Jeffery Dallman on the SDL tools blog introduces MiniFuzzer, a baby fuzz testing tool for folks who’ve never fuzz tested before. Fuzz testing takes a template of known good input files and starts to fuzz them, playing with them, changing bits and bytes, doing all sorts of weird stuff and then firing them into your program to see if it can cause a crash, which it normally does. More “grown up” Fuzz Testers (like Peach) work from a specification of valid input and uses the spec to provide good, bad, and mostly good inputs, again feeding it into an application to see what happens.

Fuzz testing isn’t a substitute for unit tests or more formal tests, in a lot of cases passing a fuzz test indicates that the system handles errors correctly and does not indicate that it gets anything else right – however it’s a relatively low cost test which can reveal a high number of internal problems with the way your code handles input.

With MiniFuzzer you may have some work to do first – it requires that your program takes input as a startup parameter, so if your application is an ASP.NET application it’s time to take that input process code and link it into a command line app for testing. This may seem painful, but when you see your processing code start to fall over you’ll realise it’s probably a good idea :)