
The Importance of Fuzzing…Emulators?

mgba.io

Anyone familiar with computer security should be familiar with the concept of fuzzing. You throw garbage data at a program, over and over again, to see if it crashes. If it does, you might have a security issue. It’s a great way to do automated security testing of software, and has uncovered countless critical issues in software across the board. A popular fuzzing framework, American Fuzzy Lop (usually called afl or afl-fuzz for short), even has a “trophy case” for only a small percentage of the bugs it has uncovered—and there are over 150 bugs listed!

Although usually not very intelligent, and limited in the scope of the bugs it can find, fuzzing is a common and effective practice for finding security bugs in software that is complex enough for issues to not be immediately obvious upon source inspection. Being a stochastic process, fuzzing can take a lot of time and careful selection of input cases (for mutational fuzzers) to produce good results. Conversely, it can also be left running as a background task for weeks or months with little interaction. As such, fuzzing is often employed in commonly deployed libraries such as libPNG, and widely used software such as Flash. A myriad of different projects use fuzzing to help find bugs, especially as software security comes more to the forefront of engineers’ minds.

2 pages link to this URL
GitHub - secfigo/Awesome-Fuzzing: A curated list of fuzzing resources ( Books, courses - free and paid, videos, tools, tutorials and vulnerable applications to practice on ) for learning Fuzzing and initial phases of Exploit Development like root cause analysis.
