Occurrence

Main Menu

Tutorials

Reference

Fuzzing

Occurrence

Lets imagine we have a target node defined in the XSD file as

  <xs:element name="targetnode">
    <xs:complexType>
      <xs:sequence maxOccurs="2">
        <xs:element name="Child1" type="xs:string" minOccurs="0" maxOccurs="unbounded" />
        <xs:element name="Child2" type="xs:string" maxOccurs="2" />
        <xs:element name="Child3" type="xs:string" />
      </xs:sequence>
    </xs:complexType>
  </xs:element>

And an XML file with

  <pfx:targetnode>
    <pfx:Child1>1</map:Child1>
    <pfx:Child2>2</map:Child2>
    <pfx:Child3>3</map:Child3>
  </pfx:targetnode>

And we use the following Occurrence fuzzing values
• 0
• 1
• 2
• 3
• 10

Occurrence fuzzing uses the XSD file to go through all possible combinations of the children of targetnode. It does not go through combinations of grandchildren (child nodes of its child nodes).

For Occurrence fuzzing it is important to understand that minOccurs and maxOccurs have default values of 1. So an equivalent XSD file would be:

  <xs:element name="targetnode">
    <xs:complexType>
      <xs:sequence minOccurs="1" maxOccurs="2">                                                       // Can occur 1 or 2 times
        <xs:element name="Child1" type="xs:string" minOccurs="0" maxOccurs="unbounded" />             // Can occur 0, 1, 2, 3 and 10 times
        <xs:element name="Child2" type="xs:string" minOccurs="1" maxOccurs="2" />                     // Can occur 1 or 2 times
        <xs:element name="Child3" type="xs:string" minOccurs="1" maxOccurs="1" />                     // Can occur exactly 1 time
      </xs:sequence>
    </xs:complexType>
  </xs:element>

Fuzzware's occurrence fuzzing will basically go through the nodes from top to bottom creating a testcase for all the different number fo times a node can occur. Let's look at the output:

pfx-targetnode-0-Occurrence-0 - This is fuzzing the sequence with occurrence = 1

    <pfx:targetnode>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child2>2</pfx:Child2>
      <pfx:Child3>3</pfx:Child3>
    </pfx:targetnode>

pfx-targetnode-0-Occurrence-1 - This is fuzzing the sequence with occurrence = 2

    <pfx:targetnode>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child2>2</pfx:Child2>
      <pfx:Child3>3</pfx:Child3>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child2>2</pfx:Child2>
      <pfx:Child3>3</pfx:Child3>
    </pfx:targetnode>

pfx-targetnode-0-Occurrence-2 - This is fuzzing Child1 with occurrence = 0

    <pfx:targetnode>
      <pfx:Child2>2</pfx:Child2>
      <pfx:Child3>3</pfx:Child3>
    </pfx:targetnode>

pfx-targetnode-0-Occurrence-3 - This is fuzzing Child1 with occurrence = 1

    <pfx:targetnode>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child2>2</pfx:Child2>
      <pfx:Child3>3</pfx:Child3>
    </pfx:targetnode>

pfx-targetnode-0-Occurrence-4 - This is fuzzing Child1 with occurrence = 2

    <pfx:targetnode>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child2>2</pfx:Child2>
      <pfx:Child3>3</pfx:Child3>
    </pfx:targetnode>

pfx-targetnode-0-Occurrence-5 - This is fuzzing Child1 with occurrence = 3

    <pfx:targetnode>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child2>2</pfx:Child2>
      <pfx:Child3>3</pfx:Child3>
    </pfx:targetnode>

pfx-targetnode-0-Occurrence-6 - This is fuzzing Child1 with occurrence = 10

    <pfx:targetnode>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child2>2</pfx:Child2>
      <pfx:Child3>3</pfx:Child3>
    </pfx:targetnode>

pfx-targetnode-0-Occurrence-7 - This is fuzzing Child2 with occurrence = 1

    <pfx:targetnode>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child2>2</pfx:Child2>
      <pfx:Child3>3</pfx:Child3>
    </pfx:targetnode>

pfx-targetnode-0-Occurrence-8 - This is fuzzing Child2 with occurrence = 2

    <pfx:targetnode>
      <pfx:Child1>1</pfx:Child1>
      <pfx:Child2>2</pfx:Child2>
      <pfx:Child2>2</pfx:Child2>
      <pfx:Child3>3</pfx:Child3>
    </pfx:targetnode>

Note when Fuzzware changes the number of times one child appears, Fuzzware does not alter the number of times the other children appear. Note also that Child3 had minOccurs = 1 and maxOccurs = 1 so there was no occurrence fuzzing to do for it, since it always had to occur exactly once.

Fuzzware uses a quite complicated algorithm to achieve the occurrence fuzzing as it attempts to handle an arbitrary depth of sequence and choice nodes, which complicate things significantly. When a choice node is encountered all the possible children are attempted but Fuzzware needs examples of these children, for this it will take examples from anywhere in the XML.

Design by guenstige.shop-stadt.de & windows forum