Fuzzing is one of the key tools in a security researcher’s tool box. It is simple to write a random fuzzer.

Unfortunately, random fuzzing is not very effective for programs that accept complex input languages such as those that expect JSON or any other structure in their input. For these programs, the fuzzing can be much more effective if one has a model of their input structure. A number of such tools exist (1, 2, 3, 4). But how difficult is it to write your own grammar based fuzzer?

The interesting thing is that, a grammar fuzzer is essentially a parser turned inside out. Rather than consuming, we simply output what gets compared. With that idea in mind, let us use one of the simplest parsers – (A PEG parser).

Now, all one needs is a grammar.

The driver is as follows:

This grammar fuzzer can be implemented in pretty much any programming language that supports basic data structures.

What if you want the derivation tree instead? The following modified fuzzer will get you the derivation tree which can be used with fuzzingbook.GrammarFuzzer.tree_to_string

Using it

One problem with the above fuzzer is that it can fail to terminate the recursion. Here is an implementation that uses random expansions until a configurable depth (max_depth) is reached, and beyond that, uses purely non-recursive cheap expansions.

Using it: