1. 7
  1. 2

    Well done writeup, with enough detail to be interesting but not tedious. I’m looking forward to Part 2.

    My impression is that their approach is largely inspired by Google’s ClusterFuzz. Projects that meet Google’s criteria can use their “OSS-Fuzz” infrastructure, but hooray for DIY if you have the resources.

    1. 1

      I’m looking forward to the next part as well. I think this is a little bit different than clusterfuzz/ossfuzz since it is using a more cusotmized (grammar based) fuzzer, as opposed to a generic fuzzer like libfuzzer.

      I’m mostly interested to see if this is really a security issue since the sanitizer reported a segmentation fault rather than a buffer overflow. Regardless, it is still a bug that they found so it is a worthy cause.

      I’m also not a javascript expert but I’m wondering why the author was confused to find promise objects within the array: doesn’t mapping an async function over an array create an array of promises?

      1. 1

        If you read the first part of this series, this was the vulnerability they used in their pwn2own exploit.