# ABE — Fuzzing / Disruption Module Specification

## Purpose

This is ABE's core differentiator. Instead of only clicking valid elements, ABE injects abnormal inputs into forms to provoke unexpected server behavior.

## Architecture

```
src/plugins/fuzzers/
├── FuzzingEngine.ts          ← orchestrator, decides when and how to fuzz
├── strategies/
│   ├── EmptyValueStrategy.ts
│   ├── OversizedStringStrategy.ts
│   ├── SpecialCharsStrategy.ts
│   ├── TypeMismatchStrategy.ts
│   └── BoundaryValueStrategy.ts
└── InputTypeDetector.ts      ← detects field type from DOM attributes
```

## InputTypeDetector

Detects field type from: input[type], input[name], input[placeholder], label text, aria-label.

```typescript
type DetectedInputType =
  | 'email'
  | 'password'
  | 'number'
  | 'date'
  | 'phone'
  | 'url'
  | 'search'
  | 'text'
  | 'textarea'
  | 'select'
  | 'file'
```

## Fuzzing Strategies

### EmptyValueStrategy

Submits forms with all fields empty. Catches missing server-side validation.

Applies to: all input types.

Values: `""`, `" "` (space only), `"\t"` (tab).

### OversizedStringStrategy

Submits strings far beyond expected length. Catches buffer issues and UI overflow.

Applies to: text, email, password, textarea.

Values by intensity:

- low: 256 chars
- medium: 1024 chars
- high: 10000 chars + unicode chars

### SpecialCharsStrategy

Injects characters that break SQL, HTML, and shell contexts.

Applies to: text, email, search, textarea.

Values:

```
' OR 1=1 --
../../etc/passwd
${7*7}
\x00\x01\x02
```

### TypeMismatchStrategy

Submits wrong data types for the field.

- email field → "not-an-email", "12345", "@@@"
- number field → "abc", "-999999", "9.9.9", "NaN"
- date field → "yesterday", "32/13/2025", "0000-00-00"
- url field → "javascript:alert(1)", "not a url"
- phone field → "000", "++++", "abcdefghij"

### BoundaryValueStrategy

Tests values at the edges of expected ranges.

- number field → 0, -1, 2147483647, 2147483648, -2147483648
- date field → "1900-01-01", "2099-12-31", "1970-01-01"

## Fuzzing Execution Flow

```
For each form discovered in state:
  1. InputTypeDetector analyzes each field
  2. FuzzingEngine selects strategies based on fuzzingIntensity:
     - low: EmptyValue + TypeMismatch only
     - medium: + OversizedString + BoundaryValue
     - high: + SpecialChars
  3. For each strategy, fill all fields with fuzz values
  4. Submit the form
  5. Observe response via AnomalyDetector
  6. Record results
```

## AnomalyDetector additions for fuzzing

Add these new anomaly types:

- `validation_bypass` — server accepted clearly invalid input (e.g. submitted empty required email, got 200)
- `server_error_on_fuzz` — server returned 500 on a fuzzed input
- `xss_reflection` — fuzzed script tag appears in response body

## Integration point

FuzzingEngine is called from ExplorationEngine AFTER normal action discovery, only when `config.fuzzingEnabled === true`. It is passed as an optional plugin, so the core engine doesn't depend on it directly.
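
Steps 2 and 3 of the Fuzzing Execution Flow, sketched as an added example that is not ABE's own code: strategies are selected cumulatively by `fuzzingIntensity`, then each strategy's "Applies to" list is matched against the detected field types. The helper names are hypothetical, the type lists for TypeMismatch and BoundaryValue are inferred from their per-field value lists, and skipping fields a strategy does not apply to is an assumption.

```typescript
// Added example: helper names (APPLIES_TO, TIERS, planFormFuzz, ...) are hypothetical.
type DetectedInputType =
  | 'email' | 'password' | 'number' | 'date' | 'phone' | 'url'
  | 'search' | 'text' | 'textarea' | 'select' | 'file';
type Intensity = 'low' | 'medium' | 'high';
type StrategyName =
  | 'EmptyValue' | 'TypeMismatch' | 'OversizedString' | 'BoundaryValue' | 'SpecialChars';
const ALL_TYPES: DetectedInputType[] = ['email', 'password', 'number', 'date', 'phone',
  'url', 'search', 'text', 'textarea', 'select', 'file'];

// Field types each strategy targets, taken from the strategy sections of the spec.
const APPLIES_TO: Record<StrategyName, DetectedInputType[]> = {
  EmptyValue: ALL_TYPES,
  TypeMismatch: ['email', 'number', 'date', 'url', 'phone'],
  OversizedString: ['text', 'email', 'password', 'textarea'],
  BoundaryValue: ['number', 'date'],
  SpecialChars: ['text', 'email', 'search', 'textarea'],
};

// Intensity tiers are cumulative: each level adds strategies to the one below it.
const ORDER: Intensity[] = ['low', 'medium', 'high'];
const TIERS: Record<Intensity, StrategyName[]> = {
  low: ['EmptyValue', 'TypeMismatch'],
  medium: ['OversizedString', 'BoundaryValue'],
  high: ['SpecialChars'],
};
function selectStrategies(intensity: Intensity): StrategyName[] {
  return ORDER.slice(0, ORDER.indexOf(intensity) + 1)
    .reduce<StrategyName[]>((acc, level) => acc.concat(TIERS[level]), []);
}

interface FormField { name: string; type: DetectedInputType; }
interface PlannedRun { strategy: StrategyName; fields: string[]; }

// One planned submission per selected strategy, naming only the fields it targets.
// A strategy that matches no field in the form is left out of the plan.
function planFormFuzz(fields: FormField[], intensity: Intensity): PlannedRun[] {
  const plan: PlannedRun[] = [];
  for (const strategy of selectStrategies(intensity)) {
    const targets = fields
      .filter((f) => APPLIES_TO[strategy].indexOf(f.type) !== -1)
      .map((f) => f.name);
    if (targets.length > 0) plan.push({ strategy, fields: targets });
  }
  return plan;
}

// Constructed sample: a login form as InputTypeDetector might report it.
const loginForm: FormField[] = [
  { name: 'email', type: 'email' }, { name: 'password', type: 'password' }];
```

For this login form, `planFormFuzz(loginForm, 'high')` yields four submissions rather than five, because BoundaryValue has no number or date field to target.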