Vol. 1 · Ed. 2026
CyberGlossary
Entry № 490

Fuzz Testing

Reviewed by Cybersecurity entrepreneur & security researcher

What is Fuzz Testing?

Fuzz Testing: An automated testing technique that feeds a program large amounts of malformed, random or unexpected input to uncover crashes, memory corruption and security vulnerabilities.


Fuzz testing (or fuzzing) bombards a target — a function, parser, network protocol or whole application — with mutated or generated inputs while monitoring for crashes, hangs, assertion failures or sanitizer reports. The goal is to find inputs that violate safety properties: out-of-bounds access, use-after-free, infinite loops, unhandled exceptions or logic errors. Modern fuzzers like AFL++, libFuzzer, Jazzer and Atheris use coverage feedback to evolve inputs that reach new code paths, making them highly effective on parsers, decoders and cryptographic code. Fuzzing is now a core part of SSDLCs at companies like Google (OSS-Fuzz) and Microsoft, and it has uncovered many high-impact CVEs.
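A fuzz target of the kind libFuzzer drives, added here as an illustration and not taken from this glossary or from any project it names. The TLV format, `tlv_parse` and `MAX_VALUE` are constructed for the example; it shows the two oracles described above, sanitizer reports on memory errors and an explicit invariant that aborts when the parser misbehaves.

```c
/* Added example: libFuzzer target for a constructed TLV format
 * (1-byte type, 1-byte length, then `length` value bytes).
 * Build for fuzzing: clang -g -fsanitize=fuzzer,address tlv_fuzz.c */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VALUE 64

/* Hypothetical parser under test. Returns the number of records parsed,
 * or -1 if the input is truncated or a value exceeds MAX_VALUE. */
int tlv_parse(const uint8_t *buf, size_t len, size_t *consumed)
{
    size_t off = 0;
    int records = 0;
    uint8_t value[MAX_VALUE];

    while (off < len) {
        if (len - off < 2)              /* type + length header must fit */
            return -1;
        size_t vlen = buf[off + 1];
        off += 2;
        /* Without these two checks the memcpy below reads past the input
         * or writes past `value`, which AddressSanitizer reports. */
        if (vlen > len - off || vlen > sizeof value)
            return -1;
        memcpy(value, buf + off, vlen);
        off += vlen;
        records++;
    }
    *consumed = off;
    return records;
}

/* Entry point libFuzzer calls once per generated input. Sanitizers catch
 * memory errors; abort() turns a broken invariant into a reported crash. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    size_t consumed = 0;
    int n = tlv_parse(data, size, &consumed);
    if (n >= 0 && consumed != size)     /* accepted input must be fully read */
        abort();
    return 0;
}
```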

Examples

  1. OSS-Fuzz running libFuzzer continuously against the OpenSSL parser to find memory corruption bugs.

  2. Jazzer fuzzing a Java JSON parser to find DoS through deeply nested input.

Frequently asked questions

What is Fuzz Testing?

An automated testing technique that feeds a program large amounts of malformed, random or unexpected input to uncover crashes, memory corruption and security vulnerabilities. It belongs to the Application Security category of cybersecurity.

How do you defend against Fuzz Testing?

Defences for Fuzz Testing typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Fuzz Testing?

Common alternative names include: Fuzzing.
