Fuzz testing (fuzzing) is an automated testing technique used to discover coding errors and security vulnerabilities in software, operating systems or network services. A tool called a fuzzer feeds the test subject large volumes of malformed, random or semi-random data, called fuzz, and watches for crashes, hangs, failed assertions or memory-safety errors reported by sanitizers. Each input that triggers a failure is saved so the crash can be reproduced and its cause traced. Fuzz testing was originally developed by Barton Miller at the University of Wisconsin in the late 1980s, when a class project that fed random input to UNIX command-line utilities found that a large share of them crashed or hung.
Fuzzers work best for bugs with an observable symptom: memory corruption such as buffer overflows, uncaught exceptions, integer overflows, infinite loops and resource exhaustion that lead to denial of service (DoS). These are exactly the bug classes attackers reach for first, because a single crafted input can take down or take over a service. Injection flaws such as cross-site scripting and SQL injection can also be fuzzed, but only when the harness supplies an oracle other than a crash, for example checking whether the injected payload reaches the generated page or query unescaped. Fuzz testing is far less effective against defects that produce no such signal: authorization bypasses, logic errors, information leaks and cryptographic misuse can survive millions of inputs because nothing in the program visibly fails. It also says nothing about malicious code such as spyware, viruses, worms, Trojans or keyloggers, which are threats to a system rather than defects in the program under test.
Although fuzz testing is simple, it offers a high benefit-to-cost ratio and often reveals serious defects that were overlooked when the software was written and debugged. Its findings are only as good as its oracle and its coverage, however: a fuzzer that never reaches a code path, or that cannot tell a bad result from a good one, reports nothing. It therefore cannot provide a complete picture of the overall security, quality or effectiveness of a program, and is most effective when used in conjunction with code review, static analysis, unit and integration tests, black box and beta testing, and other proven debugging methods.