The reading and unpacking of messages consumes data from third-party sources. While this data is often from a trusted party, it's still important to have parsers which do not crash on unexpected input. OWASP lists parsing of untrusted data among the major security risks software applications face.
Fuzzing is a testing methodology which generates inputs to exercise all code paths of a parser and surface crashes. We should fuzz the iso8583 parser and pack/unpack code.
The Go standard library has support for fuzzing. We've previously used a third-party library for fuzzing, but with native support we should build a fuzzer using Go's toolchain.
Docs: https://go.dev/doc/fuzz/
Example for reading data: https://github.com/moov-io/iso8583#parse-the-message-and-access-the-data
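A sketch of what such a native fuzz target could look like, added here as an illustration and not taken from the moov-io/iso8583 code base. It uses a hypothetical toy subset of the wire format (4-byte MTI, 8-byte binary primary bitmap, field 2 as LLVAR) so it runs stand-alone; the oracle is that `Unpack` never panics and that anything it accepts packs back to identical bytes.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"testing"
)

// Unpack reads a toy ISO 8583 subset (not the moov-io/iso8583 API): 4-byte MTI, 8-byte
// binary primary bitmap, then field 2 as LLVAR (two ASCII length digits, then the value).
func Unpack(raw []byte) (mti string, pan []byte, err error) {
	if len(raw) < 12 || binary.BigEndian.Uint64(raw[4:12])&^(1<<62) != 0 {
		return "", nil, fmt.Errorf("short header or bitmap sets a field with no spec")
	}
	mti, pos := string(raw[:4]), 12
	if raw[4]&0x40 != 0 { // bit 2 of the bitmap: field 2 is present
		if len(raw) < 14 || raw[12]-'0' > 9 || raw[13]-'0' > 9 { // byte wraps past 9
			return "", nil, fmt.Errorf("field 2: non-numeric LLVAR length prefix")
		}
		n := int(raw[12]-'0')*10 + int(raw[13]-'0')
		if len(raw) < 14+n {
			return "", nil, fmt.Errorf("field 2: length %d exceeds message", n)
		}
		pan, pos = raw[14:14+n], 14+n
	}
	if pos != len(raw) {
		return "", nil, fmt.Errorf("%d trailing bytes", len(raw)-pos)
	}
	return mti, pan, nil
}

// Pack is the inverse of Unpack; a nil pan leaves bit 2 clear.
func Pack(mti string, pan []byte) []byte {
	out := append([]byte(mti), make([]byte, 8)...)
	if pan != nil {
		out[4] = 0x40
		out = append(out, fmt.Sprintf("%02d%s", len(pan), pan)...)
	}
	return out
}

// FuzzUnpack is the native Go fuzz target; run it with: go test -fuzz=FuzzUnpack
func FuzzUnpack(f *testing.F) {
	f.Add(Pack("0100", []byte("4111111111111111"))) // seed corpus: one valid message
	f.Fuzz(func(t *testing.T, raw []byte) { // a panic inside Unpack is reported as a crasher
		if mti, pan, err := Unpack(raw); err == nil && string(Pack(mti, pan)) != string(raw) {
			t.Fatalf("accepted input does not round-trip: %x", raw)
		}
	})
}
```

Without `-fuzz` the seed corpus alone is run as a regular test, which is how the target doubles as a regression test for every crasher the engine later saves under `testdata/fuzz/`.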