settings
    • Set to Never Notify
  5. Edit settings/framboise-{platform}.yaml with your own paths to the target applications.

Sample Module

/*
 * XyzAPI References
 *
 * WebIDL:
 * Specification:
 */

var fuzzerXyz = (function() {
  /*
  ** Initialization
  ** Commands which shall be called at the beginning of a testcase.
  */
  function onInit() {
    let cmd = []

    return cmd
  }

  /*
  ** Main
  ** Command which shall be called after initialization.
  */
  function makeCommand() {
    let cmd = []

    return cmd
  }

  /*
  ** De-initialization.
  ** Commands which shall be called at the end of a testcase.
  */
  function onFinish() {
    let cmd = []

    return cmd
  }

  /*
  ** Methods and attributes.
  */
  let ObjectMethods = {
    'name': ['a', function() { return 'and_b' }, make.number.any]
  }

  let ObjectAttributes = {
    'name': ['a', 'or_b', 'or_c']
  }

  let Events = {
    'object_name': ['name']
  }

  return {
    onInit: onInit,
    makeCommand: makeCommand,
    onFinish: onFinish,
    Events: Events
  }
})()
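
The module shape above, filled in and run through a small driver, as an added example that is not Framboise's own code. It shows why a fixed seed and command cap (the `-random-seed` and `-max-commands` options in the help menu) make a generated testcase reproducible. Assumptions: `fuzzerDemo`, `makeRng`, `pick`, `resolve` and `buildTestcase` are hypothetical names, the PRNG is passed into `makeCommand` explicitly, and a method's array is read as positional arguments while an attribute's array is read as alternative values, following the template's `and_b` / `or_b` placeholders.

```javascript
// Added example: hypothetical stand-in driver, not Framboise's own code.
// mulberry32 PRNG: the same seed always yields the same sequence.
function makeRng(seed) {
  let a = seed >>> 0
  return function () {
    a = (a + 0x6D2B79F5) >>> 0
    let t = Math.imul(a ^ (a >>> 15), a | 1)
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61)
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296
  }
}
const pick = (rng, list) => list[Math.floor(rng() * list.length)]
// A table entry is either a literal or a generator function to call.
const resolve = (rng, v) => JSON.stringify(typeof v === 'function' ? v(rng) : v)

// Constructed module in the template's shape, using real Canvas2D members.
var fuzzerDemo = (function () {
  const int = (rng) => Math.floor(rng() * 4096) - 2048
  let ObjectMethods = {    // assumed: each entry is one positional argument
    'fillRect': [int, int, int, int],
    'fillText': ['fuzz', int, int]
  }
  let ObjectAttributes = { // assumed: each entry is one candidate value
    'lineCap': ['butt', 'round', 'square'],
    'globalAlpha': [0, 1, function (rng) { return rng() }]
  }
  function onInit() {
    return ["var ctx = document.createElement('canvas').getContext('2d')"]
  }
  function makeCommand(rng) {
    if (rng() < 0.5) {
      let name = pick(rng, Object.keys(ObjectMethods))
      let args = ObjectMethods[name].map(p => resolve(rng, p))
      return ['ctx.' + name + '(' + args.join(', ') + ')']
    }
    let name = pick(rng, Object.keys(ObjectAttributes))
    return ['ctx.' + name + ' = ' + resolve(rng, pick(rng, ObjectAttributes[name]))]
  }
  function onFinish() { return ['ctx = null'] }
  return { onInit: onInit, makeCommand: makeCommand, onFinish: onFinish }
})()

// Assemble one testcase: init, maxCommands main commands, then finish.
function buildTestcase(mod, seed, maxCommands) {
  const rng = makeRng(seed)
  let lines = mod.onInit()
  for (let i = 0; i < maxCommands; i++) lines = lines.concat(mod.makeCommand(rng))
  return lines.concat(mod.onFinish())
}
```

Calling `buildTestcase(fuzzerDemo, 1234, 100)` twice returns the same list of statements, which is what lets a crashing testcase be regenerated from its seed alone.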

Usage Examples

The default target is set to Firefox, and the settings file points to settings/framboise.yaml; therefore both flags are omitted in the following examples.

Run a single fuzzer module:

./ -fuzzer 1:WebGL

Run a specific configuration setup of a target:

./ -fuzzer 1:Canvas2D -setup inbound64-release

Run multiple fuzzing modules in multiple worker instances and restart the target when a crash occurs:

./ -fuzzer 1:MediaSource,1:WebVTT,1:MediaRecorder -worker 3 -restart

Run a testcase against the target:

./ -testcase ~/path/to/testcase.html

Simply launch the target:

./ -launch

Help Menu

usage: [-h] [-fuzzer list] [-target name] [-setup name]
                    [-worker #] [-testcase file] [-launch] [-restart]
                    [-timeout #] [-websocket-port #] [-update name] [-list]
                    [-settings file] [-debug] [-max-commands #]
                    [-random-seed #] [-with-set-timeout] [-with-set-interval]
                    [-with-events] [-version]

Framboise Client

optional arguments:
  -h, --help          show this help message and exit
  -fuzzer list        syntax: weighting:module [,...] (default: None)
  -target name        target application (default: firefox)
  -setup name         target environment (default: default)
  -worker #           number of worker instances (default: 1)
  -testcase file      open target app with provided testcase (default: None)
  -launch             launch the target app only (default: False)
  -restart            restart crashed worker (default: False)
  -timeout #          timeout for reload (default: 0)
  -websocket-port #   WebSocket monitor port (default: None)
  -update name        run update script for target (default: None)
  -list               show a list of available modules (default: False)
  -settings file      custom settings file (default:
  -debug              print out JS errors (default: False)
  -max-commands #     maximum amount of commands (default: 100)
  -random-seed #      seed used for the PRNG (default: None)
  -with-set-timeout   make use of setTimeout() (default: False)
  -with-set-interval  make use of setInterval() (default: False)
  -with-events        make use of addEventListener() (default: False)
  -version            show program's version number and exit