Fuzz testing for HTTP APIs with Artillery πŸ‡
Switch branches/tags
Nothing to show
Clone or download
Latest commit d5a3867 May 25, 2018
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
data feat: Simple fuzzing with BLNS data May 6, 2017
.gitignore chore: Add .gitignore May 6, 2017
README.md Update README.md May 25, 2018
example.yaml doc: Add an example test script May 6, 2017
index.js Update index.js May 14, 2018
package.json 1.0.1 May 6, 2017

README.md

Artillery Fuzzer - easy fuzzing for HTTP APIs

This plugin makes it dead-easy to run some fuzz testing (or monkey testing) on your HTTP API with Artillery.

The plugin lets you use Artillery to send a lot of junk (unexpected and weird payloads) to your API endpoints. You can then monitor your backend for exceptions, errors or crashes, and improve the security and reliability of your system by fixing any issues uncovered.

The payloads generated by this plugin are based on the awesome Big List Of Naughty Strings, which contains a large number of inputs that are more likely to trigger unexpected behavior in your software.

Usage

Important: this plugin requires Artillery v1.6.0-0 or later.

Install the plugin with:

npm install artillery-plugin-fuzzer

Enable the plugin in your test script with:

config:
  plugins:
    fuzzer: {}

Then just use the {{ naughtyString }} variable as you would any other variable in your scenario:

- post:
    url: "/session"
    json:
      username: "{{ naughtyString }}"
      password: "secret"

A new value for the naughtyString variable will be generated for each new request in a scenario.

See the complete example in example.yaml

Why?

Runnning a quick test with this plugin against your app's backend can help uncover bugs, security issues and QA problems.

A Real World Example

Here's a sample payload sent by this plugin:

πŸ‘Ύ πŸ™‡ πŸ’ πŸ™… πŸ™† πŸ™‹ πŸ™Ž πŸ™

Something innocent like this could crash your application if it persists data in a MySQL database using the default settings. How? MySQL InnoDB engine uses the latin1 encoding by default.

Did you set the utf8 encoding on your database? You're still in trouble because those characters are outside the BMP and you need to have specified utf8mb4 and potentially made changes to your schema to be able to store them properly.

Modern software systems are incredibly complex. If you haven't tried it, assume it's broken.

Happy fuzzing!

Roadmap

Sending bnls payloads is a good start for a fuzzer, but it's only the first small step. We want to make Artillery a great tool for API fuzz testing. Got an idea for this plugin? Share your feedback in Issues.

License

MPL 2.0