Skip to main content

Only Control Characters

This Fuzzer has 2 flavours depending on the --edgeSpacesStrategy.

Only Control Characters In Fields TRIM_AND_VALIDATE

ItemDescription
Full Fuzzer NameOnlyControlCharsInFieldsTrimValidateFuzzer
Log KeyOCCIF
DescriptionThis fuzzer replaces fields with unicode control characters. The expectation is that APIs will sanitize the input values, thus removing control characters and handle the request as a happy path.
Enabled by default?No. You need to supply --includeControlChars argument
Target field typesAll
Expected result when fuzzed field is required2XX
Expected result when fuzzed field is optional2XX
Expected result when fuzzed value is not matching field pattern2XX
Fuzzing logicIteratively replaces fields with control characters
Conditions when this fuzzer will be skippedWhen field is a discriminator
HTTP methods that will be skippedNone
ReportingReports error if: 1. response code is 404; 2. response code is documented, but not expected; 3. any unexpected exception.

Reports warn if: 1. response code is expected and documented, but not matches response schema; 2. response code is expected, but not documented; 3. response code is 501.

Reports success if: 1. response code is expected, documented and matches response schema.

Only Control Characters In Fields VALIDATE_AND_TRIM

ItemDescription
Full Fuzzer NameOnlyControlCharsInFieldsValidateTrimFuzzer
Log KeyOCCIF
DescriptionThis fuzzer replaces fields with unicode control characters. As the sanitization is assumed post-validation, the expectation is that APIs reject the request as invalid.
Enabled by default?No. You need to supply --includeControlChars argument
Target field typesAll
Expected result when fuzzed field is required4XX
Expected result when fuzzed field is optional4XX
Expected result when fuzzed value is not matching field pattern4XX
Fuzzing logicIteratively replaces fields with control characters
Conditions when this fuzzer will be skippedWhen field is a discriminator
HTTP methods that will be skippedNone
ReportingReports error if: 1. response code is 404; 2. response code is documented, but not expected; 3. any unexpected exception.

Reports warn if: 1. response code is expected and documented, but not matches response schema; 2. response code is expected, but not documented; 3. response code is 501.

Reports success if: 1. response code is expected, documented and matches response schema.