Fuzz testing is a type of software testing that exposes software to unexpected inputs and actions to find bugs. You may also hear this practice referred to as “fuzzing” or “fuzzing testing.” Fuzz testing works by supplying inputs that are slightly mutated or semi-valid, and then monitoring the program’s response. The tester identifies areas of the program that cannot detect invalid inputs, or where the software fails in some other way. These tests may be done manually or with automated tools depending on your needs and circumstances. You can use fuzz testing for many different types of programs, including user interfaces, websites, databases, and APIs as well as various file formats such
Manual Fuzz Testing #
When you manually fuzz test, you supply random or unexpected inputs to the software under test. In many cases, you might use expected invalid inputs. The trick to successful manual fuzz testing is creating a test plan that guides your random inputs in a meaningful way that exposes potential bugs. For example, if you were fuzz testing a URL shortening service, you might create a test plan with three steps to create a test case. The first step might be to try to shorten URLs that are too long for the service to handle. The second step might be to supply random characters in the URL to see if the service fails to recognise valid URLs. The final step would be to supply input that the service cannot handle at all.
Automated Fuzz Testing #
Automated fuzz testing uses a wide variety of techniques to inject random data into your application. It verifies that the application will not crash or produce incorrect results when it is given invalid data. Because you are supplying random data, you will have a higher chance of discovering bugs in your software than you would with a manual fuzz test. While you can perform manual fuzztests with a wide variety of input types, automated fuzztesting only works with specific types of inputs. You must also set up your automated fuzz testing software to know what inputs to inject and where to inject them. Automated fuzz testing tools can test a wide variety of software, including applications, websites, APIs, and file formats. Some tools can even fuzz other types of systems, such as databases.
Types of Fuzz Tests #
Boundary Value Test – A boundary value test will enter values that fall on the edge between valid and invalid inputs. For example, if you were fuzz-testing an email address, you might try entering emails with weird symbols at the end of the address or with a missing @ symbol.
Data Corruption Test – A data corruption test injects random characters or data into your program’s input to see how it responds. If you were fuzztesting a program that reads and saves files, you could inject random data into the file to see if the program produces incorrect results or fails in some other way.
Expected Error Test – An expected error test will enter inputs that are clearly invalid. For example, if you were fuzz testing a program that validates U.S. Social Security numbers, you could enter a number with a missing digit to see if the program identifies the issue and fails.
Expected Bad Data Test – An expected bad data test injects data that your program recognises as incorrect. For example, if you were fuzztesting a file format, you could supply a corrupted file to see if the software properly identifies and fails the input.
Expected Bad Format Test – An expected bad format test injects data that does not fit the proper format for the software. For example, if you were fuzztesting a file reader, you could try to change the file format to something that the software does not support.
When to Use Fuzz Testing #
Fuzz testing is great for finding bugs in all types of software, but it is particularly helpful for programs that accept a lot of user input. Some examples include websites, file readers, and file formats. Fuzztesting does not give you a pass/fail grade for your software, but it can help you identify problematic areas that need fixing. You should also use fuzztesting if you want to find bugs across different systems or operating systems.
Limitations of Fuzz Testing #
Fuzz testing is not a silver bullet. It is a powerful tool, but like all tools, it has its limitations. Fuzz testing is not good at finding bugs caused by logic issues. For example, fuzztesting will not catch a bug where you mislabel an input field or make a logical error in your program. Fuzztesting also does not work well with heavily structured data. This might include data in a database, with a lot of fields or tables, or data that relies on a specific order. Fuzztesting can sometimes work with this type of data, but it requires you to manually inject individual inputs.
Conclusion #
Fuzz testing is a powerful software testing technique that helps you identify bugs in your software by supplying unexpected or invalid inputs. You can manually or automatically fuzztest your software using a wide variety of input types, including valid and invalid data, random characters, and unexpected file formats. Fuzztesting is helpful for all types of software, but it is particularly helpful for programs that accept a lot of user input.