What is a fuzzer supposed to do? It seems something like randomly injecting some (data) into a network and hoping something significant happens / breaks?
This seems a bit too unlikely - can anyone supply more details?
Pretty much it. You often provide them with a corpus and they start mutating it and trying lots of random data based on it with the goal being to crash code. Fuzzing actually catches a remarkable number of problems with code.
The one I've seen the most of recently in general, and probably the highest quality blogs about it, has been American Fuzzy Lop (AFL): http://lcamtuf.coredump.cx/afl/ There are a number of programs in its treasure chest; I'd encourage looking at a few of the links if you're even remotely curious about the bugs fuzzing can expose.
This one has been making a fair splash in the go community, take a look at the trophy list about a third of the way down the page: https://github.com/dvyukov/go-fuzz
Instead of pure random data, fuzzers can use 'attack heuristics' to try to minimize the search space. These are specific patterns that are more likely to expose bugs, based on previous vulnerabilities and known coding errors. For example, using '%n%n%n%n%n' many times to exploit C-style format string stack vulnerabilities.
Mozilla started a project known as FuzzDB to collect these heuristics, although it doesn't appear to have been maintained recently.
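To make the two points above concrete (the mutational, corpus-driven fuzzing described in the first answer, and the 'attack heuristics' dictionary described in this one), here is a small added example. It is not code from AFL, go-fuzz, FuzzDB or any other project mentioned in the thread. The target `parse_record` is a constructed toy parser with a deliberate bounds bug, the seed corpus and the heuristic strings are made up for the example, and there is no coverage feedback, so this is a "dumb" mutational fuzzer rather than an AFL-style instrumented one.

```python
import random
from typing import Callable, Dict, List, Tuple

# Constructed target (hypothetical, not from any real project): a length-prefixed
# record parser that trusts the length byte and never checks it against the
# payload actually present. That is the bug the fuzzer should find.
def parse_record(data: bytes) -> Tuple[str, bytes]:
    if len(data) < 2 or data[0] != 0x7E:          # 0x7E is the record's magic byte
        raise ValueError("bad magic")             # graceful rejection, not a crash
    length = data[1]
    payload = data[2:2 + length]
    if length and payload[length - 1] == 0x00:    # BUG: IndexError if payload is short
        return ("terminated", payload)
    return ("raw", payload)

# Attack heuristics: inputs that historically trigger whole bug classes
# (format strings, long strings, boundary integers, embedded NULs, traversal).
ATTACK_HEURISTICS: List[bytes] = [
    b"%n%n%n%n%n",            # format-string probe from the comment above
    b"%s%s%s%s%s%s%s%s",
    b"A" * 1024,              # long-string / overflow probe
    b"\xff\xff\xff\xff",      # all-ones integer
    b"\x00",                  # embedded NUL
    b"../../../../etc/passwd",
]
INTERESTING_BYTES = [0x00, 0x01, 0x7F, 0x80, 0xFF]   # boundary values for single bytes

def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random mutation; falls through to a heuristic splice on empty input."""
    buf = bytearray(data)
    choice = rng.randrange(6)
    if choice == 0 and buf:                       # flip a random bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:                     # overwrite with a boundary value
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING_BYTES)
    elif choice == 2 and buf:                     # overwrite with a random byte
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 3 and len(buf) > 1:            # truncate the tail
        del buf[rng.randrange(1, len(buf)):]
    elif choice == 4 and buf:                     # duplicate a chunk in place
        start = rng.randrange(len(buf))
        end = rng.randrange(start, len(buf)) + 1
        buf[end:end] = buf[start:end]
    else:                                         # splice in an attack heuristic
        pos = rng.randrange(len(buf) + 1)
        buf[pos:pos] = rng.choice(ATTACK_HEURISTICS)
    return bytes(buf)

def fuzz(target: Callable[[bytes], object], corpus: List[bytes],
         iterations: int, seed: int = 0) -> Dict[str, bytes]:
    """Mutate corpus entries and record the first input per unexpected exception type."""
    rng = random.Random(seed)
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        candidate = rng.choice(corpus)
        for _ in range(rng.randint(1, 3)):        # stack a few mutations per candidate
            candidate = mutate(rng, candidate)
        try:
            target(candidate)
        except ValueError:
            continue                              # the parser's own rejection path
        except Exception as exc:                  # anything else is a finding
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes

def reproduces(target: Callable[[bytes], object], data: bytes, exc_name: str) -> bool:
    try:
        target(data)
    except Exception as exc:
        return type(exc).__name__ == exc_name
    return False

def minimize(target: Callable[[bytes], object], data: bytes, exc_name: str) -> bytes:
    """Greedy one-byte-at-a-time reduction that keeps the crash reproducing."""
    current = data
    shrunk = True
    while shrunk:
        shrunk = False
        for i in range(len(current)):
            trial = current[:i] + current[i + 1:]
            if reproduces(target, trial, exc_name):
                current, shrunk = trial, True
                break
    return current

SEED_CORPUS = [b"\x7e\x03abc", b"\x7e\x04ab\x00\x00", b"\x7e\x00"]   # constructed seeds

if __name__ == "__main__":
    found = fuzz(parse_record, SEED_CORPUS, iterations=3000, seed=1)
    for name, sample in found.items():
        print(name, sample, "->", minimize(parse_record, sample, name))
```

The minimizer is the step people usually forget: a 1 KiB crashing input is far less useful to a developer than the two-byte record it reduces to, which here exposes the missing `length <= len(payload)` check directly.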
Well, you sort of hit the nail on the head, but with a few more advanced techniques to amp the process up.
Essentially, a fuzzer is a vulnerability finding tool that automates the process of injecting randomized values into input fields, and then tracking what breaks. Different modules can create different types of input that are likely to cause certain types of faults. Peruse the documentation of one of the established fuzzers to see it in action (see my other comment).
Fuzz testing is often used for things like compilers, and involves feeding random input into it attempting to find bugs. It is useful for finding complex behavior and race conditions and stuff.
Cool! I'll admit I haven't had time to give this more than a gloss yet, but the architecture is interesting. I've always wanted to implement a fuzzer. My current fuzzer of choice is Sulley: https://github.com/OpenRCE/sulley
Yeah, it really depends on your use case. Hypothesis is better for unit testing and development. It's a developer's tool. Sulley is better for finding bugs that could lead to vulnerabilities. It's really an infosec tool.