Talk

Fuzzing Java Code With the Help of JQF

conf 2019-11-08 16:10 – 17:00 TR1 EN

Fuzzing is the process of automatically feeding potentially corrupt input to a program with the goal of finding undesired behavior. While fuzzing is mostly applied to projects in memory-unsafe languages such as C and C++, it is increasingly applied to other programming languages such as Java. The goals of the fuzzing process are usually different, though, and range from finding simple errors to finding issues such as Denial of Service (DoS) or Server-Side Request Forgery (SSRF). To make the fuzzing process as efficient as possible, modern approaches increasingly instrument the code and try to maximize code coverage. JQF is one of the tools inspired by the well-known American Fuzzy Lop (AFL) fuzzer, and it aims to bring coverage-guided fuzzing to Java. JQF lets developers integrate fuzzing into their daily process by writing a simple unit test. This talk will give a short introduction and show what kinds of security issues have been found in the past, as well as how you can use the power of fuzzing in your development process.
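As an illustration of the "simple unit test" the abstract mentions, here is an added example (not taken from the talk or from the JQF project) of a JQF fuzz driver for a constructed record parser. The class name, the `parseRecord` target and its length-prefixed format are assumptions made for this sketch; it also assumes JUnit 4 and JQF are on the test classpath.

```java
import edu.berkeley.cs.jqf.fuzz.Fuzz;
import edu.berkeley.cs.jqf.fuzz.JQF;
import org.junit.Assume;
import org.junit.runner.RunWith;

import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;

// Added example: a JQF driver is an ordinary JUnit 4 class run by the JQF runner.
@RunWith(JQF.class)
public class RecordParserFuzzTest {

    // Constructed target (hypothetical): parses [int32 length][payload bytes].
    // It trusts the length field before allocating, which is the kind of
    // input-driven failure (crash or excessive allocation) fuzzing surfaces.
    static byte[] parseRecord(InputStream in) throws IOException {
        DataInputStream data = new DataInputStream(in);
        int length = data.readInt();
        byte[] payload = new byte[length]; // negative or very large length is unchecked
        data.readFully(payload);
        return payload;
    }

    // JQF supplies the InputStream; coverage feedback from the instrumented
    // code decides which generated inputs are kept and mutated further.
    @Fuzz
    public void parseRejectsOrAccepts(InputStream input) {
        try {
            parseRecord(input);
        } catch (IOException e) {
            // Documented rejection of truncated or malformed input:
            // mark this input as invalid instead of counting it as a failure.
            Assume.assumeNoException(e);
        }
        // Anything else that escapes (e.g. NegativeArraySizeException)
        // fails the test and is reported by the fuzzer as a finding.
    }
}

// With the jqf-maven-plugin configured in the project (assumption), run:
//   mvn jqf:fuzz -Dclass=RecordParserFuzzTest -Dmethod=parseRejectsOrAccepts
```

The fix the finding points to is validating `length` against a sane upper bound and rejecting negative values with an `IOException` before allocating.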