# Fuzz testing

| Field | Value |
|---|---|
| Original author | Sara Jokela |
| Last checked by | |
| Status | Done. Additions and changes are possible. |
| Last updated | 20.5.2025 |
## What is fuzz testing?

Fuzz testing (or fuzzing) is an automated, dynamic testing method. It is usually associated with security testing, but it can be used for other kinds of software testing as well. Put simply, fuzzing means feeding the test target malformed or unexpected input data and monitoring how it reacts. Any target that handles input can be fuzzed (e.g. different interfaces, forms, URLs, desktop and web applications). Fuzzing can reveal bugs, vulnerabilities and other kinds of issues; examples of such problems are memory errors and leaks, and race conditions.
## Fuzzers

### Fuzzers for different targets

It should be noted that there are numerous ways to categorize fuzzers, and this document introduces only some of them.

Fuzzers are the tools used for fuzz testing. There are many different types of fuzzers to choose from, but not every fuzzer can test every target. Some fuzzers are built to test only certain kinds of targets, such as cloud environments or web applications.
- FFuf and Wfuzz are web application fuzzers
- SPIKE can be used for network protocol fuzzing
Other fuzzers are so-called general purpose fuzzers that can fuzz many different kinds of targets.
- Honggfuzz and AFL are general purpose fuzzers
### How do fuzzers create the test data?

Different fuzzers generate the input data in different ways. Based on this, fuzzers can be divided into mutation-based and generation-based fuzzers.

Mutation-based fuzzers start from existing, valid data of the kind the target expects. They mutate that data by flipping bits, or by changing, deleting, adding or otherwise altering bits, bytes or larger blocks of data.
Mutation is also used by coverage-guided fuzzers. These fuzzers monitor changes in code coverage: an input is mutated and fed to the target, and if it increases code coverage it is kept and mutated further; if not, it is discarded. This approach results in better code coverage and may also help find more vulnerabilities.
Generation-based fuzzers generate entirely new input data. The data can be generated completely randomly or based on some kind of template or model.
There are also fuzzers that neither generate nor mutate input data themselves, but rely on wordlists. Testers can create their own wordlists for a more targeted approach, or use ones found on the internet (such as SecLists).

### Knowledge of the target's or the input's structure

Fuzzers can be divided into black box and white box fuzzers based on how much is known about the target's internal structure and behaviour. Black box and white box testing are covered in Introduction to Testing. Black box fuzzers can be more effective than white box fuzzers; they might be a better choice for large or slow targets, or when the input format is complicated. On the other hand, white box fuzzers might lead to higher code coverage and better testing results.

Similarly, fuzzers can be categorized into "dumb" and "smart" fuzzers, depending on whether the fuzzer is aware of the input's structure or not. "Dumb" fuzzers do not know what kind of data the target expects. They generate the input data randomly, which can lead to low code coverage; on the other hand, they generally do not require much effort to use. "Smart" fuzzers have at least some knowledge of the input's structure, which means that they usually reach higher code coverage and can reveal more vulnerabilities. It is worth noting that "smart" fuzzers are not automatically better than "dumb" fuzzers.
### How do fuzzers work?

A fuzzing campaign may require more or less preparation, depending on the fuzzer. Some fuzzers (e.g. Honggfuzz, AFL) require that the target is compiled before testing can begin, and fuzzers may also provide different ways to instrument the target; this is the case at least with coverage-guided fuzzers. Other fuzzers (e.g. the aforementioned Ffuf and Wfuzz) can fuzz the target as is. After this, the inputs are prepared; input creation was discussed earlier. When everything is ready, fuzz testing can be started. The fuzzer feeds the inputs to the target and monitors it, and any unexpected behaviour (crashes, hangs or other odd behaviour) is recorded. Since there may be countless inputs, it is not reasonable to wait for the fuzzer to go through all of them: when the fuzzer has not found any new paths in the code for a while, it is a good idea to stop it. Many fuzzers record all of the unexpected results and also save the inputs that led to them. This makes it easier to replay the input that broke the target, and it makes identifying and fixing bugs easier.
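As an added example (not code from the page or from any of the fuzzers it names), the following Python sketch implements the mutation strategies described under input creation and the coverage-guided loop described here, recording the input behind each crash so it can be replayed. The target `parse_packet`, its packet format and its bug are constructed for this example, and line coverage is collected with `sys.settrace` in place of compile-time instrumentation.

```python
import random, sys
# Constructed toy target (not from the page): [0xAB][kind][length][body], deliberately buggy.
def parse_packet(pkt: bytes):                        # returns None for anything it rejects
    if len(pkt) < 3 or pkt[0] != 0xAB:
        return None                                  # malformed input rejected cleanly
    kind, length, body = pkt[1], pkt[2], pkt[3:]
    if kind == 0:
        return ("ping", b"")
    if kind == 1:                                    # bug: IndexError when length > len(body)
        return ("data", body[:length], body[length - 1])

def mutate(data: bytes, rng: random.Random) -> bytes:
    buf, choice = bytearray(data), rng.randrange(4)  # pick one of four mutation types
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)          # flip one bit
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)              # overwrite a byte
    elif choice == 2 and len(buf) > 1:
        del buf[rng.randrange(len(buf))]                               # delete a byte
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))    # insert a byte
    return bytes(buf)

def run_with_coverage(target, data: bytes):
    covered = set()
    def tracer(frame, event, arg):                   # records every target line executed
        if event == "line" and frame.f_code is target.__code__:
            covered.add(frame.f_lineno)
        return tracer
    sys.settrace(tracer)
    try:
        target(data)
        outcome = "ok"                               # includes inputs rejected cleanly
    except Exception as exc:
        outcome = "crash:" + type(exc).__name__      # unhandled exception = finding
    sys.settrace(None)
    return outcome, covered

def fuzz(target, seeds, iterations=10000, rng_seed=1):
    rng, queue, crashes = random.Random(rng_seed), list(seeds), {}
    total_cov = set().union(*(run_with_coverage(target, s)[1] for s in seeds))
    for _ in range(iterations):
        data = mutate(rng.choice(queue), rng)
        outcome, cov = run_with_coverage(target, data)
        if outcome.startswith("crash"):
            crashes.setdefault(outcome, data)        # keep first reproducer per crash type
        elif cov - total_cov:                        # new lines reached: mutate it further later
            total_cov |= cov
            queue.append(data)
    return queue, crashes
```

Starting from the single valid seed `bytes([0xAB, 0, 0])`, the loop has to mutate the kind byte before it can reach the buggy branch, and the saved reproducer can be rerun through `run_with_coverage` to confirm the crash.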
Fuzzers are considered an effective testing tool: they are usually automated, which frees up some of the tester's time, and fuzzing helps find bugs and weaknesses that other testing methods might miss. However, fuzzing can be taxing on the machine's hardware (memory, CPU).
## Reading material

- Fuzzing: Hack, Art, and Science
- What is Fuzzing? Fuzz Testing Explained
- Study and Comparison of General Purpose Fuzzers
- Focus on Fuzzing: A Closer Look at Coverage-Guided Fuzzing