Recent Posts


Fuzzing PHP


Frustrated by Magento? Then you’ll love Commerce Bug, the must have debugging extension for anyone using Magento. Whether you’re just starting out or you’re a seasoned pro, Commerce Bug will save you and your team hours everyday. Grab a copy and start working with Magento instead of against it.

Updated for Magento 2! No Frills Magento Layout is the only Magento front end book you'll ever need. Get your copy today!

Fuzzers are a category of security testing software that will throw all sorts of random data at a software system looking for flaws that can then be exploited by individual penetration testers. Sort of like throwing a bunch of paint around the room trying to find the invisible man. I found this talk about a PHP Internals Fuzzer from Emmanuel Law compelling for a number of reasons.

It’s not a beginer’s talk — you’ll need to connect a lot of dots if you’re new to the topic (or I should say, I had to connect a lot of dots since I was new to the topic) but so little is written about this sort of thing that any information feels like gold in your pan. It’s also interesting to see how someone super acomplished in penetration testing approaching a specific programming languge they’re not an expert in.

While the fuzzer Emmanuel created (Phzzer) doesn’t seem to be avaible online, he outlines the general approach he took to finding a bunch of explits in early versions of PHP 7, and also namechecks a few other fuzzers (Minerva, LangFuzz, and Malamute) that seem worth checking out.

Copyright © Alan Storm 1975 – 2022 All Rights Reserved

Originally Posted: 5th September 2018