Introducing the FUZZ Testing Tool: Concepts, Architecture, and Practical Results

FUZZ testing, which uses large amounts of random test data to exercise software and monitor for anomalies, has been known for a long time but is still unfamiliar to many testers; it is rarely applied in everyday APP testing despite the popularity of tools like Monkey.

The core idea of FUZZ testing is to generate massive, random data without business purpose, making test preparation cumbersome, and to focus on monitoring software exceptions rather than business logic, which is why it is often used in security testing.

There are two technical modes for FUZZ testing: the growth‑based approach, which creates random data from templates, and the mutation‑based approach, which alters protocol bits after analysis to generate test inputs.

Based on this understanding, we developed a self‑built FUZZ testing tool that automatically generates large volumes of random data (growth mode), executes tests, and compares results. Unlike traditional security‑oriented fuzzers, this tool presents test outcomes and differences rather than merely monitoring the target.

The tool can automatically generate random SQL statements, run them, and display execution status, time, and count. It has identified bugs, uncovered differences between MySQL and DBRouter responses, and revealed variations in SQL syntax parsing and transaction handling within DBRouter.

We have extended the platform to support HTTP FUZZ testing, adopting the usage model of the open‑source WFUZZ tool and integrating its core functions into our existing FUZZ system, thereby broadening the tool’s applicability.

Future improvements include adding sequential execution mode to reduce load on the target system, addressing the current high‑concurrency execution that may exceed realistic usage scenarios, and further enhancing the tool based on user feedback.

FUZZ tool repository: http://autotest.17usoft.com/fuzztest