Lately at Pentagrid AG we have been doing research into Java fuzzing. While the ideas of what kind of security vulnerabilities can be found came up already before Pentagrid AG was founded (blog post over in Tobias Ospelt's blog: Java Bugs with and without Fuzzing – AFL-based Java fuzzers and the Java Security Manager), a lot of new research was done in the meantime. While most fuzzers that Tobias evaluated back then didn't really move on until today, the JQF fuzzer took a big leap forward. We strongly recommend trying JQF.
Tobias broke down the process of Java fuzzing into simple steps and presented it at Swiss Cyber Storm mid October 2019 in Bern, Switzerland. While the recording is not published on Youtube yet, you can still grab a ticket for the Black Alps 2019 security conference in Yverdonne-Les-Bain, Switzerland during 07 and 08 November 2019, where he is going to present his findings as well.
JQF's capabilities are really impressive. Stay tuned for a more detailed blog post here after the Blackalps talk.
Update: The recording of the talk at Blackalps is now online.