 

Fuzz-testing XML-parser

Tags: xml, xsd, fuzzing

I want to fuzz-test an XML parser and wonder if there are some appropriate fuzzers.
It would be nice to not only generate random garbage, but to take advantage of existing schema specifications like XSD or DTD.

asked May 31 '11 13:05 by p4553d


2 Answers

Following are some XML fuzzers that I chanced upon during a search several months back:

  • untidy. This does not appear to be in active development, with the last update in 2007. (The project is no longer available on SourceForge; for posterity, see archive.org for partial content and packetstorm for a download. It was added to Peach 1.0, but no longer appears in the Peach 3.1 Community Edition source at all.)
  • Fuzzware. Appears to have decent support for XSD-based fuzzing.
  • Peach. The Peach fuzzer project will aid you in generating valid XML files, but will probably not be of much help if you want to fuzz the parser instead of the application using the parser. It is certainly worth a try, but be forewarned that creating a data model can be a cumbersome process if you are not aware of the various structures in XML. The related project HotFuzz is also worth mentioning here.
  • JBroFuzz. This is quite actively developed. I couldn't find any tutorial describing its XML (and SOAP) fuzzing capabilities. You might be helped by the fact that it can be used as a fuzzing library alone.
  • Codenomicon Defensics for XML. This is a commercial fuzzer. Disclaimer: I have evaluated Defensics in the past and have found it suitable for various purposes. The XML parser alone can be fuzzed using various techniques: you may feed it files generated by the fuzzer, or issue HTTP requests, etc. Do keep in mind that different approaches will have to be used if you need to fuzz your application instead of the parser; Defensics will aid in selecting the various classes of inputs that you want in the fuzz inputs, so that you can target your parser, your application, or both.
answered Nov 16 '22 10:11 by Vineet Reynolds


This might be what you consider a "garbage generator", but I'll ask you to check it out anyhow.

Radamsa from the Oulu University Secure Programming Group is a free, general-purpose fuzzer. You can get fuzzing with it really easily: give it some example files and Radamsa generates fuzzed files for you.

The different fuzzers included range from simple bit flips to complex learning of the structure and fuzzing it.

The code can be found on Google Code.

answered Nov 16 '22 11:11 by oherrala
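An added example, not code from either answer and not from any of the tools named in the thread (untidy, Fuzzware, Peach, JBroFuzz, Defensics, Radamsa). It puts the two approaches the answers contrast side by side in one small harness: a byte-level "garbage" mutator of the kind the question wants to move beyond, and a structure-aware mutator that edits the parsed element tree and re-serializes it, so every mutant stays well-formed and reaches the code behind the tokenizer (a lightweight stand-in for the XSD/DTD-driven generation the question asks for). The seed document, the mutation operators and the `target_parse` wrapper (here the stdlib expat-based ElementTree parser) are all constructed for this example; swap `target_parse` for the parser you actually want to test.

```python
"""Mutation-fuzzing harness for an XML parser (added example, not from the thread)."""
import copy
import random
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import ParseError

# Constructed seed document. A real campaign uses many valid samples, ideally
# covering every element and attribute the XSD/DTD permits.
SEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<order id="42" currency="EUR">
  <customer><name>Alice</name><email>alice@example.org</email></customer>
  <item sku="A-1" qty="2"><price>9.99</price></item>
  <item sku="B-7" qty="1"><price>120.00</price></item>
</order>
"""


def byte_mutate(data: bytes, rng: random.Random) -> bytes:
    """Garbage-style mutation: flip a bit, delete, duplicate or inject a byte.

    Most outputs die in the tokenizer, which is why the question finds this
    approach unsatisfying on its own.
    """
    buf = bytearray(data)
    i = rng.randrange(len(buf))
    op = rng.choice(("flip", "delete", "dup", "inject"))
    if op == "flip":
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "delete":
        del buf[i]
    elif op == "dup":
        buf[i:i] = buf[i:i + rng.randrange(1, 32)]
    else:  # bytes an XML tokenizer cares about, plus NUL and an invalid UTF-8 byte
        buf[i:i] = bytes([rng.choice(b"<>&\"'\x00\xff")])
    return bytes(buf)


def structure_mutate(data: bytes, rng: random.Random) -> bytes:
    """Structure-aware mutation: edit the element tree, then re-serialize.

    Every output is well-formed XML, so it passes the tokenizer and exercises
    tree building, attribute handling and whatever interprets the content.
    """
    root = ET.fromstring(data)
    elems = list(root.iter())
    target = rng.choice(elems)
    op = rng.choice(("dup_subtree", "deep_nest", "long_text", "drop_attr", "bad_value"))
    if op == "dup_subtree":  # many identical siblings: lists, id maps, lookups
        parent = next((p for p in elems if target in list(p)), None)
        if parent is not None:
            for _ in range(rng.randrange(1, 64)):
                parent.append(copy.deepcopy(target))
    elif op == "long_text":  # oversized text node
        target.text = "A" * rng.choice((2 ** 10, 2 ** 16, 2 ** 20))
    elif op == "drop_attr" and target.attrib:  # a "required" attribute goes missing
        del target.attrib[rng.choice(list(target.attrib))]
    elif op == "bad_value":  # schema-invalid but well-formed values
        val = rng.choice(("-1", "0", "1e308", "9" * 40, "", "NaN", "\u202e"))
        if target.attrib:
            target.attrib[rng.choice(list(target.attrib))] = val
        else:
            target.text = val
    out = ET.tostring(root)
    if op == "deep_nest":  # spliced textually so the serializer need not recurse
        depth = rng.randrange(500, 5000)
        close = out.rfind(b"</")
        out = out[:close] + b"<n>" * depth + b"</n>" * depth + out[close:]
    return out


def target_parse(data: bytes) -> ET.Element:
    """Parser under test. Stand-in: the stdlib expat-based parser (assumption)."""
    return ET.fromstring(data)


def well_formed(data: bytes) -> bool:
    """True if the target accepts the input, False if it rejects it cleanly."""
    try:
        target_parse(data)
        return True
    except ParseError:
        return False


def fuzz(seed: bytes, iterations: int, rng_seed: int = 1) -> dict:
    """Run both mutators against target_parse and triage the outcomes.

    A ParseError on malformed input is the parser doing its job. Any other
    exception type escaping the parser is recorded as a finding. A hang or a
    process crash (native parsers) needs a timeout/subprocess wrapper around
    target_parse, which this in-process harness does not provide.
    """
    rng = random.Random(rng_seed)
    stats = {"ok": 0, "rejected": 0, "findings": []}
    for _ in range(iterations):
        mutator = byte_mutate if rng.random() < 0.5 else structure_mutate
        case = mutator(seed, rng)
        try:
            target_parse(case)
            stats["ok"] += 1
        except ParseError:
            stats["rejected"] += 1
        except Exception as exc:  # anything unexpected is exactly what we want to see
            stats["findings"].append((mutator.__name__, type(exc).__name__, case))
    return stats


if __name__ == "__main__":
    s = fuzz(SEED, 500)
    print(f"accepted={s['ok']} rejected={s['rejected']} findings={len(s['findings'])}")
    for mut, exc, case in s["findings"][:5]:
        print(mut, exc, case[:120])
```

The triage rule is the part worth keeping whatever parser you target: a clean rejection of malformed input is expected behaviour, so only exceptions of an unexpected type, hangs and crashes are findings. When the parser is native code, run each case in a subprocess with a timeout and keep the input that produced any abnormal exit; the structure-aware mutants are the ones most likely to get past the tokenizer and into that code.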