This document describes the fuzz testing infrastructure developed for Apache Axis2/Java, mirroring the approach used for Axis2/C. The implementation is complete and tested but has not yet been submitted to Google's OSS-Fuzz service.
OSS-Fuzz is Google‘s continuous fuzzing service for open source projects. It runs fuzz targets 24/7 on Google’s infrastructure, automatically finding security vulnerabilities and stability bugs. When bugs are found, OSS-Fuzz files issues and provides reproducer test cases.
Fuzz testing (fuzzing) feeds random, malformed, or unexpected data to parsers and processors to find:
Axis2/C has an active OSS-Fuzz integration at: https://github.com/google/oss-fuzz/tree/master/projects/axis2c
The Axis2/C fuzzers target:
fuzz_xml_parser.c - Guththila XML parserfuzz_http_header.c - HTTP header parsingfuzz_url_parser.c - URL/URI parsingfuzz_om_parser.c - AXIOM object modelfuzz_json_parser.c - JSON parsingmodules/fuzz/
├── pom.xml
├── README.md
├── run-fuzzers.sh
└── src/main/java/org/apache/axis2/fuzz/
├── XmlParserFuzzer.java
├── JsonParserFuzzer.java
├── HttpHeaderFuzzer.java
└── UrlParserFuzzer.java
Tests AXIOM/StAX XML parsing for:
public static void fuzzerTestOneInput(FuzzedDataProvider data) { byte[] xmlBytes = data.consumeBytes(MAX_INPUT_SIZE); // Parse with AXIOM and exercise the DOM OMXMLParserWrapper builder = OMXMLBuilderFactory.createOMBuilder(...); OMElement root = builder.getDocumentElement(); exerciseElement(root, 0); }
Tests Gson JSON parsing for:
public static void fuzzerTestOneInput(FuzzedDataProvider data) { byte[] jsonBytes = data.consumeBytes(MAX_INPUT_SIZE); JsonElement element = JsonParser.parseString(jsonString); exerciseElement(element, 0); }
Tests HTTP header parsing for:
public static void fuzzerTestOneInput(FuzzedDataProvider data) { byte[] headerBytes = data.consumeBytes(MAX_INPUT_SIZE); testContentTypeParsing(headerString); testHeaderLineParsing(headerString); testMultipleHeaders(headerString); }
Tests URL/URI parsing for:
public static void fuzzerTestOneInput(FuzzedDataProvider data) { byte[] urlBytes = data.consumeBytes(MAX_INPUT_SIZE); testJavaUrl(urlString); testJavaUri(urlString); testEndpointReference(urlString); testUrlEncoding(urlString); }
Jazzer automatically instruments code with security sanitizers that detect:
All four fuzzers were tested locally with Jazzer against Axis2/Java 2.0.0:
| Fuzzer | Iterations | Duration | Crashes | Security Findings | Result |
|---|---|---|---|---|---|
| XmlParserFuzzer | 2,160,477 | 61s | 0 | 0 | PASS |
| JsonParserFuzzer | 1,681,234 | 61s | 0 | 0 | PASS |
| HttpHeaderFuzzer | 1,206,672 | 61s | 0 | 0 | PASS |
| UrlParserFuzzer | 40,630,962 | 61s | 0 | 0 | PASS |
Total: 45,679,345 fuzzing iterations with zero crashes or security findings.
The successful test run confirms:
No Memory Safety Issues
No Injection Vulnerabilities Detected
Robust Error Handling
Active Security Sanitizers (No Triggers)
The parsers in Axis2/Java 2.0.0 are handling malformed input robustly. While 45.7 million iterations provides good initial confidence, continuous fuzzing via OSS-Fuzz (running 24/7 for months) would provide deeper assurance by exploring billions of code paths.
Google's OSS-Fuzz team is currently reviewing the Axis2/C integration. We are waiting for their response before submitting Axis2/Java to:
OSS-Fuzz submissions require:
Apache Axis2 qualifies on all criteria given its use in enterprise SOAP/REST services.
cd modules/fuzz mvn package -DskipTests
JAVA_OPTS="" jazzer \ --cp=target/axis2-fuzz-2.0.1-SNAPSHOT.jar \ --target_class=org.apache.axis2.fuzz.XmlParserFuzzer \ -max_total_time=3600
./run-fuzzers.sh
Security issues found by fuzzing should be reported to: security@apache.org
Following Apache's coordinated disclosure policy.
Document created: February 5, 2026 Fuzz module tested against Axis2/Java 2.0.0