
Fuzz Testing

testing PHP 7.0+ Advanced

Also Known As

fuzzing, AFL, libFuzzer, random testing

TL;DR

Automatically generating random, unexpected, or malformed inputs to find crashes, assertion failures, and security vulnerabilities that manual test cases miss.

Explanation

Fuzzing sends unexpected input: very long strings, null bytes, Unicode edge cases, negative numbers where positive is expected, malformed JSON, and boundary-crossing values. Coverage-guided fuzzers (American Fuzzy Lop, libFuzzer) track which code paths are covered and generate inputs to explore uncovered paths. For PHP, the options are Paraunit, php-fuzzer, or manual property-based testing with Eris. Fuzzing is essential for parsers, decoders, file processors, and any code accepting external input. It finds bugs that would take years of production traffic to surface naturally.

Common Misconception

The misconception is that fuzzing is only for security research on low-level C code. PHP applications parsing user-controlled input (XML, JSON, file uploads, URL parameters) also benefit from fuzzing, for both bugs and security vulnerabilities.

Why It Matters

Production traffic eventually sends every possible malformed input — fuzzing finds the crashes and security issues before attackers do, at a fraction of the incident cost.

Common Mistakes

  • Not running fuzz testing long enough — many bugs only appear after millions of iterations.
  • Fuzzing without a corpus of valid inputs — fuzzers starting from valid inputs find more coverage faster.
  • Not capturing minimised repro cases — fuzzers should shrink failing inputs to the minimal reproducing case.
  • Fuzzing only the happy path inputs — the value of fuzzing is in the unexpected and malformed.

Code Examples

✗ Vulnerable
// Parser with no fuzz testing — crashes in production:
function parseCustomFormat(string $input): array {
    // Assumes: well-formed input, ASCII only, max 1000 chars
    // Production receives: 50KB Unicode string with null bytes
    // Result: Fatal error, memory exhaustion, or security bypass
    $parts = explode(':', $input);
    return ['key' => $parts[0], 'value' => $parts[1]]; // Undefined offset!
}
✓ Fixed
// Property-based fuzzing with Eris:
use Eris\Generator;
use Eris\TestTrait;
use PHPUnit\Framework\TestCase;

class ParserFuzzTest extends TestCase {
    use TestTrait; // Provides forAll()

    public function testParserHandlesArbitraryInput(): void {
        $this->forAll(
            Generator\string()  // Random strings of any content
        )->then(function (string $input) {
            // Should never throw or crash:
            $result = parseCustomFormat($input);
            $this->assertIsArray($result); // Must always return array
        });
    }
}
// Runs hundreds of random inputs, shrinks failures to minimal case
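
The points under Common Mistakes (seed corpus, long runs, minimised repro cases) can be seen in a dependency-free harness run against the page's `parseCustomFormat`. This is an added example, not code from the original page or from Eris or php-fuzzer; the helper names `crashes`, `mutate`, `minimise` and `fuzz`, and the seed strings, are hypothetical and constructed for illustration.

```php
<?php
// Promote notices/warnings (such as the undefined offset) to exceptions so the harness sees them.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    throw new ErrorException($msg, 0, $no, $file, $line);
});

// The page's parser, behaviour unchanged.
function parseCustomFormat(string $input): array {
    $parts = explode(':', $input);
    return ['key' => $parts[0], 'value' => $parts[1]];
}

// Oracle (assumed policy): InvalidArgumentException is a deliberate rejection, anything else is a crash.
function crashes(callable $target, string $input): bool {
    try { $target($input); return false; }
    catch (InvalidArgumentException $e) { return false; }
    catch (Throwable $e) { return true; }
}

// Insert, overwrite, or delete at a random offset, biased toward troublesome values.
function mutate(string $seed): string {
    $tokens = ["\0", ':', "\xFF", "\u{1F600}", '', str_repeat('A', 50000)];
    $pos = random_int(0, strlen($seed));
    return substr($seed, 0, $pos) . $tokens[random_int(0, 5)] . substr($seed, $pos + random_int(0, 1));
}

// Shrink a crashing input by deleting ever-smaller chunks while it still crashes.
function minimise(callable $target, string $input): string {
    for ($chunk = max(1, intdiv(strlen($input), 2)); $chunk >= 1; $chunk = intdiv($chunk, 2)) {
        for ($i = 0; $i < strlen($input);) {
            $candidate = substr($input, 0, $i) . substr($input, $i + $chunk);
            if (crashes($target, $candidate)) { $input = $candidate; } else { $i += $chunk; }
        }
    }
    return $input;
}

// Mutate seeds from a corpus of valid inputs; return the minimised first crash, or null.
function fuzz(callable $target, array $corpus, int $iterations) {
    for ($n = 0; $n < $iterations; $n++) {
        $input = mutate($corpus[random_int(0, count($corpus) - 1)]);
        if (crashes($target, $input)) { return minimise($target, $input); }
    }
    return null;
}

$corpus = ['name:alice', 'k:v', 'a:b:c']; // constructed seed corpus of valid inputs
$repro = fuzz('parseCustomFormat', $corpus, 100000);
echo $repro === null ? "no crash\n" : sprintf("crash, minimal repro hex=[%s]\n", bin2hex($repro));
```

Run it with the PHP CLI. Any input without a `:` separator crashes this parser, so the minimiser reduces the repro to the empty string.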

Added 16 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: High
⚡ Quick Fix
Point a fuzzer at your PHP input parsers and file upload handlers — they process untrusted input and are exactly where fuzzing finds crashes and security bugs
📦 Applies To
PHP 7.0+ web cli
🔗 Prerequisites
🔍 Detection Hints
Input parsing functions not fuzz tested; file format handlers; protocol implementations; no chaos or adversarial testing of external input handlers
Auto-detectable: ✓ Yes php-fuzzer afl libfuzzer atheris
⚠ Related Problems
🤖 AI Agent
Confidence: Low False Positives: Medium ✗ Manual fix Fix: High Context: File Tests: Update
