Fuzzing Overview
Fuzzing in Dochia provides continuous, randomized testing using mutators rather than pre-defined playbooks. This approach allows for exploratory testing and discovery of unexpected vulnerabilities through random mutations of request data.
Unlike structured playbooks that test specific scenarios, fuzzing applies 28 different mutators randomly to generate unpredictable test cases, making it ideal for discovering edge cases and unknown vulnerabilities.
Fuzzing vs Playbooks
| Aspect | Playbooks | Fuzzing |
|---|---|---|
| Approach | Structured, predefined test cases | Random, continuous mutations |
| Coverage | Comprehensive, systematic | Exploratory, unpredictable |
| Use Case | Validation, compliance testing | Vulnerability discovery |
| Duration | Fixed test suite | Continuous until stopped |
| Targeting | All endpoints and methods | Single endpoint/method |
Available Mutators
The fuzzing engine uses 28 mutators that can be grouped into the following categories:
String and Text Mutations
- `BigListOfNaughtyStringsMutator`: Replace fields with known problematic strings
- `RandomAlphanumericStringMutator`: Replace fields with random alphanumeric characters
- `RandomStringMutator`: Replace fields with random Unicode strings
- `NullStringMutator`: Replace fields with null values
- `RandomLanguageIdentifiersMutator`: Replace fields with programming language keywords
Unicode and Special Characters
- `RandomAbugidasMutator`: Inject random abugida characters
- `RandomControlCharsMutator`: Replace fields with random control characters
- `RandomControlCharsInFieldKeysMutator`: Insert random control chars in field keys
- `RandomWhitespaceCharsMutator`: Replace fields with random whitespace characters
- `RandomWhitespacesInFieldKeysMutator`: Insert random whitespaces in field keys
- `RandomZalgoTextMutator`: Replace fields with random zalgo text
- `RandomMultiCodepointEmojisMutator`: Replace fields with multi-codepoint emojis
- `RandomSingleCodepointEmojisMutator`: Replace fields with single-codepoint emojis
Numeric Mutations
- `RandomNumberMutator`: Replace fields with random long numbers
- `RandomLargeIntegersMutator`: Replace fields with random large integers
- `RandomLargeDecimalsMutator`: Replace fields with random large decimals
- `RandomMaxValuesMutator`: Replace fields with maximum values for numeric types
- `RandomMinValuesMutator`: Replace fields with minimum values for numeric types
Case Expansion Testing
- `LowercaseExpandingBytesMutator`: Replace fields with strings that expand in byte length when lowercased
- `LowercaseExpandingLengthMutator`: Replace fields with strings that expand in character length when lowercased
- `UppercaseExpandingBytesMutator`: Replace fields with strings that expand in byte length when uppercased
- `UppercaseExpandingLengthMutator`: Replace fields with strings that expand in character length when uppercased
Structure and Format Mutations
- `RandomJsonMutator`: Replace body with random invalid JSON
- `RandomPayloadSizeMutator`: Replace payload with a substring of random length
- `RemoveFieldMutator`: Remove fields from the request body
Header Mutations
- `RandomAcceptHeaderMutator`: Replace the Accept header with random unsupported media types
- `RandomContentTypeHeaderMutator`: Replace the Content-Type header with random unsupported media types
- `RandomTransferEncodingHeaderMutator`: Replace the Transfer-Encoding header with random values
How to Use Fuzzing
⚠️ REQUIRED ARGUMENTS: The `dochia fuzz` command requires at least one stop condition (`--stop-XX`) and at least one match condition (`--match-XX`) to be specified. Fuzzing cannot run without these parameters.
Basic Fuzzing
```bash
# Basic fuzzing of a POST endpoint (with required stop and match conditions)
dochia fuzz -c api.yml -s https://api.example.com \
  -p /users -X POST \
  --stop-after-time-in-sec 300 \
  --match-response-codes 500

# Fuzzing with authentication
dochia fuzz -c api.yml -s https://api.example.com \
  -p /users -X POST \
  -H "Authorization=Bearer $TOKEN" \
  --stop-after-errors 10 \
  --match-input
```
Time-Based Fuzzing
```bash
# Run fuzzing for 5 minutes
dochia fuzz -c api.yml -s https://api.example.com \
  -p /users -X POST \
  --stop-after-time-in-sec 300 \
  --match-response-codes 500

# Run fuzzing for 1 hour
dochia fuzz -c api.yml -s https://api.example.com \
  -p /users -X POST \
  --stop-after-time-in-sec 3600 \
  --match-input
```
Error-Based Stopping
```bash
# Stop after finding 10 errors
dochia fuzz -c api.yml -s https://api.example.com \
  -p /users -X POST \
  --stop-after-errors 10 \
  --match-response-codes 500

# Stop after 1000 mutations
dochia fuzz -c api.yml -s https://api.example.com \
  -p /users -X POST \
  --stop-after-mutations 1000 \
  --match-input
```
Advanced Matching
```bash
# Match specific response codes as errors
dochia fuzz -c api.yml -s https://api.example.com \
  -p /users -X POST \
  --match-response-codes 500,502,503 \
  --stop-after-errors 5

# Match responses containing input reflection
dochia fuzz -c api.yml -s https://api.example.com \
  -p /users -X POST \
  --match-input \
  --stop-after-time-in-sec 600

# Match specific response patterns
dochia fuzz -c api.yml -s https://api.example.com \
  -p /users -X POST \
  --match-response-regex "error|exception|stack" \
  --stop-after-mutations 500
```
Custom Mutators
```bash
# Use custom mutators from a folder
dochia fuzz -c api.yml -s https://api.example.com \
  -p /users -X POST \
  --mutators ./custom-mutators/ \
  --stop-after-time-in-sec 1800 \
  --match-response-codes 500
```
Fuzzing Strategies
Discovery Fuzzing
Use fuzzing to discover unknown vulnerabilities and edge cases:
```bash
# Long-running discovery fuzzing
dochia fuzz -c api.yml -s https://api.example.com \
  -p /api/data -X POST \
  --stop-after-time-in-sec 7200 \
  --match-response-codes 500 \
  --match-input
```
Targeted Vulnerability Testing
Focus on specific vulnerability types:
```bash
# Test for injection vulnerabilities
dochia fuzz -c api.yml -s https://api.example.com \
  -p /search -X POST \
  --match-response-regex "sql|query|database|syntax" \
  --stop-after-errors 5
```
A pattern like this is case-sensitive in most regex engines, and real database errors tend to read "SQL syntax" or "ORA-" rather than lowercase "sql", so either list the case variants you expect or use an inline case-insensitive flag such as `(?i)` where the engine supports it. Keep the pattern narrow enough that ordinary success responses (a JSON field named `query`, for instance) do not count as errors, or `--stop-after-errors` will trip on noise.
Performance Impact Testing
Test for performance degradation:
```bash
# Test for slow responses
dochia fuzz -c api.yml -s https://api.example.com \
  -p /compute -X POST \
  --max-response-time 5000 \
  --stop-after-mutations 500 \
  --match-response-codes 500
```
Match Options
Fuzzing provides powerful matching capabilities to identify interesting responses:
Response Code Matching
- `--match-response-codes`: Match specific HTTP response codes as errors. Example: `--mc 500,502,503` matches server errors (`--mc` is the short form)
Content Matching
- `--match-input`: Flag responses that reflect the fuzzed input
- `--match-response-regex`: Match responses against regex patterns
- `--match-response-size`: Match specific response sizes
- `--match-response-lines`: Match specific line counts
- `--match-response-words`: Match specific word counts
Stop Conditions
- `--stop-after-errors`: Stop after finding N errors
- `--stop-after-mutations`: Stop after N test cases
- `--stop-after-time-in-sec`: Stop after N seconds
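How match and stop conditions combine during a run, as an added example written by the editor in Python (it is not Dochia's code and does not call the tool). The responses are constructed, and two semantics are this model's assumptions to verify against the tool itself: a response is flagged when any match condition fires, and the run ends when any stop condition fires. The `ignore_case` switch is also the model's, included to show what a case-sensitive `--match-response-regex` misses.

```python
"""Editor-added model of how Dochia-style match and stop conditions combine.
Illustrative only: not the tool's code; responses are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Response:          # constructed stand-in for an HTTP response
    status: int
    body: str


@dataclass
class MatchConfig:
    codes: set = field(default_factory=set)   # --match-response-codes
    reflect_input: bool = False               # --match-input
    regex: Optional[str] = None               # --match-response-regex
    ignore_case: bool = True                  # model's assumption, not a Dochia flag


@dataclass
class StopConfig:
    after_errors: Optional[int] = None        # --stop-after-errors
    after_mutations: Optional[int] = None     # --stop-after-mutations


def match_reasons(sent_value: str, resp: Response, cfg: MatchConfig) -> list:
    """Return every reason this response counts as an error (empty = uninteresting)."""
    reasons = []
    if resp.status in cfg.codes:
        reasons.append(f"status {resp.status}")
    # Reflection: the fuzzed value appears verbatim in the body. Echoing input is
    # normal for many APIs, so this is a hint rather than a finding, but it is the
    # precondition for reflected XSS and for error pages that leak the raw payload.
    if cfg.reflect_input and sent_value and sent_value in resp.body:
        reasons.append("input reflected")
    if cfg.regex:
        flags = re.IGNORECASE if cfg.ignore_case else 0
        m = re.search(cfg.regex, resp.body, flags)
        if m:
            reasons.append(f"regex matched {m.group(0)!r}")
    return reasons


def run_session(cases, match_cfg: MatchConfig, stop_cfg: StopConfig) -> dict:
    """Walk (sent_value, response) pairs in order: match first, then check stop rules."""
    findings, mutations = [], 0
    stop_reason = "exhausted"
    for sent_value, resp in cases:
        mutations += 1
        reasons = match_reasons(sent_value, resp, match_cfg)
        if reasons:
            findings.append((mutations, resp.status, reasons))
        if stop_cfg.after_errors is not None and len(findings) >= stop_cfg.after_errors:
            stop_reason = f"errors>={stop_cfg.after_errors}"
            break
        if stop_cfg.after_mutations is not None and mutations >= stop_cfg.after_mutations:
            stop_reason = f"mutations>={stop_cfg.after_mutations}"
            break
    return {"mutations": mutations, "findings": findings, "stop_reason": stop_reason}


# Constructed responses a /search endpoint might return to successive mutations.
SAMPLE_CASES = [
    ("alice",          Response(200, '{"results": []}')),
    ("\x00\x1f",       Response(500, "Internal Server Error")),
    ("<svg onload=1>", Response(200, '{"query": "<svg onload=1>", "results": []}')),
    ("' OR 1=1--",     Response(400, "You have an error in your SQL syntax near ''' at line 1")),
    ("ß" * 5000,       Response(503, "Service Unavailable")),
]

if __name__ == "__main__":
    cfg = MatchConfig(codes={500, 502, 503}, reflect_input=True,
                      regex=r"sql|query|database|syntax")
    print(run_session(SAMPLE_CASES, cfg, StopConfig(after_errors=3)))
```

Run with `--stop-after-errors 3` equivalents, the model stops at the fourth mutation: the 500, the reflected `<svg onload=1>` (which also trips the regex on the field name `query`) and the MySQL-style message together reach three errors. The same cases with a case-sensitive `sql` pattern and no other match condition produce no findings at all, which is the point of widening the pattern in the injection example above.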
Best Practices
1. Start with Short Sessions
```bash
# Begin with short fuzzing sessions (--st is the short form of --stop-after-time-in-sec);
# a match condition is mandatory, so one is included
dochia fuzz -c api.yml -s https://api.example.com \
  -p /endpoint -X POST --st 60 --mc 500
```
2. Use Appropriate Match Criteria
```bash
# Match server errors and input reflection; a stop condition is mandatory, so one is included
dochia fuzz -c api.yml -s https://api.example.com \
  -p /endpoint -X POST \
  --mc 500 --match-input \
  --stop-after-time-in-sec 300
```
3. Monitor Resource Usage
```bash
# Limit request rate for production testing; stop and match conditions are still required
dochia fuzz -c api.yml -s https://api.example.com \
  -p /endpoint -X POST \
  --max-requests-per-minute 60 \
  --stop-after-time-in-sec 600 \
  --match-response-codes 500
```
Random mutations of a POST endpoint create real records and real load, so prefer a staging copy of the service where you can, and rate-limit whenever the target is shared.
4. Use Error Keywords
```bash
# Detect error information leaks with a keyword list; stop and match conditions are still required
dochia fuzz -c api.yml -s https://api.example.com \
  -p /endpoint -X POST \
  --error-keywords error-keywords.properties \
  --stop-after-mutations 1000 \
  --match-response-codes 500
```
See Also
- Body Playbooks - Structured body testing
- Fields Playbooks - Individual field validation
- Headers Playbooks - Header manipulation testing
- Playbooks Overview - General introduction to playbook types
Detailed Guide to Mutators
String and Text Mutations
BigListOfNaughtyStringsMutator
- Description: Replaces fields with known problematic strings from security research
- Use Case: Tests against common injection patterns and edge cases
- Example: Replaces a field with strings like `'; DROP TABLE users; --`
RandomLanguageIdentifiersMutator
- Description: Replaces fields with programming language keywords
- Use Case: Tests for code injection and language-specific vulnerabilities
- Example: Replaces a field with `SELECT`, `eval`, `exec`, `import`
Unicode and Special Characters
RandomZalgoTextMutator
- Description: Replaces fields with zalgo text (base characters with stacked Unicode combining marks)
- Use Case: Tests Unicode handling and rendering safety
- Example: `T̸̰̐h̷̰̾i̵̱̔s̶̰̐ ̷̰̾i̵̱̔s̶̰̐ ̷̰̾ẕ̵̔a̶̰̐l̷̰̾g̵̱̔o̶̰̐` (the text "This is zalgo" with three combining marks on every character)
RandomControlCharsMutator
- Description: Replaces fields with random control characters
- Use Case: Tests parsing robustness and security filtering
- Example: Fields containing `\x00`, `\x1F`, `\x7F`
Numeric Mutations
RandomMaxValuesMutator
- Description: Replaces numeric fields with maximum values for their data types
- Use Case: Tests integer overflow and boundary conditions
- Example: `2147483647` for int, `9223372036854775807` for long
RandomLargeDecimalsMutator
- Description: Replaces fields with very large decimal numbers
- Use Case: Tests floating-point handling and precision limits
- Example: `1.7976931348623157E+308` (the largest finite IEEE 754 double)
Structure and Format Mutations
RandomJsonMutator
- Description: Replaces the request body with malformed JSON
- Use Case: Tests JSON parser robustness
- Example: `{"key": "value" malformed}`
RemoveFieldMutator
- Description: Randomly removes fields from request payloads
- Use Case: Tests required field validation
- Example: Removes the `email` field from a user registration request
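What the payloads from four of the mutator families above (Case Expansion, RandomZalgoTextMutator, RandomControlCharsMutator, RemoveFieldMutator, as listed under Available Mutators and in this guide) actually look like, as an added example written by the editor in Python. It is not Dochia's source code: the seed list of case-expanding characters, the sample request body and the helper names are constructed for illustration, and the real mutators draw on their own dictionaries.

```python
"""Illustrative re-implementations of four mutator families from this page
(case expansion, zalgo text, control characters, field removal).  Editor-added,
NOT Dochia's code; the seed lists and sample body below are constructed."""
import json
import random
import unicodedata

# Constructed seed list of characters whose case mapping changes the string length.
CASE_EXPANDING_SEEDS = ["ß", "ﬁ", "ŉ", "İ", "ǰ", "ΐ"]

# Unicode combining diacritics U+0300..U+036F, stacked to build zalgo text.
COMBINING_MARKS = [chr(cp) for cp in range(0x0300, 0x0370)]

# C0 controls plus DEL, the range the control-char example on this page draws from.
CONTROL_CHARS = [chr(cp) for cp in range(0x00, 0x20)] + ["\x7f"]


def case_expansions(seeds=CASE_EXPANDING_SEEDS):
    """Classify each seed by which of the four Case Expansion effects it has.

    A value that passes a length check and then grows when the server lowercases
    or uppercases it (for a case-insensitive lookup, say) is what these mutators
    hunt for: the post-normalisation value no longer fits the validated size."""
    out = {"upper_len": [], "upper_bytes": [], "lower_len": [], "lower_bytes": []}
    for ch in seeds:
        n_chars, n_bytes = len(ch), len(ch.encode("utf-8"))
        for label, mapped in (("upper", ch.upper()), ("lower", ch.lower())):
            if len(mapped) > n_chars:
                out[f"{label}_len"].append(ch)
            if len(mapped.encode("utf-8")) > n_bytes:
                out[f"{label}_bytes"].append(ch)
    return out


def zalgo(text, marks_per_char=3, rng=random):
    """Stack random combining marks on every character (RandomZalgoTextMutator-style)."""
    return "".join(
        ch + "".join(rng.choice(COMBINING_MARKS) for _ in range(marks_per_char))
        for ch in text
    )


def strip_marks(text):
    """Undo zalgo(): drop every non-spacing mark, to confirm what the base text was."""
    return "".join(c for c in text if unicodedata.category(c) != "Mn")


def random_control_chars(length=8, rng=random):
    """Build a value made only of control characters (RandomControlCharsMutator-style)."""
    return "".join(rng.choice(CONTROL_CHARS) for _ in range(length))


def mutate_string_fields(body, make_value, rng=random):
    """Replace every top-level string field with make_value(original, rng)."""
    return {k: make_value(v, rng) if isinstance(v, str) else v for k, v in body.items()}


def remove_field(body, rng=random):
    """Drop one randomly chosen top-level field (RemoveFieldMutator-style).

    Returns (new_body, removed_key); keys are sorted before choosing so a seeded
    rng gives a reproducible pick."""
    if not body:
        return dict(body), None
    key = rng.choice(sorted(body))
    return {k: v for k, v in body.items() if k != key}, key


# Constructed sample request body standing in for a /users POST payload.
SAMPLE_BODY = {"email": "alice@example.com", "name": "Alice", "age": 30}

if __name__ == "__main__":
    rng = random.Random(1)
    print(case_expansions())
    print(json.dumps(mutate_string_fields(SAMPLE_BODY, lambda v, r: zalgo(v, rng=r), rng),
                     ensure_ascii=False))
    # Control characters survive JSON encoding as \u00XX escapes, so the server's
    # JSON parser re-materialises them before the application code sees the value.
    print(json.dumps(mutate_string_fields(SAMPLE_BODY, lambda v, r: random_control_chars(rng=r), rng)))
    print(remove_field(SAMPLE_BODY, rng))
```

`case_expansions()` shows why the category is split four ways: `ß` uppercases to `SS`, so it grows in characters but not in UTF-8 bytes, whereas `İ` lowercases to `i` plus a combining dot and grows in both; a length check done before case folding passes values that a fixed-size buffer or a `VARCHAR(n)` column then rejects or truncates. `strip_marks()` is the check to run on whatever the server stored, since zalgo text that was silently normalised and zalgo text that was stored verbatim look identical in a rendered log.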