Fuzz-testing XML-parser

Question

I want to fuzz-test a XML-parser and wonder if there are some appropriate fuzzers.
It would be nice not only generate random garbage, but take advantages of existing schema specification like XSD or DTD.

Answer 1

Following are some XML fuzzers that I chanced upon, during a search several months back:

• untidy. This is does not appear to be in active development, with the last update in 2007. (Project no longer available on Sourceforge, for posterity see archive.org for partial content, and packetstorm for download. It was added to Peach-1.0, but no longer appears in the Peach-3.1 Community Edition source at all).
• Fuzzware. Appears to have decent support for XSD based fuzzing.
• Peach. The Peach fuzzer project will aid in you in generating valid XML files, but will probably not be of much help if you want to fuzz the parser instead of the application using the parser. It is certainly worth a try, but be forewarned that creating a data model can be a cumbersome process if you are not aware of the various structures in XML. The related project HotFuzz is also worth mentioning here.
• JBroFuzz. This is quite actively developed. I couldn't find any tutorial describing it's XML (and SOAP) fuzzing capabilities. You might be helped by the fact that it can be used as a fuzzing library alone.
• Codenomicon Defensics for XML. This is a commercial fuzzer. Disclaimer: I have evaluated Defensics in the past, and have found it suitable for various purposes. The XML parser alone can be fuzzed using various techniques - you may feed it files generated by the fuzzer, or issue HTTP requests etc. Do keep in mind that different approaches will have to be used if you need to fuzz your application instead of the parser; Defensics will aid in selecting the various classes of inputs that you want in the fuzz inputs, so that you can target your parser, or your application or both.

Answer 2

This might be what you consider "garbage generator", but I'll ask you to check it out anyhow.

Radamsa from Oulu University Secure Programming Group is free general purpose fuzzer. You can get fuzzing with it really easily. Give it some example files and Radamsa generates fuzzed files for you.

The different fuzzers included can do from simple bit flips to complex learning of the structure and fuzzing it.

The code can be found from Google Code.