{
    "slug": "fuzz_testing",
    "term": "Fuzz Testing",
    "category": "testing",
    "difficulty": "advanced",
    "short": "Automatically generating random, unexpected, or malformed inputs to find crashes, assertion failures, and security vulnerabilities that manual test cases miss.",
    "long": "Fuzzing feeds the code under test unexpected input: very long strings, null bytes, Unicode edge cases, negative numbers where positive is expected, malformed JSON, and boundary-crossing values. Coverage-guided fuzzers (American Fuzzy Lop, libFuzzer) track which code paths each input exercises and mutate inputs to reach paths not yet covered. For PHP, options include Paraunit, php-fuzzer, or property-based testing with Eris. Fuzzing is essential for parsers, decoders, file processors, and any code accepting external input. It finds bugs that would otherwise take years of production traffic to surface.",
    "aliases": [
        "fuzzing",
        "AFL",
        "libFuzzer",
        "random testing"
    ],
    "tags": [
        "testing",
        "security",
        "quality"
    ],
    "misconception": "Fuzzing is only for security research on low-level C code — PHP applications parsing user-controlled input (XML, JSON, file uploads, URL parameters) benefit from fuzzing for both bugs and security vulnerabilities.",
    "why_it_matters": "Production traffic eventually sends every possible malformed input — fuzzing finds the crashes and security issues before attackers do, at a fraction of the incident cost.",
    "common_mistakes": [
        "Not running fuzz testing long enough — many bugs only appear after millions of iterations.",
        "Fuzzing without a seed corpus of valid inputs — fuzzers that start from valid inputs reach more code paths much faster than those starting from nothing.",
        "Not saving minimised reproduction cases — failing inputs should be shrunk to the smallest input that still reproduces the failure.",
        "Fuzzing only happy-path inputs — the value of fuzzing lies in the unexpected and the malformed."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "property_based_testing",
        "mutation_testing",
        "input_validation",
        "security_misconfiguration"
    ],
    "prerequisites": [
        "property_based_testing",
        "security_by_design",
        "input_validation"
    ],
    "refs": [
        "https://github.com/nikic/PHP-Fuzzer"
    ],
    "bad_code": "// Parser with no fuzz testing — crashes in production:\nfunction parseCustomFormat(string $input): array {\n    // Assumes: well-formed input, ASCII only, max 1000 chars\n    // Production receives: 50KB Unicode string with null bytes\n    // Result: Fatal error, memory exhaustion, or security bypass\n    $parts = explode(':', $input);\n    return ['key' => $parts[0], 'value' => $parts[1]]; // Undefined offset!\n}",
    "good_code": "// Property-based fuzzing with Eris:\nuse Eris\\Generator;\n\npublic function testParserHandlesArbitraryInput(): void {\n    $this->forAll(\n        Generator\\string()  // Random strings of any content\n    )->then(function(string $input) {\n        // Should never throw or crash:\n        $result = parseCustomFormat($input);\n        $this->assertIsArray($result); // Must always return array\n    });\n}\n// Runs hundreds of random inputs, shrinks failures to minimal case",
    "quick_fix": "Point a fuzzer at your PHP input parsers and file upload handlers — they process untrusted input and are exactly where fuzzing finds crashes and security bugs",
    "severity": "high",
    "effort": "high",
    "created": "2026-03-16",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/fuzz_testing",
        "html_url": "https://codeclaritylab.com/glossary/fuzz_testing",
        "json_url": "https://codeclaritylab.com/glossary/fuzz_testing.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Fuzz Testing](https://codeclaritylab.com/glossary/fuzz_testing) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/fuzz_testing"
            }
        }
    }
}