December 18, 2009 at 8:14 pm #4502kitchensyncParticipant
I have a client who is using an opensource platform to create their own web browser. I am having a hard time figuring out the steps I need to take to hack this thing.
1. Go to sites that perform some security testing on the browswer. I found one out of Belgim http://bcheck.scanit.be/bcheck/ . They perform some high level testing over the net which is cool, but I would like something even more intense. Any suggestions?
2. In a sandbox environment, go to sites with known malware and see how hard it is to get some applets or activex bits installed. Anyone know if there is an up-to-date list of sites with known Malware?
3. General standards based testing sites such as acid3? Any ideas?
Thanks guys for any pointers.
December 19, 2009 at 6:30 am #28203KetchupParticipant
December 19, 2009 at 5:46 pm #28204KevParticipant
As Ketchup mentioned, you really need to get your hands on the browser and preferably the source code, though having the source code isn’t always critical. Depending on the size of the program, we can sometimes produce some exploits just by fuzzing. Going to an exploit site and just blindly blasting them at a program that was privately written is more than likely going to fail. In theory you could get lucky depending on how much code might have been “borrowed”, but the odds are very much against it.
December 22, 2009 at 7:13 pm #28205kitchensyncParticipant
Thanks for the responses. We will have access to the source code for sure… and I totally agree it is a great place to start, which we will.
I do think it is important to show the client how it reacts to some known browser vulnerabilities (webkit based). Any feedback on where a list like that exists? (been searching around and have found very little). Or if not the site, perhaps a location where some common js malware is found..
Thanks again for your responses.
You must be logged in to reply to this topic.