I would have never found this myself, because I would have had no reason to look for it. It's a single character typo in a regular expression that has no effect on the intended functionality, but leads to catastrophic backtracking when fed with malicious input. Why typo? Because the same pattern is used twice, and only one of them was bad.
The library has 100% test coverage, including malicious input scenarios. But for this kind of issue you'd need a fuzzer. Maybe I should look into #fuzzing?
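A constructed illustration of the kind of typo described in the post above (added here; it is not the post's code or the affected library's actual pattern): the intended `(a+)b` and the one-character slip `(a+)+b` accept exactly the same strings, so accept/reject tests cannot tell them apart, but a step-counting mini-matcher shows the work doubling per character for the typo. The patterns, the adversarial input and the matcher are all assumptions for the demonstration.

```python
# Constructed example: the intended pattern `(a+)b` and a one-character typo
# `(a+)+b` (an extra `+`). Both accept exactly the same strings, so normal
# tests stay green, but the typo nests two unbounded repetitions over the
# same characters and backtracks through every way of splitting a run of 'a'.
GOOD = ("seq", [("plus", ("lit", "a")), ("lit", "b")])           # (a+)b
BAD = ("seq", [("plus", ("plus", ("lit", "a"))), ("lit", "b")])  # (a+)+b


def match(node, s, i, k, counter):
    """Tiny backtracking matcher in continuation-passing style; counter[0]
    is incremented on every step so the blow-up is visible without timing."""
    counter[0] += 1
    kind = node[0]
    if kind == "lit":
        return i < len(s) and s[i] == node[1] and k(i + 1)
    if kind == "seq":
        def run(j, idx):
            if idx == len(node[1]):
                return k(j)
            return match(node[1][idx], s, j, lambda j2: run(j2, idx + 1), counter)
        return run(i, 0)
    if kind == "plus":  # greedy: try one more repetition before handing over to k
        def rep(j):
            return match(node[1], s, j,
                         lambda j2: (j2 > j and rep(j2)) or k(j2), counter)
        return rep(i)
    raise ValueError(node)


def steps(pattern, n):
    """Steps taken to reject the adversarial input 'a'*n + 'c', which almost
    matches and only fails on the last character."""
    s = "a" * n + "c"
    counter = [0]
    match(pattern, s, 0, lambda j: j == len(s), counter)
    return counter[0]


def growth(pattern, n):
    """Step-count ratio when the input grows by one character: about 1 means
    linear work, about 2 means the work doubles per character."""
    return steps(pattern, n + 1) / steps(pattern, n)


if __name__ == "__main__":
    for n in (8, 10, 12):
        print(n, steps(GOOD, n), steps(BAD, n))
    print("growth per char:", growth(GOOD, 12), growth(BAD, 12))
```

The same doubling shows up as wall-clock time when Python's own `re` engine is given `(a+)+b` and the same input, which is what a fuzzer with a time budget would flag.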
labeille runs test suites from popular PyPI packages against a JIT-enabled CPython build and catches crashes: segfaults, assertion failures, etc.
If all of requests, flask, attrs, etc. pass their tests under the JIT, that shows the JIT is working. If one crashes, there's a bug with a reproducer. We've found one crash so far: https://github.com/python/cpython/issues/145197
This requires curating a local package registry with repo URLs, install and test commands, etc.
I've been working on a new Python tool: labeille. Its main purpose is to look for CPython JIT crashes by running real-world test suites.
https://github.com/devdanzin/labeille
But it's grown a feature that might interest more people: benchmarking using PyPI packages.
How does that work?
labeille allows you to run test suites in 2 different configurations. Say, with coverage on and off, or memray on and off. Here's an example:
https://gist.github.com/devdanzin/63528343df98779b5fedf657bf8286cd
Trumpairport.com was registered 2/21/2022. There's a blank page with Google analytics. The site is hosted on Wix. DNS for email is not configured.
I'll spend some time fuzzing DNS to see if there are any clues. Maybe try fuzzing urls to see if anything else is there.
Can anyone recommend blog posts or talks on setting up your own fuzzing cluster? I'm curious whether fuzzing aficionados still use regular processes on bare metal for performance, or whether they have embraced containers and Kubernetes (or Docker Swarm, or Rancher, or Nomad)? I suspect containers must add some degree of latency, but make deploying new test harnesses much easier. Also, is it cheaper to set up your cluster "in the cloud", or to host your own fuzzing cluster on your own hardware?
... to make security vulnerabilities and stability problems visible early.
This is where our training course „Security Testing mit Fuzzing“ helps!
Format: 2 days on-site + online session
Target audience: teams and decision-makers from development, testing and quality assurance.
Location: Fraunhofer FOKUS in Berlin
Next dates in 2026: 05.–06.05., 23.–24.06., 29.–30.09., 24.–25.11.
👉🏻 https://www.fokus-akademie.de/de/kurse/fuzzing-security-testing.html
#fuzzing #SoftwareTesting #cybersecurity #devsecops #QualityEngineering #CyberResilienceAct