Fuzz Testing / Fuzzing as a Software Testing Technique

Fuzzing or fuzz testing is a method of testing applications by randomly altering or corrupting input data. The idea behind fuzz testing is to hit the application under test (AUT) with random, corrupt (bad) data and observe how the system behaves. Fuzz testing can be done both manually and with automation. Automated fuzz tests tend to be more effective at unearthing issues because of the variety and range of data they can supply to the application. These automated fuzz tests may be used to send a regular barrage of garbage to the AUT. The emphasis on fuzz testing has increased with the growing significance of security testing and the tools now available. Tests developed through reasoning and logic by human testers would not usually find the issues that a fuzz test may reveal.

Fuzz testing is a simple technique, but it can show important defects that need addressing. Corrupt data can cause applications to crash or behave unexpectedly. In earlier days, on some older operating systems, an application crash caused by corrupt data could bring down the computer system itself. The defects identified via fuzzing could be potential security holes if left unaddressed. The outline of steps to perform fuzz testing is listed below.

1. Gather the correct set of input data for your application
2. Change some or all parts of the input data with random or corrupt data
3. Pass this modified input data to your application and observe what happens

Fuzz testing may be performed manually to begin with, but for greater effectiveness, automated fuzzing is recommended. Fuzz testing requires a good deal of creative thinking. The steps listed above may seem simplistic; however, once the initial defects are reported, developers will harden the application and introduce greater checks and verifications before accepting inputs. After this point, it can be harder (though not impossible) to identify more defects. This is when testers need to exercise a greater degree of creativity to work around these countermeasures and break the software. It is important to think like the hacker who will be looking to break the system.

Fuzz testing can quickly show up some of the "assumptions" that developers make. For example, if an input parameter is expected to accept a specific range of numbers, the program should check the input data to ensure that it matches what is expected rather than assume the data is correct. Also, when working with files that were created by the application under test, the application must verify the integrity and validity of the file before reading it again. Assuming that the files it created are valid is a potential security hole, since an attacker can take advantage of this lapse and modify the file.
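A small mutation fuzzer that carries out the three steps listed above against a constructed toy parser which trusts its own length bytes, exactly the kind of developer assumption this paragraph describes, with a hardened version of the same parser beside it. This is an added example, not code from the original article; the record format, the seed inputs and the function names are assumptions made for the demonstration.

```python
import random

# Constructed toy AUT (not code from the page): one count byte, then `count`
# fields of one length byte plus that many bytes. It trusts those length bytes.
def parse_records(data):
    count, pos, fields = data[0], 1, []
    for _ in range(count):
        length = data[pos]
        fields.append(data[pos + 1:pos + 1 + length])
        pos += 1 + length
    return fields

# Hardened AUT: every length is checked against the real input size before use.
def parse_records_hardened(data):
    if not data: raise ValueError("empty input")
    count, pos, fields = data[0], 1, []
    for _ in range(count):
        if pos >= len(data) or pos + 1 + data[pos] > len(data):
            raise ValueError("truncated input at offset %d" % pos)
        length = data[pos]
        fields.append(data[pos + 1:pos + 1 + length])
        pos += 1 + length
    return fields

SEEDS = [b"\x02\x03abc\x01x", b"\x01\x05hello", b"\x00"]  # step 1: constructed valid inputs

def mutate(seed, rng):
    """Step 2: corrupt a valid input with one randomly chosen mutation."""
    data, choice = bytearray(seed), rng.randrange(3)
    if choice == 0:      # overwrite one byte with a random value
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 1:    # truncate at a random offset
        del data[rng.randrange(len(data) + 1):]
    else:                # insert 1-7 random bytes at a random offset
        i = rng.randrange(len(data) + 1)
        data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)

def fuzz(target, seeds=SEEDS, iterations=500, rng_seed=1):
    """Step 3: run mutated inputs through the target; anything but ValueError is a crash."""
    rng, crashes = random.Random(rng_seed), []
    for _ in range(iterations):
        data = mutate(rng.choice(seeds), rng)
        try:
            target(data)
        except ValueError:
            pass
        except Exception as exc:
            crashes.append((data, type(exc).__name__))
    return crashes
```

Running `fuzz(parse_records)` returns a list of crashing inputs with their exception names, while `fuzz(parse_records_hardened)` returns an empty list because the hardened parser rejects every corrupt input cleanly.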

Fuzz testing is not a replacement for other, more formal testing. When an application passes a fuzz test, it basically shows that the software can handle exceptions and incorrect inputs in a safe and sane manner. Fuzz testing is used to find defects and to test an application's error-handling capabilities. Greater success with fuzz testing requires a detailed understanding of the application and the related technologies being tested. If we are testing a protocol implementation or a specification, it helps to really know the protocol or specification. This knowledge can be used to come up with strategies to fuzz test in a way that exposes holes in the product. Fuzz testing demonstrates the existence of bugs, not their absence.