In the same vein as the Generic Protocol Framework, I've written a really simple to use black box testing suite called Simple Fuzzer (what else would you expect?). The goal is to provide a simple to use, but fairly powerful and flexible black box testing utility. Currently, the "premier" black box testing utility is SPIKE. However, SPIKE has a pretty steep learning curve, which is to be expected with something THAT powerful. For my own use though, I didn't need such power, and it turns out that it can be a detriment as it hoses the ability for others to write and run their own black box tests.

Fuzzers typically provide a means to automate negative (or positive) testing for boundary cases. Simple Fuzzer does the same, but merely tries to keep the configuration requirements low. It's really an engine for building fuzzers.


  1. Vivek Ramachandran, Sfuzz Fuzzer Demo,, July 2009.
  2. Lincoln, Introduction to Vulnerability Discovery, The Grey Corner blog, January 2010
  3. Allen, Lee, Advanced Penetration Testing for Highly-Secured Environments, Packt Publishing, 2012.
  4. Ralph LaBarge, Thomas McGuire, Cloud Penetration Testing, International Journal on Cloud Computing: Services and Architecture, December 2012.
  5. João Antunes, Nuno Ferreira Neves, Recycling Test Cases to Detect Security Vulnerabilities, Proceedings of the 23nd Annual International Symposium on Software Reliability Engineering (ISSRE), Dallas, USA, 10 pages, November 2012


The latest SFUZZ development versions are available at:

Latest download here (windows users can get source - requires mingw to build - or binary versions). Current version: 0.7.0

Historical Versions: 0.6.3, 0.6.2, 0.6.1, 0.6, 0.5, 0.4, 0.3, 0.2, 0.1

Last modified: 2014-12-22, 21:25

Copyright © 2011 me