Fuzz testing a simple technique for feeding random input to applications. There are two types of fuzz testing categories:
1. Completely random data
2. Partially incorrect data
Random data is a series of arbitrary bytes sent to the interface that is then read by the interface. Partially incorrect data is data that is accurately formed but that might contain invalid values.
Fuzz testing has the following additional characteristics:
1. If the application crashes or hangs, it is considered to fail the test, otherwise it passes. Note that the application does not have to respond in a sensible manner to the input, and it can even quietly exit.
2. Fuzz testing can be automated to a high degree and results can be compared across applications, operating systems, and vendors. There are plenty of tools that exist to perform automated fuzz testing.
Test Cases
1. Perform random data fuzz testing on web service APIs simultaneously. Use a valid body but random data values. Validate that no application crashes. Use of XML fuzzers can help.
2. For the other web services, send boundary condition values (i.e. -1), various Unicode settings, un-escaped and escaped XML entities, type mismatches (i.e. int instead of string), out-of-range data, malformed fragments (i.e. content length says 2K but is really 1K), extraneous headers, binary garbage, extremely large/small payloads, case variations, extra SOAP headers, nonexistent SOAP methods, using too many methods in SOAP method, too few parameters in SOAP methods.
3. Perform code coverage of the input validation code.