Homoglyph Enum Fields Fuzzer
| Item | Description |
|---|---|
| Full Fuzzer Name | HomoglyphEnumFieldsFuzzer |
| Log Key | HEF |
| Description | This fuzzer mutates enum values by replacing individual characters with visually similar Unicode homoglyphs (for example Latin A → Greek Α). It is designed to detect Trojan Source–style validation, authorization, or routing bypasses where systems compare enum values visually or inconsistently normalize Unicode input. |
| Enabled by default? | Yes |
| Target field types | OpenAPI fields of type string with a defined enum |
| Expected result when fuzzed field is required | 4XX |
| Expected result when fuzzed field is optional | 4XX |
| Expected result when fuzzed value is not matching field pattern | 4XX |
| Fuzzing logic | Iteratively replaces enum values with homoglyph-altered variants: 1. Reads the original enum value from the request payload. 2. Iterates through each character of the value. 3. When a Unicode homoglyph mapping exists for a character, replaces it with a visually similar character from another Unicode block. 4. Generates one mutated value per replaceable character position. 5. If no homoglyph substitutions are possible, the original value is reused to avoid empty fuzz cases. |
| Conditions when this fuzzer will be skipped | When the field is not a string enum OR the field is not present in the request payload. |
| HTTP methods that will be skipped | None |
| Reporting | Reports error if: 1. The API accepts the homoglyph-altered enum value, indicating a potential validation or authorization bypass. Reports success if: 1. The API correctly rejects the mutated enum value with a documented 4XX response. |