The Leyman's Guide to Fuzzing

Fuzzing can (among other things) be used to expose software bugs, test browser security, and perform static program analysis. However, as the types of fuzzers continue to expand, so do their use cases.

First Published 1st December 2022

The Leymans Guide to Fuzzing

'Fuzzy' - the animate Gucci loafer - was having none of it.

4 min read  |  Reflare Research Team

To fuzz or not to fuzz

These days it is almost impossible to read about software vulnerabilities without coming across the term ‘fuzzing”. Software fuzzing, also known as fuzz testing or fuzzing, is a form of software testing that focuses on finding software bugs or security vulnerabilities. It works by providing invalid or random data to a program and then observing the behaviour of the program. Fuzzing is an automated testing technique that helps identify weaknesses in software that may lead to security vulnerabilities.

The goal of fuzzing is to uncover bugs or security flaws in software that may otherwise go unnoticed. It is a powerful tool to help developers and security professionals find security-critical bugs that can be exploited by malicious actors. It is often used to find vulnerabilities in web applications, operating systems, network protocols, and more.

A not-so-fuzzy concept

Fuzzing works by providing invalid or random data to a program and then observing the behaviour of the program. This data is typically generated automatically by a fuzzing engine, which can be either open-source or proprietary. The fuzzing engine can generate data in many different ways, such as generating random numbers, strings, and other data. It can also use existing data sets to generate new data.

Once the fuzzing engine has generated the data, it is then fed into the program being tested. The program is then monitored for unexpected behaviour or crashes. Any unexpected behaviour or crashes can indicate bugs or security flaws that need to be addressed.

Mutation-based Fuzzers

This type of fuzzer takes existing data and modifies it in a predetermined way to create test cases. It is the most common type of fuzzer and works well for data that consists of simple blocks of data. Mutations might include changing values, removing bytes, or adding bytes.

Generation-based Fuzzers

This type of fuzzer creates new data from scratch, using algorithms or rules to create meaningful test cases. These fuzzers are better suited for data that has to be generated from scratch, such as images or audio.

Protocol-based Fuzzers

This type of fuzzer is used to test protocols. It sends requests to the application based on specifications and checks the responses. It can be used to detect various vulnerabilities such as buffer overflows or SQL injection.

State-based Fuzzers

This type of fuzzer is used to test applications that have a state. It simulates user interactions, such as navigating through menus, so it can detect errors or vulnerabilities.

Model-based Fuzzers

This type of fuzzer uses models to construct test cases. These models can be based on the application structure, or they can be based on known attack patterns.

Coverage-based Fuzzers

This type of fuzzer is used to test for code coverage. It runs the application with different inputs and records the areas of code that were executed. It can be used to detect areas of the application that are not being tested.

Grammar-based Fuzzers

This type of fuzzer uses grammar to generate test cases. It is used to test applications that accept structured inputs, such as XML or JSON.

Should not be a stand-alone solution

Fuzzing can also be used in conjunction with other testing techniques, such as static analysis and dynamic analysis. Static analysis involves analysing the source code of a program for potential bugs or security flaws. Dynamic analysis involves monitoring the program as it executes and observing its behaviour. Combining fuzzing with these other testing techniques can provide a more comprehensive picture of the vulnerabilities or bugs in a program.

Overall, fuzzing is an important tool for developers and security professionals to use when testing software. It can help uncover potential bugs and security flaws that may otherwise go unnoticed. When combined with other testing techniques, fuzzing can be an effective way to ensure software is secure and reliable.

Yes please... tell me more!

If you are interested to learn more specifics about fuzzing, the following are some of the popular open-source fuzzers:

AFL (American Fuzzy Lop)

AFL is a popular open-source fuzzer created by Michal Zalewski. It is an evolutionary fuzzing tool which uses genetic algorithms to mutate test cases and identify new input that can trigger new code paths and bugs.

Peach Fuzzer

Peach Fuzzer is an open-source fuzzer that supports both generation and mutation-based fuzzing. It is a platform-independent fuzzing tool that can be used to test both applications and protocols.

SPIKE Fuzzer

SPIKE Fuzzer is an open-source fuzzer developed by Immunity Security. It is a protocol-oriented fuzzer that can be used to fuzz network applications. SPIKE Fuzzer is capable of running on Windows and Linux platforms.


BooFuzz is a fork of Sulley Fuzzer, an open-source fuzzer developed by Pedram Amini. It is a protocol-oriented fuzzer that can be used to fuzz any type of network protocol and is capable of automatically generating test cases.


JSFuzz is an open-source coverage-guided fuzzer for testing javascript and nodejs packages. Its logic is heavily based on go-fuzz developed by Dmitry Vyukov, which itself is based on Michal Zalewski AFL.

Now go forth and get yourself that fuzzy feeling

The list above is by no means exhaustive, and there are always plenty of new fuzzers being launched. However, the above is a good starting point for learning about the different types of fuzzers and how they can help you increase your security.

Stay up-to-speed on the very latest trends and analysis in cybersecurity trends with a free subscription to Reflare's biweekly research newsletter. You can also explore some of our related articles to learn more.

Subscribe by email