Hangul Filler Characters in Field Values
This fuzzer has two flavours, depending on the configured --sanitizationStrategy.
Hangul filler characters (such as \u3164, \uFFA0, \u115F, \u1160) are Unicode characters that are visually empty or near-empty, but still occupy code points. They can be abused to bypass validation, trimming, uniqueness checks, or authorization logic by creating values that look empty or unchanged while being different at the byte/Unicode level.
Hangul Filler Characters in Field Values SANITIZE_AND_VALIDATE
| Item | Description |
|---|---|
| Full Fuzzer Name | HangulFillerFieldsSanitizeValidateFuzzer |
| Log Key | HFF |
| Description | This fuzzer inserts Hangul filler Unicode characters into otherwise valid field values. With sanitize-then-validate semantics, the expectation is that APIs sanitize away Hangul filler characters first, resulting in a clean value that then passes validation. |
| Enabled by default? | Yes |
| Target field types | All fields (primarily effective on string fields) |
| Expected result when fuzzed field is required | 2XX |
| Expected result when fuzzed field is optional | 2XX |
| Expected result when fuzzed value is not matching field pattern | 2XX |
| Fuzzing logic | Iteratively inserts Hangul filler characters (\u3164, \uFFA0, \u115F, \u1160) into field values using insertion-based fuzzing strategies. These characters are visually blank but alter the Unicode representation of the value. |
| Conditions when this fuzzer will be skipped | When the field is not suitable for special-character fuzzing (shared base logic), such as discriminator fields or unsupported field types. |
| HTTP methods that will be skipped | None |
| Reporting | Reports error if: 1. response code is 404; 2. response code is documented but not expected; 3. any unexpected exception. Reports warn if: 1. response code is expected and documented but does not match response schema; 2. response code is expected but not documented; 3. response code is 501. Reports success if: 1. response code is expected, documented, and matches response schema. |
Hangul Filler Characters in Field Values VALIDATE_AND_SANITIZE
| Item | Description |
|---|---|
| Full Fuzzer Name | HangulFillerFieldsValidateSanitizeFuzzer |
| Log Key | HFF |
| Description | This fuzzer inserts Hangul filler Unicode characters into otherwise valid field values. With validate-then-sanitize semantics, the expectation is that APIs validate before sanitization and therefore reject the request as invalid when Hangul filler characters are present. |
| Enabled by default? | Yes |
| Target field types | All fields (primarily effective on string fields) |
| Expected result when fuzzed field is required | 4XX |
| Expected result when fuzzed field is optional | 4XX |
| Expected result when fuzzed value is not matching field pattern | 4XX |
| Fuzzing logic | Iteratively inserts Hangul filler characters (\u3164, \uFFA0, \u115F, \u1160) into field values using insertion-based fuzzing strategies. Validation is expected to fail before any sanitization takes place. |
| Conditions when this fuzzer will be skipped | When the field is not suitable for special-character fuzzing (shared base logic), such as discriminator fields or unsupported field types. |
| HTTP methods that will be skipped | None |
| Reporting | Reports error if: 1. response code is 404; 2. response code is documented but not expected; 3. any unexpected exception. Reports warn if: 1. response code is expected and documented but does not match response schema; 2. response code is expected but not documented; 3. response code is 501. Reports success if: 1. response code is expected, documented, and matches response schema. |
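
The two strategies above, seen from the API side: an added example, not code from the fuzzer or its project. The `username` pattern, the status codes returned and the three insertion positions are assumptions made for the demo; the fuzzer's real insertion strategies may differ.

```python
import re

# The four Hangul filler code points named on this page.
HANGUL_FILLERS = "\u3164\uFFA0\u115F\u1160"
FILLER_RE = re.compile(f"[{HANGUL_FILLERS}]")

# Assumed field constraint for the demo: lowercase ASCII username, 3-16 chars.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,16}")


def sanitize(value: str) -> str:
    """Remove Hangul fillers; str.strip() would not, they are not whitespace."""
    return FILLER_RE.sub("", value)


def is_valid(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


def sanitize_then_validate(value: str):
    """SANITIZE_AND_VALIDATE: clean first, then validate the cleaned value."""
    clean = sanitize(value)
    return (200, clean) if is_valid(clean) else (400, None)


def validate_then_sanitize(value: str):
    """VALIDATE_AND_SANITIZE: the raw value must already satisfy the pattern."""
    if not is_valid(value):
        return (400, None)
    return (200, sanitize(value))


def fuzzed_variants(value: str):
    """Constructed inputs: each filler at the start, middle and end."""
    mid = len(value) // 2
    variants = []
    for filler in HANGUL_FILLERS:
        variants += [filler + value, value[:mid] + filler + value[mid:], value + filler]
    return variants


if __name__ == "__main__":
    # Columns: filler code point, strip() removed it?, status per strategy.
    for v in fuzzed_variants("alice"):
        print([f"U+{ord(c):04X}" for c in v if c in HANGUL_FILLERS],
              v.strip() == "alice",
              sanitize_then_validate(v)[0], validate_then_sanitize(v)[0])
```

All four fillers are Unicode letters (general category Lo), so whitespace trimming leaves them in place and a broad pattern such as `\w+` accepts them. The 4XX expected under validate-then-sanitize therefore depends on the field pattern being strict enough to exclude them.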