Written by Administrator
Friday, 04 September 2009 07:14
What is a Fuzzer?

During our last project meeting, we ended up discussing application protocol fuzzing tests. It seemed that the employer and the contractor had different definitions for these tests.
So, I went down a Google trip, for my own clarity's sake. My simple understanding of a fuzzer is presented here for all readers.

A fuzzer is an application used to discover security vulnerabilities by sending random input (purposefully generated) to an application/service (software or a hardware device like a router). If the target application contains a vulnerability that can lead to an exception, crash or server error (e.g. in a web server or application server), the fuzzer can discover it. Fuzzers are also termed fault injectors for this reason.

It is important to note that fuzzers are good at finding buffer overflow, DoS, SQL injection, XSS, and format string bugs. They are not meant to disclose vulnerabilities related to information disclosure, encryption flaws, or any other vulnerability that does not cause the application/service to crash or generate errors.

SQL injection is an attack technique used to exploit web sites by altering backend SQL statements through manipulating application input. SQL injection happens when a developer accepts user input that is directly placed into a SQL statement and doesn't properly filter out dangerous characters.
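
To illustrate the definition above, here is an added example (not code from the original post): a small mutation fuzzer run against a constructed toy parser. The `parse_record` function, its record layout and the seed are assumptions made for the illustration; the parser has one crash bug that the fuzzer finds and one silent flaw (an unverified checksum) that raises no error and so goes unreported.

```python
import random

def parse_record(data: bytes) -> bytes:
    """Toy target (constructed): [type][length][payload...][checksum]."""
    if len(data) < 2:
        raise ValueError("short header")       # clean, expected rejection
    length = data[1]
    # Crash bug: the declared length is trusted and never checked against len(data).
    payload = bytes(data[2 + i] for i in range(length))
    # Silent flaw: the trailing checksum byte is never verified, so corrupted
    # records are accepted. Nothing is raised, so a crash-based fuzzer misses it.
    return payload

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Return a copy of seed with 1-3 random byte flips, inserts or deletes."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("flip", "insert", "delete"))
        pos = rng.randrange(len(buf)) if buf else 0
        if op == "flip" and buf:
            buf[pos] = rng.randrange(256)
        elif op == "insert":
            buf.insert(pos, rng.randrange(256))
        elif op == "delete" and buf:
            del buf[pos]
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Feed mutated inputs to target; keep one reproducer per unexpected error type."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            pass                       # input rejected cleanly, not a finding
        except Exception as exc:       # any other exception is the "crash" signal
            crashes.setdefault(type(exc).__name__, case)
    return crashes

# Constructed valid record: type 0x01, length 4, payload "ABCD", checksum 0x00.
SEED = bytes([0x01, 0x04]) + b"ABCD" + bytes([0x00])

if __name__ == "__main__":
    for kind, case in fuzz(parse_record, SEED).items():
        print(kind, "reproducer:", case.hex())
```

The saved reproducer can be replayed against the parser to confirm a fix, such as rejecting any record whose declared length exceeds the bytes actually present.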
Last Updated on Friday, 04 September 2009 07:26