I have a client who is using an opensource platform to create their own web browser. I am having a hard time figuring out the steps I need to take to hack this thing.

1. Go to sites that perform some security testing on the browswer. I found one out of Belgim http://bcheck.scanit.be/bcheck/ . They perform some high level testing over the net which is cool, but I would like something even more intense. Any suggestions?
2. In a sandbox environment, go to sites with known malware and see how hard it is to get some applets or activex bits installed. Anyone know if there is an up-to-date list of sites with known Malware?
3. General standards based testing sites such as acid3? Any ideas?

Thanks guys for any pointers.

S

As Ketchup mentioned, you really need to get your hands on the browser and preferably the source code, though having the source code isn't always critical. Depending on the size of the program, we can sometimes produce some exploits just by fuzzing.  Going to an exploit site and just blindly blasting them at a program that was privately written is more than likely going to fail. In theory you could get lucky depending on how much code might have been "borrowed", but the odds are very much against it.