The Fuzzing process

A fuzzer is a program that works from a file of URLs that are predictable for a specific application or server. We send a request for each predictable URL, and if the response is OK, we have found a URL that is not public or is hidden but that turns out to be accessible.

Like most exploitable conditions, the fuzzing process is only useful against systems that improperly sanitize input, or that take more data than they can handle.

In general, the fuzzing process consists of the following phases:

  • Identifying the target: To fuzz an application, we have to identify the target application.
  • Identifying inputs: The vulnerability exists because the target application accepts a malformed input and processes it without sanitizing.
  • Creating fuzz data: After getting all the input parameters, we have to create invalid input data to send to the target application.
  • Fuzzing: After creating the fuzz data, we have to send it to the target application. We can use the fuzz data for monitoring exceptions when calling services.
  • Determining exploitability: After fuzzing, we have to check the input that caused a crash.
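
The five phases above, run in-process against a small parser, as an added example that is not from the original book. The names `parse_record`, `make_record`, `mutate` and `fuzz` are hypothetical, and the record format (length byte, payload, checksum byte) is constructed for illustration; the target deliberately trusts its length field so the fuzzer has a defect to find.

```python
import random

def parse_record(data: bytes) -> bytes:
    """Phase 1, the target (constructed): [length][payload][checksum]. Trusts the length byte."""
    length = data[0]                      # crashes on empty input
    payload = data[1:1 + length]
    checksum = data[1 + length]           # crashes when length overruns the buffer
    if checksum != sum(payload) % 256:
        raise ValueError("bad checksum")  # clean rejection, not a crash
    return payload

def make_record(payload: bytes) -> bytes:
    """Phase 2, the input: build one valid record to use as the seed."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Phase 3, fuzz data: corrupt one byte, truncate, or append random bytes."""
    data = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 1:
        del data[rng.randrange(len(data) + 1):]
    else:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Phase 4, fuzzing: send each case and monitor for unexpected exceptions."""
    rng = random.Random(rng_seed)         # fixed seed so runs are reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue                      # input was rejected as designed
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)  # first input per crash type
    return crashes

if __name__ == "__main__":
    # Phase 5, triage: each saved input reproduces one crash for analysis.
    for kind, case in fuzz(parse_record, make_record(b"hello")).items():
        print(kind, case.hex())
```

Each saved input can be replayed against `parse_record` to reproduce the failure; the fix here is to check the length field against `len(data)` before indexing.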