- Basic credentials:
{"login": "admin",
"password": "admin"}
- Empty credentials:
{"login": "",
"password": ""}
- Null values:
{"login": null,
"password": null}
- Credentials as numbers:
{"login": 123,
"password": 456}
- Credentials as booleans:
{"login": true,
"password": false}
- Credentials as arrays:
{"login": ["admin"],
"password": ["password"]}
- Credentials as objects:
{"login": {"username": "admin",
"password": {"password": "password"}
}}
- Special characters in credentials:
{"login": "@dm!n",
"password": "p@ssw0rd#"}
- SQL Injection:
{"login": "admin' --",
"password": "password"}
- HTML tags in credentials:
{"login": "<h1>admin</h1>",
"password": "ololo-HTML-XSS"}
- Unicode in credentials:
{"login": "\u0061\u0064\u006D\u0069\u006E",
"password":"\u0070\u0061\u0073\u0073\u0077\u006F\u0072\u0064"}
- Credentials with escape characters:
{"login": "ad\\nmin",
"password": "pa\\ssword"}
- Credentials with white space:
{"login": " ",
"password": " "}
- Overlong values:
{"login": "a"*10000,
"password": "b"*10000}
- Malformed JSON (missing brace):
{"login": "admin",
"password": "admin"}
- Malformed JSON (extra comma):
{"login": "admin",
"password": "admin",}
- Missing login key:
{"password": "admin"}
- Missing password key:
{"login": "admin"}
- Swapped key values:
{"admin": "login",
"password": "password"}
- Extra keys:
{"login": "admin",
"password": "admin",
"extra": "extra"}
- Missing colon:
{"login" "admin",
"password": "password"}
- Invalid Boolean as credentials:
{"login": yes,
"password": no}
- All keys, no values:
{"": "",
"": ""}
- Nested objects:
{"login": {"innerLogin": "admin",
"password": {"innerPassword": "password"}}}
- Case sensitivity testing:
{"LOGIN": "admin",
"PASSWORD": "password"}
- Login as a number, password as a string:
{"login": 1234,
"password": "password"}
- Login as a string, password as a number:
{"login": "admin",
"password": 1234}
- Repeated keys:
{"login": "admin",
"login": "user",
"password": "password"}
- Single quotes instead of double:
{'login': 'admin',
'password': 'password'}
- Login and password with only special characters:
{"login": "@#$%^&*",
"password": "!@#$%^&*"}
- Unicode escape sequence:
{"login": "\u0041\u0044\u004D\u0049\u004E",
"password":"\u0050\u0041\u0053\u0053\u0057\u004F\u0052\u0044"}
- Value as object instead of string:
{"login": {"$oid":"507c7f79bcf86cd7994f6c0e"},
"password": "password"}}
- Nonexistent variables as values:
{"login": undefined,
"password": undefined}
- Extra nested objects:
{"login": "admin",
"password": "password","extra": {"key1": "value1","key2": "value2"}}
- Hexadecimal values:
{"login": "0x1234",
"password": "0x5678"}
- Extra symbols after valid JSON:
{"login": "admin",
"password": "password"}@@@@@@}
- Only keys, without values:
{"login":,
"password":}
- Insertion of control characters:
{"login": "ad\u0000min",
"password": "pass\u0000word"}
- Long Unicode Strings:
{"login": "\u0061"*10000,
"password": "\u0061"*10000}
- Newline Characters in Strings:
{"login": "ad\nmin",
"password": "pa\nssword"}
- Tab Characters in Strings:
{"login": "ad\tmin",
"password": "pa\tssword"}
- Test with HTML content in Strings:
{"login": "<b>admin",
"password": "password"}
- JSON Injection in Strings:
{"login": "{\"injection\":\"value\"}",
"password": "password"}
- Test with XML content in Strings:
{"login": "admin",
"password": "password"}
- Combination of Number, Strings, and Special characters:
{"login": "ad123min!@",
"password": "pa55w0rd!@"}
- Floating numbers as Strings:
{"login": "123.456",
"password": "789.123"}
- Value as a combination of languages (Here, English and Hindi):
{"login": "adminवà¥à¤¯à¤µà¤¸à¥à¤¥à¤¾à¤ªà¤•",
"password": "passwordपासवरà¥à¤¡"}
- Non-ASCII characters in Strings:
{"login": "∆admin∆",
"password": "∆password∆"}
- Single Character Keys and Values:
{"l": "a",
"p": "p"}
- Use of environment variables:
{"login": "${USER}",
"password": "${PASS}"}
- Backslashes in Strings:
{"login": "ad\\min",
"password": "pa\\ssword"}
- Long strings of special characters:
