
Using fuzzing to detect security vulnerabilities

Title: Using fuzzing to detect security vulnerabilities
Date: 2006-07-03
Size: 344 Kb
Category: Technical
Complexity: ***
Summary:

Most computer system intrusions are a result of security vulnerabilities in applications. Detection and identification of security vulnerabilities is an interesting process not only for security experts and system administrators, but also for intruders attempting to penetrate computer systems.

In the last couple of years, special attention has been given to a technique called fuzzing. This method allows relatively fast detection of critical security vulnerabilities in various applications. Critical security vulnerabilities are usually variations of buffer overflows, which allow an unauthorized user to overwrite critical parts of a vulnerable process's memory. The result of exploiting such a vulnerability is usually the execution of shellcode, specially written code that the unauthorized user injects into the process in order to get access to the target system.

This paper describes the basic fuzzing categories and techniques. It also shows several examples of fuzzing efficiency. The examples were produced by running the Infigo FTPStress Fuzzer tool against the FTP protocol.
 

 

INfigo.hr © 2006