Fullwidth Brackets Fields Fuzzer
| Item | Description |
|---|---|
| Full Fuzzer Name | FullwidthBracketsFieldsFuzzer |
| Log Key | FWBF |
| Description | This fuzzer inserts fullwidth Unicode angle brackets (＜ U+FF1C and ＞ U+FF1E) into string fields to detect markup and injection filter bypasses. These characters are visually similar to ASCII < (U+003C) and > (U+003E) but are distinct code points, so validation logic that only checks for the ASCII characters lets them through. |
| Enabled by default? | Yes |
| Target field types | OpenAPI type string |
| Expected result when fuzzed field is required | 2XX |
| Expected result when fuzzed field is optional | 2XX |
| Expected result when fuzzed value does not match field pattern | 4XX |
| Fuzzing logic | Iteratively mutates string field values by inserting fullwidth angle bracket characters: 1. Uses the Unicode characters ＜ (U+FF1C) and ＞ (U+FF1E), the fullwidth compatibility forms of ASCII < and >; NFKC normalization folds them back to the ASCII code points, which is why a filter that normalizes before checking catches them and one that matches only the ASCII characters does not. 2. Applies all applicable fuzzing strategies (e.g. replace, prefix, suffix or embedded insertion, depending on field type). 3. Sends each mutated value individually while keeping the rest of the request unchanged. 4. Targets filters that only block ASCII < and > characters. |
| Conditions when this fuzzer will be skipped | When the field is not suitable for special-character fuzzing (as determined by shared base-field skip logic). |
| HTTP methods that will be skipped | None |
| Reporting | Reports success if: 1. The API accepts the fullwidth bracket characters with a 2XX response, indicating that the service handles the Unicode input without breaking or rejecting it unexpectedly. Reports error if: 1. The API rejects the payload unexpectedly with a non-2XX response when no pattern violation is present. 2. The API accepts with 2XX a value that violates a declared pattern and should have been rejected with 4XX. Note that a 2XX on a field that is later rendered as markup means the brackets reached the backend unfiltered; whether that is a real bypass depends on how the service uses the value, so check the response body and downstream rendering rather than the status code alone. |