What is fuzzing in security testing?
Answer
Fuzzing (fuzz testing) is an automated software testing technique that feeds a program random, malformed, or unexpected inputs to discover bugs, crashes, and security vulnerabilities. It is particularly effective at finding buffer overflows, memory corruption, assertion failures, and input validation issues.

Types:
- Mutation-based: randomly mutates valid inputs (bit flipping, byte substitution).
- Generation-based: generates inputs from a file format or protocol specification.
- Coverage-guided (grey-box): instruments the target binary to measure code coverage and evolves inputs toward unexplored paths; this is the most effective of the three.

Tools:
- AFL++ (American Fuzzy Lop): coverage-guided C/C++ fuzzer.
- LibFuzzer: LLVM's in-process fuzzer.
- OSS-Fuzz: Google's continuous fuzzing service for open-source projects (it has found 10,000+ bugs).
- Burp Suite Intruder: web application fuzzing.
- Boofuzz: network protocol fuzzing.

Google, Microsoft, and Mozilla run continuous fuzzing; it has discovered hundreds of CVEs in Chrome, Firefox, and critical libraries.
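The following is an added example, not code from the original answer or from AFL++/LibFuzzer: a minimal coverage-guided mutation fuzzer in pure Python that shows how the three ideas above fit together. Everything in it is constructed for illustration: `parse_record` is a hypothetical record parser with a deliberate out-of-bounds bug (the `IndexError` stands in for the memory-safety crash a sanitizer would report on a C target), the `_cov()` calls are hand-inserted in place of compiler instrumentation, and `mutate`, `run_once` and `fuzz` are this example's own names. The mutators mirror the strategies the answer lists (bit flip, byte substitution) plus AFL-style arithmetic and insert/delete; the loop keeps only inputs that reach new coverage edges and records unique crashes keyed by exception type and coverage.

```python
# Added example: coverage-guided mutation fuzzer (hypothetical target and names).
import random

# Hand-inserted coverage hooks stand in for AFL++/LibFuzzer compiler instrumentation.
COVERAGE = set()


def _cov(edge):
    COVERAGE.add(edge)


def parse_record(data):
    """Hypothetical target: [tag][length][payload...] with a deliberate OOB bug."""
    _cov("enter")
    if len(data) < 2:
        _cov("short")
        raise ValueError("record too short")       # intended rejection, not a bug
    tag, length, payload = data[0], data[1], data[2:]
    if tag == 0x10:
        _cov("tag_text")
        return {"type": "text", "value": payload[:length].decode("latin-1")}
    if tag == 0x20:
        _cov("tag_bin")
        buf = bytearray(16)                         # fixed-size buffer
        for i in range(length):                     # BUG: trusts the length field
            buf[i] = payload[i]                     # IndexError models the overflow
        return {"type": "bin", "value": bytes(buf)}
    _cov("tag_unknown")
    raise ValueError("unknown tag")


# Mutation strategies: bit flip, byte substitution, AFL-style arithmetic, insert, delete.
def flip_bit(data, rng):
    if not data:
        return data
    b = bytearray(data)
    i = rng.randrange(len(b))
    b[i] ^= 1 << rng.randrange(8)
    return bytes(b)


def replace_byte(data, rng):
    if not data:
        return data
    b = bytearray(data)
    b[rng.randrange(len(b))] = rng.randrange(256)
    return bytes(b)


def arith_byte(data, rng):
    if not data:
        return data
    b = bytearray(data)
    i = rng.randrange(len(b))
    b[i] = (b[i] + rng.randint(-35, 35)) & 0xFF
    return bytes(b)


def insert_byte(data, rng):
    i = rng.randint(0, len(data))
    return data[:i] + bytes([rng.randrange(256)]) + data[i:]


def delete_byte(data, rng):
    if not data:
        return data
    i = rng.randrange(len(data))
    return data[:i] + data[i + 1:]


MUTATORS = [flip_bit, replace_byte, arith_byte, insert_byte, delete_byte]


def mutate(data, rng):
    for _ in range(rng.randint(1, 3)):              # stack a few mutations, like AFL's havoc stage
        data = rng.choice(MUTATORS)(data, rng)
    return data


def run_once(target, data):
    """Run the target on one input; return (edges covered, exception or None)."""
    COVERAGE.clear()
    try:
        target(data)
        exc = None
    except Exception as e:                          # a fuzzer wants to see every failure
        exc = e
    return set(COVERAGE), exc


def fuzz(target, seeds, iterations, seed=0):
    """Coverage-guided loop: keep inputs that reach new edges, record unique crashes."""
    rng = random.Random(seed)
    corpus = list(seeds)
    edges_seen = set()
    crashes = {}                                    # (exception type, edges) -> first input
    for s in seeds:
        edges_seen |= run_once(target, s)[0]
    for _ in range(iterations):
        child = mutate(rng.choice(corpus), rng)
        edges, exc = run_once(target, child)
        if exc is not None and not isinstance(exc, ValueError):   # ValueError is the parser's own rejection
            crashes.setdefault((type(exc).__name__, frozenset(edges)), child)
        if not edges <= edges_seen:                 # new coverage: keep it for further mutation
            edges_seen |= edges
            corpus.append(child)
    return {"corpus": corpus, "edges": edges_seen, "crashes": crashes}


if __name__ == "__main__":
    result = fuzz(parse_record, [b"\x10\x05hello"], iterations=50000, seed=1)
    print("edges:", sorted(result["edges"]), "corpus size:", len(result["corpus"]))
    for (kind, _), data in result["crashes"].items():
        print("crash:", kind, data.hex())
```

Starting from the single valid seed `\x10\x05hello`, the loop first discovers the `short` and `tag_unknown` paths, then a mutation that turns the tag byte into `0x20` reaches `tag_bin` and is kept in the corpus; from there, enlarging the length byte or deleting payload bytes triggers the out-of-bounds access within a few hundred further iterations. The same structure is what AFL++ does at scale, with compiler-inserted edge counters instead of `_cov()` and a sanitizer-instrumented binary instead of a Python exception.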