Saturday 15 January 2011

cross_fuzz: A Cross-Document DOM Binding Fuzzer!

Michal Zalewski has released cross_fuzz, a remarkably effective cross-document DOM binding fuzzer that helped him find a large number of vulnerabilities across several browsers. We had been reading about the existence of such a tool on his blog for some time, but only now can we see it for ourselves.

One reason for releasing the tool publicly is that wider use should help fine-tune the fuzzer and shake out the bugs that currently affect it. The author also has reason to believe that, because of an information leak before the public release, third parties may already have gained access to a not yet publicly known vulnerability in Microsoft Internet Explorer. He bases this on two search queries that were looking for information on the MSHTML.DLL functions BreakAASpecial and BreakCircularMemoryReferences, which are unique to the stack signature of that vulnerability.

Back to the fuzzer: cross_fuzz dynamically generates extremely long, interconnected sequences of DOM operations across multiple documents, inspects the returned objects, recurses into them, and creates circular node references that stress-test the browser's garbage collection. It can be extended to fuzz any DOM-enabled document or browser plugin simply by supplying new target documents. Because of this design, however, it is difficult to get clean, deterministic test cases out of it; you need to learn how its crashes present themselves.
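To make the recipe above concrete, here is a miniature cross-document DOM-binding fuzzer that follows the same loop: pick a known object, call or poke one of its bindings with arguments drawn from other documents, recurse into whatever comes back, and occasionally tie two nodes into a reference cycle. This is an added example and is not cross_fuzz itself or any code from its author; FakeNode and FakeDocument are a constructed stand-in for the DOM so that the loop runs under Node, and the seeded PRNG, the pool and the log are our own design choices. In a browser you would pass real documents (for example the top document and an iframe's contentDocument) as the targets instead.

```javascript
// Constructed stand-in for a DOM, so the fuzzer loop can run outside a browser.
class FakeNode {
  constructor(ownerDocument, tagName) {
    this.ownerDocument = ownerDocument; this.tagName = tagName;
    this.childNodes = []; this.parentNode = null;
  }
  appendChild(child) {
    if (!(child instanceof FakeNode)) throw new TypeError('argument is not a node');
    // Real DOMs throw HierarchyRequestError when a node is appended to itself or a
    // descendant; the visited set keeps the walk finite even after the fuzzer has
    // scribbled over parentNode.
    const seen = new Set();
    for (let n = this; n && !seen.has(n); n = n.parentNode) {
      seen.add(n);
      if (n === child) throw new Error('HierarchyRequestError');
    }
    if (child.parentNode) child.parentNode.removeChild(child);
    child.parentNode = this; this.childNodes.push(child);
    return child;
  }
  removeChild(child) {
    const i = this.childNodes.indexOf(child);
    if (i < 0) throw new Error('NotFoundError');
    this.childNodes.splice(i, 1); child.parentNode = null;
    return child;
  }
  cloneNode() { return new FakeNode(this.ownerDocument, this.tagName); }
}

class FakeDocument extends FakeNode {
  constructor(name) {
    super(null, '#document');
    this.ownerDocument = this; this.name = name;
    this.body = this.appendChild(new FakeNode(this, 'BODY'));
  }
  createElement(tag) { return new FakeNode(this, String(tag).toUpperCase()); }
  adoptNode(node) { node.ownerDocument = this; return node; }  // cross-document move
}

// Seeded PRNG so a run can be replayed from its seed (Math.random cannot).
function xorshift32(seed) {
  let s = (seed >>> 0) || 0x9e3779b9;
  return () => { s ^= s << 13; s >>>= 0; s ^= s >>> 17; s ^= s << 5; s >>>= 0; return s / 0x100000000; };
}

// Own and inherited binding names, stopping before Object.prototype.
function bindingNames(obj) {
  const names = new Set();
  for (let p = obj; p && p !== Object.prototype; p = Object.getPrototypeOf(p))
    for (const n of Object.getOwnPropertyNames(p)) if (n !== 'constructor') names.add(n);
  return [...names];
}

function desc(v) {
  if (v instanceof FakeNode) return `${v.ownerDocument && v.ownerDocument.name}:${v.tagName}`;
  return typeof v === 'string' ? JSON.stringify(v) : String(v);
}

class CrossDocFuzzer {
  constructor(targets, seed) {
    this.rand = xorshift32(seed);
    this.pool = [];                 // every object discovered so far, from all documents
    this.log = [];                  // replayable trace of what was done, in order
    this.stats = { calls: 0, reads: 0, sets: 0, cycles: 0, exceptions: 0 };
    for (const t of targets) this.remember(t);
  }
  pick(arr) { return arr[Math.floor(this.rand() * arr.length)]; }
  // Arguments come mostly from the pool, so nodes get handed across document boundaries.
  randomArg() {
    const r = this.rand();
    if (r < 0.6) return this.pick(this.pool);
    if (r < 0.8) return this.pick(['div', 'iframe', '', 'x'.repeat(64)]);
    return this.pick([0, -1, 7, 4096, NaN, null, undefined, true]);
  }
  // Recurse into returned objects; collections are expanded into their members.
  remember(v) {
    if (Array.isArray(v)) { for (const x of v) this.remember(x); return; }
    if (v !== null && typeof v === 'object' && !this.pool.includes(v)) this.pool.push(v);
  }
  step() {
    const target = this.pick(this.pool);
    const r = this.rand();
    try {
      if (r < 0.1) {   // tie two discovered nodes together so releasing either leaves a cycle
        const other = this.pick(this.pool);
        this.stats.cycles++; this.log.push(`cycle ${desc(target)} <-> ${desc(other)}`);
        target.__cf_ref = other; other.__cf_ref = target;
        return;
      }
      const name = this.pick(bindingNames(target));
      const cur = target[name];
      if (typeof cur === 'function') {   // call a binding with random, possibly foreign, arguments
        const args = Array.from({ length: Math.floor(this.rand() * 3) }, () => this.randomArg());
        this.stats.calls++; this.log.push(`call ${desc(target)}.${name}(${args.map(desc).join(', ')})`);
        this.remember(cur.apply(target, args));
      } else if (r < 0.5) {              // read a property and recurse into whatever it holds
        this.stats.reads++; this.log.push(`read ${desc(target)}.${name}`);
        this.remember(cur);
      } else {                           // overwrite it with something from another document
        const v = this.randomArg();
        this.stats.sets++; this.log.push(`set ${desc(target)}.${name} = ${desc(v)}`);
        target[name] = v;
      }
    } catch (e) {
      this.stats.exceptions++;           // bindings are expected to reject most of this
    }
  }
  run(steps) { for (let i = 0; i < steps; i++) this.step(); return this; }
}

// Two documents, as a top-level page and its iframe would be.
function fuzzTwoDocuments(steps, seed) {
  return new CrossDocFuzzer([new FakeDocument('top'), new FakeDocument('frame')], seed).run(steps);
}
```

Everything the fuzzer does is appended to `log`, and the run is fully determined by the seed, which is the piece that real cross_fuzz, with its far richer operation mix, cannot give you for free: a crash found with `fuzzTwoDocuments(500, 7)` can be replayed and then minimised by deleting log entries. The catch-all around each step is deliberate; a DOM throws on most malformed calls, and the interesting bugs are the ones where it does not.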

Try cross_fuzz for yourself, or download it from here.