{"login": "!@#$%^&*()"*1000,
"password": "!@#$%^&*()"*1000}
- Empty Key in JSON:
{"": "admin",
"password": "password"}
- JSON Injection in Key:
{"{\"injection\":\"value\"}": "admin",
"password": "password"}
- Quotation marks in strings:
{"login": "\"admin\"",
"password": "\"password\""}
- Credentials as nested arrays:
{"login": [["admin"]],
"password": [["password"]]}
- Credentials as nested objects:
{"login": {"username": {"value": "admin",
"password": {"password": {"value":"password"}
- Keys as numbers:
{123: "admin",
456: "password"}
- Testing with greater than and less than signs:
{"login": "admin>1",
"password": "<password"}
- Testing with parentheses in credentials:
{"login": "(admin)",
"password": "(password)"}
- Credentials containing slashes:
{"login": "admin/user",
"password": "pass/word"}
- Credentials containing multiple data types:
{"login": ["admin",123,true,null,{"username": ["admin"],
"password": ["password",123,false,null,{"password": "password"]}}}
- Using escape sequences:
{"login": "admin\\r\\n\\t",
"password": "password\\r\\n\\t"}
- Using curly braces in strings:
{"login": "{admin}",
"password": "{password}"}
- Using square brackets in strings:
{"login": "[admin]",
"password": "[password]"}
- Strings with only special characters:
{"login": "!@#$$%^&*()",
"password": "!@#$$%^&*()"}
- Strings with control characters:
{"login": "admin\b\f\n\r\t\v\0",
"password": "password\b\f\n\r\t\v\0"}
- Null characters in strings:
{"login": "admin\0",
"password": "password\0"}
- Exponential numbers as strings:
{"login": "1e5",
"password": "1e10"}
- Hexadecimal numbers as strings:
{"login": "0xabc",
"password": "0x123"}
- Leading zeros in numeric strings:
{"login": "000123",
"password": "000456"}
- Multilingual input (here, English and Korean):
{"login": "admin관리ìž",
"password": "password비밀번호"}
- Extremely long keys:
{"a"*10000: "admin",
"b"*10000: "password"}
- Extremely long unicode strings:
{"login": "\u0061"*10000,
"password": "\u0062"*10000}
- JSON strings with semicolon:
{"login": "admin;",
"password": "password;"}
- JSON strings with backticks:
{"login": "`admin`",
"password": "`password`"}
- JSON strings with plus sign:
{"login": "admin+",
"password": "password+"}
- JSON strings with equal sign:
{"login": "admin=",
"password": "password="}
- Strings with Asterisk (*) Symbol:
{"login": "admin*",
"password": "password*"}
- JSON containing JavaScript code:
{"login": "admin<script>alert('hi')</script>",
"password": "password"}
- Negative numbers as strings:
{"login": "-123",
"password": "-456"}
- Values as URLs:
{"login": "https://admin.com",
"password": "https://password.com"}
- Strings with email format:
{"login": "admin@admin.com",
"password": "password@password.com"}
- Strings with IP address format:
{"login": "192.0.2.0",
"password": "203.0.113.0"}
- Strings with date format:
{"login": "2023-08-03",
"password": "2023-08-04"}
- JSON with exponential values:
{"login": 1e+30,
"password": 1e+30}
- JSON with negative exponential values:
{"login": -1e+30,
"password": -1e+30}
- Using Zero Width Space (U+200B) in strings:
{"login": "admin​",
"password": "password​"}
- Using Zero Width Joiner (U+200D) in strings:
{"login": "adminâ€",
"password": "passwordâ€"}
- JSON with extremely large numbers:
{"login": 12345678901234567890,
"password": 12345678901234567890}
- Strings with backspace characters:
{"login": "admin\b",
"password": "password\b"}
- Test with emoji in strings:
{"login": "admin😀",
"password": "password😀"}
- JSON with comments, although they are not officially supported in JSON:
{/*"login": "admin",
"password": "password"*/}
- JSON with base64 encoded values:
{"login": "YWRtaW4=",
"password": "cGFzc3dvcmQ="}
- Including null byte character (may cause truncation):
{"login": "admin\0",
"password": "password\0"}
- JSON with credentials in scientific notation:
{"login": 1e100,
"password": 1e100}
- Strings with octal values:
{"login": "\141\144\155\151\156",
"password":"\160\141\163\163\167\157\162\144"}
special thanks to wallarm