3.1. one fuzzing template revealed over 100 IE UAF¶

这篇文章出自black hat Europe 2014的一篇讲稿

作者提出

– Engineers are not good at repairing
– Engineers make mistakes taking things apart (undoing)
– Engineers made mistakes putting things back together (redoing)

从这里就延伸出去想到工程师可能会犯错的地方，然后fuzzer就从下面这些地方的思路开始构造

Explicit Pairings
– Direct: ‘on/off’, ‘true/false’, properties. - e.g.
display="block"/"none"

appendChild/removeChild

addEventListener : focusin/focusout
Implicit Pairings
- Indirect: inheritance, nullity, state change.
- e.g.
  Content: innerText=''/ document.write('')
  
  Relation: swap parent/child node
  
  Status: window.navigate('') / location.reload()
Hybrid Pairings
- Complexity of mixing explicit and implicit.
- Script (Dynamic) + HTML (Static)
  <body contentEditable='true'>
  
  Document.body.contentEditable='false';
- Property + Method
Pairing Combinations
– Multiple pairings per page.