Security contributors and researchers use a lot of different fuzzing approaches on Firefox.
Tips for fuzzing on Firefox.
A–> Nightly Tests
If you want bugs found earlier, note that the nightly builds are built directly from Mozilla's central HG (Mercurial) repository and always contain the latest features being prepared for release. They offer a great opportunity to test changes much earlier.
Running Firefox under a debugger is not an efficient way to fuzz. Instead, use the minidumps that Firefox's crash reporter produces. With the minidump_stackwalk tool you can obtain a stack trace from a dump for further triage. An advantage of this approach is that it works on all supported platforms.
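As an added example (not code from the page or from Mozilla), the script below parses the text that `minidump_stackwalk <dump.dmp> <symbols-dir>` prints into the crash reason, the crash address and the crashing thread's top frames, and derives a bucket key so that many dumps from a fuzzing run can be grouped before manual triage; the stackwalk output embedded in it is constructed, not a real crash.

```python
import re

# Constructed minidump_stackwalk output (not a real crash); frame lines mirror the tool's format.
SAMPLE_STACKWALK = """Crash reason:  SIGSEGV /SEGV_MAPERR
Crash address: 0x0

Thread 0 (crashed)
 0  libxul.so!mozilla::dom::ExampleNode::Update() [ExampleNode.cpp : 123 + 0x4]
    rax = 0x0000000000000000   rdx = 0x00007f1b0c7c2a40
    Found by: given as instruction pointer in context
 1  libxul.so!nsGlobalWindowInner::RunTimeout() [nsGlobalWindowInner.cpp : 456 + 0x8]
    Found by: call frame info
 2  libc.so.6 + 0x8b2a4
    Found by: stack scanning

Thread 1
 0  libc.so.6!__poll + 0x4d
"""

FRAME_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")  # frame index followed by its description


def parse_frame(text):
    """Split 'module!function [file : line + off]' (or 'module + 0x..') into its parts."""
    module, _, rest = text.partition("!")
    func, _, loc = rest.partition(" [")
    m = re.match(r"(.+?)\s*:\s*(\d+)", loc) if loc else None
    return {"module": module.split(" + ")[0], "function": func.split(" + ")[0],
            "file": m.group(1) if m else "", "line": m.group(2) if m else ""}


def parse_stackwalk(output):
    """Pull crash reason/address and the crashed thread's frames out of the text report."""
    info = {"reason": "", "address": "", "frames": []}
    in_crashed = False
    for line in output.splitlines():
        if line.startswith("Crash reason:"):
            info["reason"] = line.split(":", 1)[1].strip()
        elif line.startswith("Crash address:"):
            info["address"] = line.split(":", 1)[1].strip()
        elif line.startswith("Thread ") or not line.strip():
            in_crashed = line.rstrip().endswith("(crashed)")  # keep only the crashing thread
        elif in_crashed:
            m = FRAME_RE.match(line)  # register and 'Found by' lines do not match
            if m:
                info["frames"].append(parse_frame(m.group(2)))
    return info


def crash_signature(info, depth=3):
    """Bucket key: crash reason plus the top frames (symbol, or module when unsymbolized)."""
    top = [f["function"] or f["module"] for f in info["frames"][:depth]]
    return info["reason"] + " @ " + " | ".join(top)
```

Dumps whose signature matches can be deduplicated, and those whose reason is a write access violation or whose address is not near zero deserve a closer look first.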
Regular release builds are not good for fuzzing because they lack some significant features that debug builds have. Debug builds, for instance, enable a range of memory invalidation routines. Another benefit of debug builds is assertions. While every assertion failure indicates a bug, some types of assertion are especially good at indicating security holes.
By using multiple profiles you can run several Firefox instances in parallel on one host. The profile name can be specified on the command line. Note that the prefs.js file shipped with ADBFuzz also contains some significant options that should be added directly to the prefs.js file of the fuzzing profile you are using.
Communication between the outside harness and the component running inside the browser is especially important when testing browsers. When the fuzzer runs inside the browser and an outside harness merely monitors it, communication from the fuzzer to the harness is mostly useful for logging every action the fuzzer takes, so that findings can be reproduced more easily.
F–> Using Add-on Debug Functions
Certain functions that are accessible only in a privileged context are very useful for automated testing. Examples include calling the garbage collector, enabling zealous garbage collection, quitting Firefox, and invoking the cycle collector. There is a publicly available add-on for this.