Open Source Fuzzing Tools

Chapter 6: Build Your Own Fuzzer

Hold Your Horses

Before we start building a fuzzer, we must understand what a fuzzer is, or at least understand what a fuzzer should include, and why we can't just send in random data. This is also sometimes referred to as the 1/2^32 problem where in some cases, changing something at random is as good as playing the lottery.

Most people hear the word fuzzing or fuzzer and immediately imagine something that is obscure, uncertain, or even random. If we look up the phrase "Fuzz testing" in Wikipedia, we see that at least one of the methods of doing fuzz testing is "Simple fuzz usually uses a pseudo random number generator to provide input" (http://en.wikipedia.org/w/index.php?title=Fuzz_testing). Although this approach can yield results, it is uncommon for a random input to cause problems in complicated products.

This is because the probability of finding, at random, the exact bytes that will cause a problem in a sufficiently complicated product (for example, one that requires authentication or some sort of session handling) is negligible, or at best highly improbable.

In theory, we could start by sending the product we are interested in testing a single byte, and change its value so that it runs through every value from 0x00 up to 0xFF. Then we move on to sending two bytes of data, and change their value so that they pass through every value from 0x0000 up to 0xFFFF. This type of testing, sometimes referred to as a sequential tester, will conduct the best fuzz testing...
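The following added example (not code from the book) contrasts the two approaches described above on a constructed toy target that faults on exactly one 2-byte value: a sequential tester enumerates all 1-byte inputs, then all 2-byte inputs, and is guaranteed to reach the trigger, while a random generator of the same width only hits it with probability 1/256^width per attempt. The target, the trigger value and the helper names are all assumptions for illustration.

```python
import random

# Constructed toy target: only this exact 2-byte input triggers the fault.
TRIGGER = b"\x13\x37"


def toy_target(data):
    """Hypothetical product under test: raises on the one faulting input."""
    if data == TRIGGER:
        raise ValueError("fault")
    return len(data)


def sequential_inputs(max_width):
    """The 'sequential tester': every 1-byte input 0x00..0xFF, then every
    2-byte input 0x0000..0xFFFF, and so on up to max_width bytes."""
    for width in range(1, max_width + 1):
        for value in range(256 ** width):
            yield value.to_bytes(width, "big")


def count_sequential_inputs(max_width):
    """Total inputs the sequential tester must send for widths 1..max_width."""
    return sum(256 ** w for w in range(1, max_width + 1))


def random_hit_probability(width):
    """Chance that one uniformly random input of this width equals a given
    trigger; for 4 bytes this is the 1/2^32 'lottery' from the text."""
    return 1.0 / (256 ** width)


def fuzz_sequential(target, max_width):
    """Return (inputs_tried, faulting_input or None) for the sequential tester."""
    tried = 0
    for tried, data in enumerate(sequential_inputs(max_width), 1):
        try:
            target(data)
        except ValueError:
            return tried, data
    return tried, None


def fuzz_random(target, width, attempts, seed=0):
    """Return (inputs_tried, faulting_input or None) for random inputs of
    a fixed width; a miss after all attempts is the expected outcome."""
    rng = random.Random(seed)
    for tried in range(1, attempts + 1):
        data = rng.getrandbits(8 * width).to_bytes(width, "big")
        try:
            target(data)
        except ValueError:
            return tried, data
    return attempts, None
```

With a 2-byte trigger the sequential run finds the fault deterministically after all 256 one-byte inputs plus 0x1337 + 1 two-byte inputs (5176 sends), whereas 1000 random two-byte attempts have only about a 1.5% chance of hitting it.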
