explaingit

secfigo/awesome-fuzzing

5,812 · Audience · developer · Complexity · 1/5 · Setup · easy

TLDR

A curated list of books, courses, videos, tutorials, and tools for learning fuzzing, a security testing technique that feeds programs unexpected input to discover crashes and vulnerabilities traditional testing misses.

Mindmap

mindmap
  root((awesome-fuzzing))
    Learning Resources
      Books
      Free university courses
      Paid training
    Fuzzing Types
      File format fuzzers
      Network protocol
      Browser fuzzing
    Techniques
      Coverage-guided
      Taint analysis
      Symbolic execution
    Practice
      Vulnerable apps
      Anti-fuzzing study
      Directed fuzzing

Things people build with this

USE CASE 1

Find free university courses and books to build a foundational understanding of fuzzing and vulnerability discovery from scratch.

USE CASE 2

Pick the right fuzzing tool (file format fuzzer, network protocol fuzzer, or browser fuzzer) for your specific type of software target.

USE CASE 3

Follow case-study tutorials that walk through fuzzing Windows kernels, browsers, PDF viewers, and image parsers on real targets.

USE CASE 4

Practice fuzzing safely using the list's intentionally vulnerable applications before targeting real-world software.

Getting it running

Difficulty · easy Time to first run · 5min

In plain English

Awesome Fuzzing is a curated reading and resource list for people who want to learn about fuzzing. Fuzzing is a software testing method where a program is fed large amounts of unexpected, random, or malformed input to see if it crashes or behaves incorrectly. Finding those failures reveals security vulnerabilities and bugs that more traditional testing often misses. The list also covers the early stages of exploit development, particularly root cause analysis, which is the process of understanding why a crash happened.

The list is organized into several sections. Books come first, covering titles specifically dedicated to fuzzing as well as chapters from broader security books that touch on the topic. Next are courses, split between free options (such as academic lecture series from NYU Poly and Florida State University) and paid training programs from organizations including Offensive Security and SANS. A videos section follows, pulling from conference talks, university lectures, and curated YouTube playlists. The tutorials and blog posts section points to write-ups that explain fuzzing techniques through specific case studies, including examples of fuzzing the Windows kernel, web browsers, PDF viewers, and image parsers. The tools section is grouped by fuzzing type: cloud fuzzers, file format fuzzers, network protocol fuzzers, browser fuzzers, taint analysis tools, and symbolic execution engines, along with essential debugging and disassembly tools commonly used alongside fuzzing.

Two additional sections address narrower topics. Vulnerable applications lists intentionally insecure programs that beginners can target to practice without causing real-world harm. Anti-Fuzzing covers techniques that software vendors use to make fuzzing harder, which matters to security researchers studying hardened targets. A directed fuzzing section points to resources on techniques that guide the fuzzer toward specific code paths rather than exploring purely at random.

The repository itself contains no code. It is a Markdown file of links, maintained as a community reference.

Copy-paste prompts

Prompt 1
Based on the awesome-fuzzing list, what is the best free course for a developer who wants to learn fuzzing with no prior security background?
Prompt 2
I want to fuzz a custom network protocol implementation. Which tools from awesome-fuzzing are designed for network protocol fuzzing and how do I choose between them?
Prompt 3
Summarize the difference between coverage-guided fuzzing, taint analysis, and symbolic execution as covered in the awesome-fuzzing resources.
Prompt 4
I'm starting to fuzz a browser's JavaScript engine. Which tutorials or case studies from awesome-fuzzing are most relevant to browser fuzzing?
Prompt 5
What anti-fuzzing techniques does the awesome-fuzzing list describe, and how do security researchers typically work around them?

Verify against the repo before relying on details.