The modern vehicle comes equipped with a variety of software systems. Especially features that connect it to the outside world, such as online updates, fleet management and communication between vehicles, offer attack surface. The security of automotive software is crucial, not only because bug-induced call-backs are costly, but also because the well-being of passengers depends on it.
Cross-site scripting has been at the top of the OWASP Top 10 for nearly a decade. In this article, we'll explore everything you need to know about XSS, the associated risks, and countermeasures you can take.
Today I want to show you a way to simplify fuzz testing for your C++ applications. If you read this article to the end, you will learn about an automated testing approach that can protect your applications against all sorts of memory corruptions and other security vulnerabilities.
19.10.2022 - As part of our goal to continuously improve our vulnerability detectors, we continuously test various open-source projects with Jazzer within OSS-Fuzz. In this case, a test run yielded a severe finding with a potential remote code execution in a HSQLDB (CVE-2022-41853).
Securing REST APIs is particularly difficult since they are highly interconnected and not designed for manual access. To save time and be more efficient, many developers rely on testing solutions that can automatically detect REST API endpoints and test parameter properties within them. In this article, I want to provide an overview of the 6 biggest challenges of REST API security testing and how test automation can help resolve them.
Remember Log4j? Arbitrary code execution bugs are more common than you think, even in memory-safe languages, like Java. Learn how to find these vulnerabilities with fuzzing. Arbitrary code execution vulnerabilities represent one of the most dangerous classes of vulnerabilities in Java applications. Incidents such as Log4Shell clearly demonstrate the impact of these security issues, even in memory-safe languages. They also show that fuzzing can be very effective in finding these vulnerabilities.
In theory, modern web frameworks provide secure ways of accessing databases, making SQL injections a non-issue. The reality looks much different. Among other injection vulnerabilities, SQL injections are still atop the OWASP Top 10, and organizations still frequently fall victim. Therefore there is no way around software security testing solutions that can reliably detect SQL injections.
TL;DR Fuzzing JavaScript is easy now In this post, we introduce you to our new open-source fuzzer for the JavaScript ecosystem, Jazzer.js. Jazzer.js is a coverage-guided, in-process fuzzer for the Node.js platform. It’s based on the experience we gathered developing its namesake Jazzer, our fuzzer for the JVM platform. Internally, Jazzer.js uses libFuzzer as a solid industry-standard engine and brings many of its instrumentation-powered mutation features to JavaScript.
Golang was the first programming language to support fuzzing as a first-class experience in version 1.18. This made it really easy for developers to write fuzz tests. Golang 1.14 introduced native compiler instrumentation for libFuzzer, which enables the use of libFuzzer to fuzz Go code. libFuzzer is one of the most advanced and widely used fuzzing engines and provides the most effective method for Golang Fuzzing.
