Zero-Width Characters in Field Values
This fuzzer has two flavours, depending on the configured --sanitizationStrategy.
Zero-width characters (such as \u200B, \u200C, \u200D, \uFEFF) are invisible Unicode characters that can be abused to bypass validation, filtering, deduplication, authorization checks, or create visually deceptive values while remaining byte-wise different.
Zero-Width Characters in Field Values SANITIZE_AND_VALIDATE
| Item | Description |
|---|---|
| Full Fuzzer Name | ZeroWidthCharsInValuesFieldsSanitizeValidateFuzzer |
| Log Key | ZWCIV |
| Description | This fuzzer inserts zero-width Unicode characters (e.g. \u200B, \u200C, \u200D, \uFEFF) into otherwise valid field values. With sanitize-then-validate semantics, the expectation is that APIs sanitize away zero-width characters first, leaving a valid value that then passes validation. |
| Enabled by default? | Yes |
| Target field types | All fields (primarily effective on string fields) |
| Expected result when fuzzed field is required | 2XX |
| Expected result when fuzzed field is optional | 2XX |
| Expected result when fuzzed value is not matching field pattern | 2XX |
| Fuzzing logic | Iteratively inserts zero-width characters at various positions inside field values using insertion-based fuzzing strategies. The inserted characters are invisible but change the underlying Unicode sequence. |
| Conditions when this fuzzer will be skipped | When the field is a discriminator (zero-width characters are not meaningful for discriminator logic). |
| HTTP methods that will be skipped | None |
| Reporting | Reports error if: 1. response code is 404; 2. response code is documented but not expected; 3. any unexpected exception. Reports warn if: 1. response code is expected and documented but does not match response schema; 2. response code is expected but not documented; 3. response code is 501. Reports success if: 1. response code is expected, documented, and matches response schema. |
Zero-Width Characters in Field Values VALIDATE_AND_SANITIZE
| Item | Description |
|---|---|
| Full Fuzzer Name | ZeroWidthCharsInValuesFieldsValidateSanitizeFuzzer |
| Log Key | ZWCIV |
| Description | This fuzzer inserts zero-width Unicode characters (e.g. \u200B, \u200C, \u200D, \uFEFF) into otherwise valid field values. With validate-then-sanitize semantics, the expectation is that APIs validate before sanitization and therefore reject the request as invalid when zero-width characters are present. |
| Enabled by default? | Yes |
| Target field types | All fields (primarily effective on string fields) |
| Expected result when fuzzed field is required | 4XX |
| Expected result when fuzzed field is optional | 4XX |
| Expected result when fuzzed value is not matching field pattern | 4XX |
| Fuzzing logic | Iteratively inserts zero-width characters at various positions inside field values using insertion-based fuzzing strategies. The presence of invisible characters should cause validation to fail before sanitization occurs. |
| Conditions when this fuzzer will be skipped | When the field is a discriminator (zero-width characters are not meaningful for discriminator logic). |
| HTTP methods that will be skipped | None |
| Reporting | Reports error if: 1. response code is 404; 2. response code is documented but not expected; 3. any unexpected exception. Reports warn if: 1. response code is expected and documented but does not match response schema; 2. response code is expected but not documented; 3. response code is 501. Reports success if: 1. response code is expected, documented, and matches response schema. |