Fuzz Testing

How to automatically find bugs and issues before your customers or hackers do.

In early 2014, security researchers from Google and Finnish Codenomicon independently discovered a bug in OpenSSL that would become known as Heartbleed. It has been referred to as one of the worst vulnerabilities ever found, affecting up to 17% of all secure websites at the time of discovery. Codenomicon was able to find the issue using fuzz testing, and you can employ the same technology to secure your software.

Fuzzing is an automated software testing technique designed to find bugs and security issues in software. In its simplest form, a fuzzer is a program that generates random inputs until it finds something that will crash the software being tested. Fuzz testing was first developed by Professor Barton Miller and his students in 1989, and his continued research has shown that even the simplest forms of fuzz testing remain relevant.

Simple fuzzers like the ones developed by Barton Miller are often referred to as “Black Box” fuzzers. They have no knowledge of the inner workings of the program, and only generate inputs and check whether the program crashed. The main advantage of this approach is that it can test almost any program with minimal effort - the disadvantage is that randomly generating the input that triggers a bug can take a prohibitive amount of time when you only want to test one piece of software.

“Smarter”, more modern fuzzers analyse some parts of the target program in order to search the input space for bugs more effectively. Their inputs are often semi-random, and they use metrics such as code coverage from the program being tested to modify the next set of inputs. This is referred to as “Grey Box Fuzzing”, since it relies on being able to gather some information about the program being tested. Compared to black box fuzzers, grey box fuzzers are able to find bugs that are more hidden and harder to trigger. One popular fuzzer using this technique is American Fuzzy Lop, which has been used to find bugs and security vulnerabilities in, for example, OpenSSL, OpenSSH, Android, iOS and Linux.
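
The difference between the two approaches can be seen in a small added example (not from the original article): a constructed toy target that crashes only on the input b"FUZZ", with hand-written coverage recording standing in for the instrumentation a real grey box fuzzer gets from the program under test. All names in the code are assumptions made for the illustration.

```python
import random

MAGIC = b"FUZZ"  # constructed crash trigger for the toy target

def target(data: bytes, cov: set) -> None:
    """Toy parser: each matched prefix byte is one more branch covered."""
    for i, want in enumerate(MAGIC):
        if len(data) <= i or data[i] != want:
            return
        cov.add(i)  # hand-written stand-in for compiler instrumentation
    raise RuntimeError("simulated crash")

def black_box(rng: random.Random, budget: int):
    """Purely random 4-byte inputs, no feedback. Returns executions or None."""
    for n in range(1, budget + 1):
        try:
            target(bytes(rng.randrange(256) for _ in range(4)), set())
        except RuntimeError:
            return n
    return None

def grey_box(rng: random.Random, budget: int):
    """Mutate corpus entries and keep any input that reaches new coverage."""
    corpus, seen = [bytes(4)], set()
    for n in range(1, budget + 1):
        data = bytearray(rng.choice(corpus))
        data[rng.randrange(len(data))] = rng.randrange(256)  # one-byte mutation
        cov = set()
        try:
            target(bytes(data), cov)
        except RuntimeError:
            return n, bytes(data)  # executions used, crashing input
        if not cov <= seen:  # new branch reached: remember this input
            seen |= cov
            corpus.append(bytes(data))
    return None, None

if __name__ == "__main__":
    print("black box:", black_box(random.Random(1), 100_000))
    print("grey box: ", grey_box(random.Random(1), 100_000))
```

Each black box execution has roughly a 1 in 4 billion chance of producing the crashing input, while the grey box loop keeps every input that gets one byte further and so only has to guess one byte at a time.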

While a fuzzer will identify a bug for you and give you the input that caused a crash, it does not automatically debug the issue for you. Often, a fuzzer will find multiple inputs that trigger the same bug. Identifying the issue, understanding its potential impact and fixing it will still take manual effort and engineering resources. It’s also important to note that while fuzz testing is automatic, it is a complement to, and not a replacement for, other testing techniques. A fuzzer cannot determine if a program behaves as it should, as it is typically only able to identify more serious failures that result in crashes. A high degree of test coverage with unit tests and integration tests will always be vital.

Employing fuzz testing as part of an automatic testing pipeline is a great way to secure your application, and find bugs and issues before the bad guys do.




Mpya Digital is an IT consultancy in Stockholm, Sweden. It is an organization made by — and continuously improved by — the people in it.
