Whenever I’m testing any of my programs that allow users to input data, I usually try to remember to enter invalid values to ensure that the program does not function when such values are put into the system. Then, in one of my lectures, we briefly covered fuzz testing, which does this process for you! So, I wanted to know more about it and why it is very important to include it as part of testing. I found this information from the following tutorial: https://www.guru99.com/fuzz-testing.html.
Fuzz testing, or fuzzing, is used in the context of security testing, where the goal is to expose loopholes or vulnerabilities. It can be a form of black-box testing, so even without the source code, the tester can still find faults that come up.
Fuzz testing is performed in the following steps:
- Identify the inputs taken by the system to be tested
- Generate random input or data
- Execute tests using this data
- Monitor the behavior of the system and its accompanying tests
There are multiple ways to create fuzzed data, including the following three:
- Mutation-based fuzzing – alters already-provided, valid data samples to create new test data
- Generation-based fuzzing – creates new input data based on the type of input needed for the system
- Protocol-based fuzzing – based on the protocol format specified by the program, invalid data or packets are sent to the program being tested
Fuzz testing can uncover several different kinds of bugs, going beyond simply finding invalid input. Some bugs may severely affect the security of an application, such as those that cause memory leaks. Other bugs, called correctness bugs, are errors in the overall function of the program. Because coming up with many fuzzing inputs can be time-consuming, there are various tools that automate and speed up this process.
Fuzz testing provides crucial advantages. It can expose serious security threats and holes in the program that may not have already been covered. If there are other, possibly less significant bugs in the program that may have been overlooked, fuzz testing is a great way to find these as well. However, while fuzz testing is incredibly useful, it cannot be used alone. Rather, it can supplement other testing strategies that are used to enhance security testing or discover other bugs. Fuzz testing only really looks for simple errors that may arise from invalid input, but there can easily be other, more complex bugs in the program as well.
This post concludes my blogging for the fall semester! Thanks for reading, and I’ll be back next semester!