# `fuzzer` - HTTP Fuzz Testing

[`artillery-plugin-fuzzer`](https://github.com/artilleryio/artillery-plugin-fuzzer) makes it easy to run simple [fuzz tests](https://en.wikipedia.org/wiki/Fuzzing) (also known as [monkey tests](https://en.wikipedia.org/wiki/Monkey_testing)) on HTTP endpoints.

The plugin lets you use Artillery to send a lot of unexpected and weird payloads to your API endpoints. You can then monitor your backend for exceptions, errors or crashes, and improve security and reliability of your system by fixing any issues uncovered.

The payloads generated by this plugin are based on the [Big List Of Naughty Strings](https://github.com/minimaxir/big-list-of-naughty-strings/), which contains a large number of inputs that are more likely to trigger unexpected behavior in your software.

> **Info:** This plugin is only compatible with the `http` engine.
> This plugin is not compatible with `before`/`after` hooks.

## Usage

### Install

```sh
npm install artillery-plugin-fuzzer
```

### Use the plugin

Enable the plugin in your test script with:

```yaml
config:
  plugins:
    fuzzer: {}
```

There is no further configuration required.

The plugin creates a unique `naughtyString` variable for each virtual user, which may be used in scenarios as normal, for example:

```yaml
- post:
    url: '/session'
    json:
      username: '{{ naughtyString }}'
      password: 'secret'
```

A new value for the `naughtyString` variable will be generated for each new request in a scenario.
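The fragment above placed in a complete test script, as an added example that is not taken from the plugin's own documentation. The target URL, the `/search` endpoint, the scenario name and the phase values are assumptions chosen for illustration.

```yaml
# Added example: a complete Artillery script using the fuzzer plugin.
# Assumptions: target URL, /search endpoint and phase values are illustrative.
config:
  target: 'http://localhost:3000' # assumed local test instance of your API
  phases:
    - duration: 60 # run for 60 seconds
      arrivalRate: 5 # start 5 new virtual users per second
  plugins:
    fuzzer: {}

scenarios:
  - name: 'Fuzz session and search inputs'
    flow:
      # Naughty string in a JSON body field (the request from the fragment above)
      - post:
          url: '/session'
          json:
            username: '{{ naughtyString }}'
            password: 'secret'
      # Naughty string in a query-string parameter (hypothetical endpoint)
      - get:
          url: '/search'
          qs:
            q: '{{ naughtyString }}'
```

Exercising both a body field and a query parameter covers two separate parsing paths on the backend, so a 5xx response or an exception in the server logs points to the input handler that failed.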

### Debugging

Set `DEBUG=plugin:fuzzer` when running your tests to print out the generated `naughtyString` variable used during the test run.

```sh
DEBUG=plugin:fuzzer artillery run my-script.yaml
```
