<!doctype html>
<html>
<head>
<title>...AND THE MACHINE GRINDS ON!</title>
<meta http-equiv="Cache-Control" content="no-cache"/>
<style>
body {
font-family: "Courier New";
color:yellow;
background-color:orange;
}
</style>
<script type='text/javascript' src='logging.js'></script>
<script type='text/javascript'>
// Shared LOGGER handle (the LOGGER class comes from logging.js, loaded above);
// grind() assigns it before any use, so it is intentionally null until then.
var logger = null;
function grind()
{
logger = new LOGGER( "SimpleExample" );
logger.starting();
/* BEGIN YOUR FUZZING CODE HERE */
var elements = [ 'div', 'input', 'textarea', 'a', 'img', 'form' ];
var counts = [ 1, 4, 8 ];
// Create some elements...
// Note: logging.js includes some helper function including rand_item( ARRAY ) and rand( MAXNUMBER )
var elementA = rand_item( elements );
var elementB = rand_item( elements );
// We must follow the pattern of calling all elements we create id_0, id_1, id_2, ... id_N
// as this is what the testcase creation routines will expect.
logger.log( "id_0 = document.createElement( '" + elementA + "' );", "grind", 1 );
var id_0 = document.createElement( elementA );
logger.log( "document.body.appendChild( id_0 );", "grind", 1 );
document.body.appendChild( id_0 );
logger.log( "id_1 = document.createElement( '" + elementB + "' );", "grind", 1 );
var id_1 = document.createElement( elementB );
logger.log( "document.body.appendChild( id_1 );", "grind", 1 );
document.body.appendChild( id_1 );
// We can include a regular comment (via '// ...comment') and this will be left as a comment
// during testcase creation.
logger.log( "// we are now begining to fuzz...", "grind", 1 );
// Perform up to 128 operations on these elements...
for( var i=0 ; i<128 ; i++ )
{
// Get a 'count' value which is the number of times to repeate any operation we pick below...
var count = rand_item( counts );
try
{
// Build an array of property names from this object and pick one. It might be for a function, event handler,
// a string value, a number value and so on...
var propertyA = [];
// we can inlcude a code comment (via '/* ...code... */') which can be optionally uncommented out during testcase creation.
// This is usefull to record when an object was accessed and may help reproduce a crash at a later stage.
logger.log( "/* tickle( id_0 ); */", "grind", 1 );
for( var p in id_0 )
propertyA.push( p );
var propA = rand_item( propertyA );
// Pick an operation to perform...
switch( rand(4) )
{
// Set some property to NULL...
case 0:
logger.log( "id_0['" + propA + "'] = null;", "grind", count );
for( var c=0 ; c<count ; c++ )
id_0[propA] = null;
break;
// Perhaps we can call this (we have performed no validation if propA is for a function of not)
case 1:
logger.log( "id_0['" + propA + "']();", "grind", count );
for( var c=0 ; c<count ; c++ )
id_0[propA]();
break;
// Perform a call and pass in object B as a parameter...
case 2:
logger.log( "id_0['" + propA + "']( id_1 );", "grind", count );
for( var c=0 ; c<count ; c++ )
id_0[propA]( id_1 );
break;
// Set some value from one object to the value of another (although we havent verified if the other property even exists)...
case 3:
logger.log( "id_0['" + propA + "'] = id_1['" + propA + "'];", "grind", count );
for( var c=0 ; c<count ; c++ )
id_0[propA] = id_1[propA];
break;
default:
break;
}
}
catch( exception )
{
// Swallow the exception and continue...
}
}
/* END YOUR FUZZING CODE HERE */
logger.finished();
window.location.href = window.location.protocol + '//' + window.location.host + '/grinder';
}
</script>
</head>
<body onload='grind();'></body>
</html>