Jazzer – Modern fuzz testing for the JVM (open-sourced)
github.comI'm one of the engineers behind Jazzer and happy to answer any questions about it.
We also have a blogpost that talks about the most interesting technical aspects of Jazzer: https://blog.code-intelligence.com/engineering-jazzer
Great work Fabian! Nice to see this work becoming open source.
I am pretty new to fuzzing, please correct me if I am wrong: Since Jazzer fuzzes a Java application at runtime, can it be in principle also be used to fuzz a Java app without having it's source code?
Yes, that is exactly how it works, there is nothing that would require source code access.
If you have a Java app packaged as app.jar, all you need to do is write a fuzz target (with the fuzzerTestOneInput function) and package it into e.g. target.jar. Then you can run jazzer with
--cp=app.jar:target.jar --target_class=fuzz.target.Class
Probably biased because I know the authors but still, this is really cool! Anybody using Java should take a look at this!
I love it! Cool to see this happening.