Prefix Numbers With Zero Fields Fuzzer

| Item | Description |
|---|---|
| Full Fuzzer Name | PrefixNumbersWithZeroFieldsFuzzer |
| Log Key | PNWZF |
| Description | This fuzzer tests type coercion and numeric validation by sending numeric field values as JSON strings with leading zeros (e.g. `"00123"` instead of `123`). It helps detect APIs that silently coerce types, mishandle numeric parsing, or suffer from edge cases such as octal interpretation or string-vs-number comparison bugs. |
| Enabled by default? | Yes |
| Target field types | OpenAPI type `integer` and `number` |
| Expected result when fuzzed field is required | 4XX |
| Expected result when fuzzed field is optional | 4XX |
| Expected result when fuzzed value does not match the field pattern | 4XX |
| Fuzzing logic | Iteratively replaces each numeric field value with a string value prefixed with leading zeros:<br>1. Finds all fields present in the payload whose schema type is `integer` or `number`.<br>2. Skips fields with no value set.<br>3. For each numeric field, generates three variants by prefixing the original value with `0`, `00` and `000`.<br>4. Replaces the field value with the resulting string (so the JSON payload contains a quoted value), which preserves the leading zeros on the wire.<br>5. Sends each mutated request, expecting the API to reject the type mismatch with 4XX. |
| Conditions when this fuzzer will be skipped | When the request payload is empty, OR no numeric fields are present in the payload, OR a candidate numeric field has no value set. |
| HTTP methods that will be skipped | GET, DELETE, HEAD, TRACE |
| Reporting | Reports success if:<br>1. The API rejects the numeric-as-string value with a 4XX response (proper type validation).<br><br>Reports error if:<br>1. The API accepts the request (e.g. 2XX) despite receiving a numeric field as a string with leading zeros, indicating type coercion or validation gaps.<br>2. The API returns an unexpected response code when processing the payload. |
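The mutation steps above and the two API behaviours the reporting rules distinguish, as an added Python example that is not the fuzzer's own code. The schema, the payload and the two stand-in validators (one strict, one coercing) are constructed assumptions used only to illustrate what the fuzzer sends and why a coercing handler is reported as an error.

```python
import json

# Constructed sample schema and payload (assumptions, not taken from the page).
SCHEMA = {"id": {"type": "integer"}, "price": {"type": "number"},
          "name": {"type": "string"}, "qty": {"type": "integer"}}
PAYLOAD = {"id": 123, "price": 9.5, "name": "widget", "qty": None}
PREFIXES = ("0", "00", "000")  # the three variants the fuzzer generates per field

def numeric_fields(schema, payload):
    """Steps 1-2: integer/number fields present in the payload that have a value set."""
    return [f for f, s in schema.items()
            if s.get("type") in ("integer", "number") and payload.get(f) is not None]

def generate_variants(schema, payload):
    """Steps 3-4: one mutated payload per (field, prefix); the value becomes a quoted string."""
    return [(f, p, {**payload, f: p + str(payload[f])})
            for f in numeric_fields(schema, payload) for p in PREFIXES]

def strict_type_errors(schema, body):
    """Defender side: check the JSON type as received; a string never satisfies integer/number."""
    errors = []
    for field, spec in schema.items():
        value, kind = body.get(field), spec.get("type")
        if value is None or kind not in ("integer", "number"):
            continue
        if isinstance(value, bool) or not isinstance(value, int if kind == "integer" else (int, float)):
            errors.append(f"{field}: expected {kind}, got JSON {type(value).__name__}")
    return errors

def coercing_type_errors(schema, body):
    """A coercing handler, constructed to show the gap: int('00123') quietly becomes 123."""
    errors = []
    for field, spec in schema.items():
        value, kind = body.get(field), spec.get("type")
        if value is None or kind not in ("integer", "number"):
            continue
        try:
            (int if kind == "integer" else float)(value)
        except (TypeError, ValueError):
            errors.append(f"{field}: not coercible to {kind}")
    return errors

def run_fuzzer(schema, payload, validator):
    """Step 5: push each variant through a stand-in API; 4XX is a success, 2XX is reported as an error."""
    outcome = {}
    for field, prefix, body in generate_variants(schema, payload):
        received = json.loads(json.dumps(body))  # round-trip the wire JSON; the quoted value survives intact
        status = 400 if validator(schema, received) else 200
        outcome[(field, prefix)] = "success" if 400 <= status < 500 else "error"
    return outcome
```

Running `run_fuzzer(SCHEMA, PAYLOAD, strict_type_errors)` yields six `success` entries, while the same call with `coercing_type_errors` yields six `error` entries, because the coercing handler accepts `"00123"` and `"0009.5"` as if they were numbers.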