Min Greater Than Max Fields Fuzzer
| Item | Description |
|---|---|
| Full Fuzzer Name | MinGreaterThanMaxFieldsFuzzer |
| Log Key | MGTMF |
| Description | This fuzzer tests numeric range validation by deliberately breaking the logical relationship between paired range fields (for example minAmount / maxAmount, from / to, low / high). It sends requests where the lower-bound value is greater than the upper-bound value, verifying that the API correctly rejects invalid ranges. |
| Enabled by default? | Yes |
| Target field types | Numeric fields (integer / number) that form a detectable range pair in the request payload |
| Expected result when fuzzed field is required | 4XX |
| Expected result when fuzzed field is optional | 4XX |
| Expected result when fuzzed value is not matching field pattern | 4XX |
| Fuzzing logic | The fuzzer discovers numeric range field pairs based on common naming patterns, then mutates both fields in the same request to violate the range constraint: 1. Identifies candidate pairs using suffix/prefix patterns such as: min/max, from/to, start/end, low/high, lower/upper, gte/lte, gt/lt, floor/ceiling, etc. 2. Reads both values from the payload and proceeds only if both are numbers. 3. If low < high, it swaps the values so that low becomes greater than high. 4. If values are already low >= high, it keeps them as-is (still invalid or borderline) and sends the request. 5. Replaces both fields in the JSON payload and sends a single request expecting 4XX. 6. Uses integer-safe comparison when both numbers are integer types, otherwise compares as doubles. |
| Conditions when this fuzzer will be skipped | When no matching range pairs are found OR when either field value is not a numeric type in the payload. |
| HTTP methods that will be skipped | None |
| Reporting | Reports success if: 1. The API rejects the invalid range with a documented 4XX response. Reports error if: 1. The API accepts the request or returns an unexpected response code when the range constraint is violated. |
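
The pair discovery and swap described under "Fuzzing logic", sketched in Python as an added example (not CATS's own code) so you can preview which fields in a request body the fuzzer would pair and invert. It assumes only top-level fields are inspected and uses a subset of the naming markers; `PAIR_MARKERS`, `SAMPLE` and all function names are hypothetical.

```python
import json

# Assumed subset of the (low, high) naming markers listed in the table above.
PAIR_MARKERS = [("min", "max"), ("from", "to"), ("start", "end"), ("low", "high"),
                ("lower", "upper"), ("gte", "lte"), ("gt", "lt"), ("floor", "ceiling")]

# Constructed sample request body, not taken from a real API.
SAMPLE = {"minAmount": 10, "maxAmount": 500, "price_from": 9.5, "price_to": 3.0,
          "startDate": "2024-01-01", "endDate": "2024-02-01", "currency": "EUR"}


def is_number(value):
    # bool is a subclass of int in Python, but JSON true/false is not a numeric field.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def find_range_pairs(payload):
    """Return (low_key, high_key) pairs of top-level numeric fields that look like a range."""
    by_lower = {key.lower(): key for key in payload}
    pairs = []
    for lname, low_key in by_lower.items():
        for low, high in PAIR_MARKERS:
            candidates = []
            if lname.startswith(low):   # minAmount -> maxAmount
                candidates.append(high + lname[len(low):])
            if lname.endswith(low):     # price_from -> price_to
                candidates.append(lname[:-len(low)] + high)
            for candidate in candidates:
                high_key = by_lower.get(candidate)
                pair = (low_key, high_key)
                if (high_key and pair not in pairs
                        and is_number(payload[low_key]) and is_number(payload[high_key])):
                    pairs.append(pair)
    return pairs


def invert_range(payload, low_key, high_key):
    """Copy the payload; swap the pair only when low < high, so low ends up >= high."""
    fuzzed = dict(payload)
    low, high = payload[low_key], payload[high_key]
    if low < high:  # Python compares ints exactly, so 2**53 < 2**53 + 1 still holds
        fuzzed[low_key], fuzzed[high_key] = high, low
    return fuzzed


def fuzz(payload):
    """One mutated payload per detected pair; each is sent once and a 4XX is expected."""
    return [invert_range(payload, lo, hi) for lo, hi in find_range_pairs(payload)]


if __name__ == "__main__":
    for body in fuzz(SAMPLE):
        print(json.dumps(body))
```

The `startDate` / `endDate` pair matches by name but is skipped because its values are strings, which is the skip condition in the table.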