This skill should be used when the user asks to "generate fuzz inputs", "create fuzz tests", "fuzz test generation", "generate test payloads", "create security test cases", or "generate edge case inputs". Also triggers when the user wants intelligent test inputs for input parsers, API endpoints, file format handlers, or needs context-aware injection payloads for security testing.
Install: `npx claudepluginhub florianbuetow/claude-code --plugin appsec`
Generate intelligent, context-aware fuzz test inputs by analyzing input parsing code. Produces boundary values, type confusion inputs, encoding edge cases, format-specific attacks, and injection payloads tailored to the specific parser and data types in scope. Output is structured JSON test case sets ready for integration with test harnesses.
Read ../../shared/schemas/flags.md for the full flag specification.
| Flag | Fuzz Behavior |
|---|---|
| --scope | Identifies which input handlers to generate fuzz inputs for. Default changed. |
| --depth quick | Standard boundary values and common injection strings only. |
| --depth standard | Context-aware inputs based on code analysis of the parser. |
| --depth deep | Standard + format-specific attacks, encoding mutations, and chained payloads. |
| --depth expert | Deep + adversarial inputs designed to bypass specific validation logic found in code. |
| --severity | Generate inputs targeting vulnerabilities at or above this severity. |
| --format | Default json. Use text for human-readable listing. |
Locate input parsing and processing code in scope, including CLI argument parsers such as argparse, commander, cobra and clap. For each handler, identify:
Read the code to understand what the parser expects and what it guards against:
For each input field, generate boundary value test cases:
| Input Type | Boundary Values |
|---|---|
| String | Empty "", single char "a", max length, max length + 1, unicode BOM, null bytes "\x00" |
| Number | 0, -1, MAX_INT, MIN_INT, MAX_INT+1, NaN, Infinity, -Infinity, float precision edge cases |
| Array | Empty [], single element, very large array (10000+), nested arrays, mixed types |
| Object | Empty {}, deeply nested (100+ levels), circular reference attempt, prototype keys |
| Boolean | true, false, 0, 1, "", "false", null, undefined |
| Date | Epoch 0, negative timestamp, far future, invalid dates (Feb 30), timezone edge cases |
| File | Empty file, 0-byte, huge file, wrong extension, polyglot file, symlink |
Inputs designed to exploit type coercion and type assumption bugs:
Generate inputs that send the wrong type: string where number expected, array where string expected, object with toString override, deeply nested arrays, null where required, boolean where string expected, numeric string where number expected, and prototype/constructor pollution objects (__proto__, constructor.prototype).
Inputs exploiting encoding and character set handling:
- URL encoding: double encoding (%2527), mixed encoding, overlong UTF-8.
- HTML entities: named, numeric and hex forms.
- Unicode: surrogate pairs.
- Line terminators: \r\n, \r, \n, \x0b, \x0c, \x85, \u2028, \u2029.
- Case mapping: I/i dotless variants, German ß/SS.

Based on how the input is used downstream (identified in Step 1), generate targeted payloads:
| Sink Context | Payload Category |
|---|---|
| SQL query | SQL injection: UNION, boolean blind, time blind, stacked queries, comment-based |
| Shell command | Command injection: semicolons, pipes, backticks, $(), newlines |
| HTML output | XSS: script tags, event handlers, SVG/MathML, template injection |
| File path | Path traversal: ../, null bytes, long paths, reserved names (CON, NUL) |
| URL construction | SSRF: localhost variants, IPv6, DNS rebinding, scheme confusion |
| Regex input | ReDoS: catastrophic backtracking patterns, exponential quantifiers |
| XML parser | XXE: external entity, parameter entity, SSRF via DTD |
| LDAP query | LDAP injection: wildcards, boolean operators, null bytes |
| Header value | Header injection: CRLF, response splitting |
| JSON parser | JSON interoperability: duplicate keys, large numbers, deep nesting |
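The encoding and character-set section above (double URL encoding, mixed encoding, overlong UTF-8, entity forms, line terminators, case mapping) as a mutation library, with the two checks a parser should pass: strict UTF-8 decoding rejects overlong forms, and distinct inputs must not collide after case folding. This is an added example, not the skill's own code; the seed values and labels are constructed for illustration.

```python
from html.entities import codepoint2name

# Line terminators from the list above, including the non-ASCII ones that
# regex anchors and splitlines() treat differently from \n.
LINE_TERMINATORS = ["\r\n", "\r", "\n", "\x0b", "\x0c", "\x85", "\u2028", "\u2029"]


def percent_encode_all(s: str) -> str:
    """Percent-encode every UTF-8 byte, even characters that need no encoding."""
    return "".join(f"%{b:02X}" for b in s.encode("utf-8"))


def double_percent_encode(s: str) -> str:
    """Encode the '%' of an encoded string again: ' becomes %27, then %2527."""
    return percent_encode_all(s).replace("%", "%25")


def mixed_encoding(s: str) -> str:
    """Encode every other character, so one decode pass yields a mixed string."""
    return "".join(percent_encode_all(c) if i % 2 else c for i, c in enumerate(s))


def overlong_utf8(s: str) -> bytes:
    """Two-byte 'overlong' form of each ASCII char (lead byte C0/C1).

    '/' (0x2F) becomes C0 AF; a lenient decoder maps it back to '/', a strict
    one (RFC 3629) rejects it. Non-ASCII characters are passed through.
    """
    out = bytearray()
    for ch in s:
        cp = ord(ch)
        if cp < 0x80:
            out += bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)])
        else:
            out += ch.encode("utf-8")
    return bytes(out)


def strict_utf8_rejects(data: bytes) -> bool:
    """The check a parser should apply: strict decoding fails on overlong forms."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


def html_entity_variants(s: str) -> dict:
    """Named (where HTML defines a name), decimal and hex entity forms."""
    return {
        "named": "".join(f"&{codepoint2name[ord(c)]};" if ord(c) in codepoint2name else c
                         for c in s),
        "numeric": "".join(f"&#{ord(c)};" for c in s),
        "hex": "".join(f"&#x{ord(c):X};" for c in s),
    }


def line_terminator_variants(s: str) -> dict:
    """Seed plus each terminator plus a second line, for handlers that split lines."""
    return {f"terminator_{i}": f"{s}{t}second-line" for i, t in enumerate(LINE_TERMINATORS)}


def case_mapping_variants(s: str) -> dict:
    """Characters whose case mapping is not a one-to-one ASCII round trip."""
    return {
        "dotless_i": s.replace("i", "\u0131"),  # dotless ı upper-cases to plain I
        "dotted_I": s.replace("I", "\u0130"),   # dotted İ lower-cases to i + U+0307
        "sharp_s": s.replace("ss", "\u00df"),   # ß upper-cases to SS
    }


def collides_after_casefold(a: str, b: str) -> bool:
    """Why case variants matter: two different inputs compare equal after folding."""
    return a != b and (a.upper() == b.upper() or a.casefold() == b.casefold())


def encoding_mutations(seed: str) -> dict:
    """Every encoding mutation for one seed value, keyed by label."""
    out = {"double_url": double_percent_encode(seed),
           "mixed_url": mixed_encoding(seed),
           "overlong_utf8": overlong_utf8(seed)}
    out.update({f"entity_{k}": v for k, v in html_entity_variants(seed).items()})
    out.update(line_terminator_variants(seed))
    out.update(case_mapping_variants(seed))
    return out
```

`overlong_utf8` returns bytes rather than text on purpose: the point of that case is what the target's decoder does with an invalid byte sequence, so the harness must send it raw rather than re-encoding it.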
At --depth deep and above, generate inputs targeting specific file/data formats:
- YAML: unsafe type tags (!!python/object).
- CSV: formula injection (=CMD()), field separator in values, newlines in quoted fields.

Organize all generated inputs into structured JSON test case sets:
```json
{
  "target": {
    "file": "src/api/users.ts",
    "function": "createUser",
    "input_field": "email",
    "expected_type": "string",
    "downstream_use": ["sql_query", "html_email"]
  },
  "generated_at": "2026-02-14T10:30:00Z",
  "total_cases": 85,
  "test_cases": [
    {
      "id": "FUZZ-001",
      "category": "boundary",
      "label": "empty_string",
      "input": "",
      "expected_behavior": "validation_error",
      "targets_cwe": "CWE-20"
    },
    {
      "id": "FUZZ-002",
      "category": "injection_sql",
      "label": "union_select",
      "input": "test@test.com' UNION SELECT * FROM users--",
      "expected_behavior": "parameterized_query_prevents_injection",
      "targets_cwe": "CWE-89"
    }
  ]
}
```
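A harness that consumes a test-case set in this shape, runs each case against the handler, compares observed with expected behaviour, and turns each mismatch into a finding record carrying `metadata.tool: "fuzz"` and the case's CWE. This is an added example, not the skill's code: `create_user` is a hypothetical Python stand-in for the `createUser` target (deliberately loose validation in front of a parameterized SQLite insert, so FUZZ-002 reaches the query as the sample expects), and FUZZ-003 is a constructed third case. The finding fields beyond `id`, `targets_cwe` and `metadata.tool` are placeholders; the real schema is in findings.md.

```python
import sqlite3
from typing import Any


def create_user(conn: sqlite3.Connection, email: Any) -> None:
    """Hypothetical stand-in for the createUser target (not the project's code).

    Validation is deliberately loose (type, '@', length only); the insert is
    parameterized, so an injection payload is stored as inert data.
    """
    if not isinstance(email, str) or "@" not in email or len(email) > 254:
        raise ValueError("invalid email")
    conn.execute("INSERT INTO users (email) VALUES (?)", (email,))


# Map expected_behavior labels from the test set onto what the harness can observe.
EXPECTED_TO_OBSERVED = {
    "validation_error": "validation_error",
    "parameterized_query_prevents_injection": "stored_unchanged",
}


def run_case(conn: sqlite3.Connection, case: dict) -> str:
    """Execute one case and classify the handler's observable behaviour."""
    before = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    try:
        create_user(conn, case["input"])
    except ValueError:
        return "validation_error"
    except Exception as exc:  # any other exception is a crash worth a finding
        return f"unhandled_exception:{type(exc).__name__}"
    after = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    stored = conn.execute("SELECT 1 FROM users WHERE email = ?", (case["input"],)).fetchone()
    if after == before + 1 and stored is not None:
        return "stored_unchanged"  # exactly one new row, payload kept verbatim as data
    return "stored_altered"


def run_test_set(test_set: dict) -> list:
    """Run every case; return one finding record per expectation mismatch."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    findings = []
    for case in test_set["test_cases"]:
        expected = EXPECTED_TO_OBSERVED.get(case["expected_behavior"], case["expected_behavior"])
        observed = run_case(conn, case)
        if observed != expected:
            findings.append({
                "id": case["id"],
                "title": f"{test_set['target']['function']}: {case['label']} behaved unexpectedly",
                "target": test_set["target"],
                "input": case["input"],
                "expected": expected,
                "observed": observed,
                "targets_cwe": case["targets_cwe"],
                "metadata": {"tool": "fuzz"},
            })
    return findings


# Constructed sample: the two cases from the JSON above plus a third one
# (CRLF in a value whose downstream use includes an e-mail) added for this example.
SAMPLE_TEST_SET = {
    "target": {"file": "src/api/users.ts", "function": "createUser",
               "input_field": "email", "expected_type": "string",
               "downstream_use": ["sql_query", "html_email"]},
    "test_cases": [
        {"id": "FUZZ-001", "category": "boundary", "label": "empty_string",
         "input": "", "expected_behavior": "validation_error", "targets_cwe": "CWE-20"},
        {"id": "FUZZ-002", "category": "injection_sql", "label": "union_select",
         "input": "test@test.com' UNION SELECT * FROM users--",
         "expected_behavior": "parameterized_query_prevents_injection",
         "targets_cwe": "CWE-89"},
        {"id": "FUZZ-003", "category": "injection_header", "label": "crlf_in_email",
         "input": "a@example.test\r\nCc: b@example.test",
         "expected_behavior": "validation_error", "targets_cwe": "CWE-93"},
    ],
}

if __name__ == "__main__":
    for finding in run_test_set(SAMPLE_TEST_SET):
        print(finding["id"], finding["expected"], "->", finding["observed"], finding["targets_cwe"])
```

With the loose validator, FUZZ-001 and FUZZ-002 match their expectations and only FUZZ-003 becomes a finding: the CRLF value was accepted and stored, which is exactly the "input causes unexpected behavior" condition under which the skill emits a finding instead of a plain test case.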
Write test case files to .appsec/fuzz/ organized by target.
Fuzz inputs are not findings themselves but may reference CWEs they target.
Finding ID prefix: FUZZ (e.g., FUZZ-001) for test case identification.
metadata.tool: "fuzz"
If fuzz testing reveals an actual vulnerability (input causes unexpected behavior), emit a finding using ../../shared/schemas/findings.md.
Scale the number of generated inputs with the --depth flag. Quick depth should produce 10-20 inputs. Expert depth can produce hundreds.