Question 1

How to fuzz a network service with AFL++?

Accepted Answer

Use the network fuzzing guidance in docs/best_practices.md, which involves setting up a proxy or modifying the target to accept inputs via sockets, but it requires manual configuration and isn't as straightforward as stdin-based fuzzing.

Question 2

AFL++ vs libFuzzer: which should I use?

Accepted Answer

AFL++ excels in coverage-guided fuzzing with binary support and advanced mutators, while libFuzzer is better integrated into LLVM for in-process fuzzing of libraries. Choose AFL++ for complex, standalone targets and libFuzzer for lightweight, source-available components.

Question 3

Can AFL++ fuzz Windows programs effectively?

Accepted Answer

Yes, through QEMU mode or Wine compatibility, but performance may be slower and setup more complex compared to native Linux targets, as noted in the binary-only fuzzing documentation.

Question 4

What's the best way to analyze crashes found by AFL++?

Accepted Answer

Use the crashes/ directory output and replay them with tools like gdb; the README suggests generating cores or using debuggers directly, but additional tooling like afl-tmin may be needed for minimization.

Question 5

How do I create a dictionary for AFL++ fuzzing?

Accepted Answer

Follow the guidelines in dictionaries/README.md to craft syntax-aware dictionaries for protocols like HTTP or SQL, which can significantly improve mutation efficiency for structured inputs.

Question 6

Is AFL++ good for fuzzing embedded systems?

Accepted Answer

It can be used via unicorn_mode for emulation, but resource constraints and architecture support may limit effectiveness, requiring custom adjustments not covered in standard tutorials.

AFL++

What is AFL++?

Overview

Use Cases

Best For

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions