An asynchronous, property based fuzzing tool
Snafuzz is a tool that you can use to fuzz your code or project with random data. When a test fails, Snafuzz will automatically search for the minimal input that causes the test to fail.
A simple example:
test("should find a SQL injection", async () => {
const params = new URLSearchParams({ q: string() });
const result = await fetch(tag("http://localhost:3000/?" + params));
expect(result.ok);
});Note that:
- A single
test()is ran for N times or for N seconds until it fails string()function retunrs a different random value each run- If
expect()fails, the test will begin to shrink the input until it finds the minimal input that causes the test to fail
Clone the project and install the dependencies:
yarn # installs node dependenciesWhen you have everything installed, you can run the example test suites from
under packages/example-*.
Snafuzz is meant to make asynchronous property based fuzzing easy:
- It tries to get out of your way as much as possible
- React has made it OK to use hooks, and Snafuzz uses hook-like global API to describe test cases (properties)
- Snafuzz is asynchronous, so you can use it to test your web applications or other asynchronous code
- Need throttling? Just use
await sleep(1000)in your test case, it's "just code"
If you'd like to contribute, please fork the repository and use a feature branch. Pull requests are warmly welcome.
The code in this project is licensed under MIT license.