- Basic credentials:
{"login": "admin",
"password": "admin"}- Empty credentials:
{"login": "",
"password": ""}- Null values:
{"login": null,
"password": null}- Credentials as numbers:
{"login": 123,
"password": 456}- Credentials as booleans:
{"login": true,
"password": false}- Credentials as arrays:
{"login": ["admin"],
"password": ["password"]}- Credentials as objects:
{"login": {"username": "admin",
"password": {"password": "password"}
}}- Special characters in credentials:
{"login": "@dm!n",
"password": "p@ssw0rd#"}- SQL Injection:
{"login": "admin' --",
"password": "password"}- HTML tags in credentials:
{"login": "<h1>admin</h1>",
"password": "ololo-HTML-XSS"}- Unicode in credentials:
{"login": "\u0061\u0064\u006D\u0069\u006E",
"password":"\u0070\u0061\u0073\u0073\u0077\u006F\u0072\u0064"}- Credentials with escape characters:
{"login": "ad\\nmin",
"password": "pa\\ssword"}- Credentials with white space:
{"login": " ",
"password": " "}- Overlong values:
{"login": "a"*10000,
"password": "b"*10000}- Malformed JSON (missing brace):
{"login": "admin",
"password": "admin"}- Malformed JSON (extra comma):
{"login": "admin",
"password": "admin",}- Missing login key:
{"password": "admin"}- Missing password key:
{"login": "admin"}- Swapped key values:
{"admin": "login",
"password": "password"}- Extra keys:
{"login": "admin",
"password": "admin",
"extra": "extra"}- Missing colon:
{"login" "admin",
"password": "password"}- Invalid Boolean as credentials:
{"login": yes,
"password": no}- All keys, no values:
{"": "",
"": ""}- Nested objects:
{"login": {"innerLogin": "admin",
"password": {"innerPassword": "password"}}}- Case sensitivity testing:
{"LOGIN": "admin",
"PASSWORD": "password"}- Login as a number, password as a string:
{"login": 1234,
"password": "password"}- Login as a string, password as a number:
{"login": "admin",
"password": 1234}- Repeated keys:
{"login": "admin",
"login": "user",
"password": "password"}- Single quotes instead of double:
{'login': 'admin',
'password': 'password'}- Login and password with only special characters:
{"login": "@#$%^&*",
"password": "!@#$%^&*"}- Unicode escape sequence:
{"login": "\u0041\u0044\u004D\u0049\u004E",
"password":"\u0050\u0041\u0053\u0053\u0057\u004F\u0052\u0044"}- Value as object instead of string:
{"login": {"$oid":"507c7f79bcf86cd7994f6c0e"},
"password": "password"}}- Nonexistent variables as values:
{"login": undefined,
"password": undefined}- Extra nested objects:
{"login": "admin",
"password": "password","extra": {"key1": "value1","key2": "value2"}}- Hexadecimal values:
{"login": "0x1234",
"password": "0x5678"}- Extra symbols after valid JSON:
{"login": "admin",
"password": "password"}@@@@@@}- Only keys, without values:
{"login":,
"password":}- Insertion of control characters:
{"login": "ad\u0000min",
"password": "pass\u0000word"}- Long Unicode Strings:
{"login": "\u0061"*10000,
"password": "\u0061"*10000}- Newline Characters in Strings:
{"login": "ad\nmin",
"password": "pa\nssword"}- Tab Characters in Strings:
{"login": "ad\tmin",
"password": "pa\tssword"}- Test with HTML content in Strings:
{"login": "<b>admin",
"password": "password"}- JSON Injection in Strings:
{"login": "{\"injection\":\"value\"}",
"password": "password"}- Test with XML content in Strings:
{"login": "admin",
"password": "password"}- Combination of Number, Strings, and Special characters:
{"login": "ad123min!@",
"password": "pa55w0rd!@"}- Floating numbers as Strings:
{"login": "123.456",
"password": "789.123"}- Value as a combination of languages (Here, English and Hindi):
{"login": "adminवà¥à¤¯à¤µà¤¸à¥à¤¥à¤¾à¤ªà¤•",
"password": "passwordपासवरà¥à¤¡"}- Non-ASCII characters in Strings:
{"login": "∆admin∆",
"password": "∆password∆"}- Single Character Keys and Values:
{"l": "a",
"p": "p"}- Use of environment variables:
{"login": "${USER}",
"password": "${PASS}"}- Backslashes in Strings:
{"login": "ad\\min",
"password": "pa\\ssword"}- Long strings of special characters:
{"login": "!@#$%^&*()"*1000,
"password": "!@#$%^&*()"*1000}- Empty Key in JSON:
{"": "admin",
"password": "password"}- JSON Injection in Key:
{"{\"injection\":\"value\"}": "admin",
"password": "password"}- Quotation marks in strings:
{"login": "\"admin\"",
"password": "\"password\""}- Credentials as nested arrays:
{"login": [["admin"]],
"password": [["password"]]}- Credentials as nested objects:
{"login": {"username": {"value": "admin",
"password": {"password": {"value":"password"}- Keys as numbers:
{123: "admin",
456: "password"}- Testing with greater than and less than signs:
{"login": "admin>1",
"password": "<password"}- Testing with parentheses in credentials:
{"login": "(admin)",
"password": "(password)"}- Credentials containing slashes:
{"login": "admin/user",
"password": "pass/word"}- Credentials containing multiple data types:
{"login": ["admin",123,true,null,{"username": ["admin"],
"password": ["password",123,false,null,{"password": "password"]}}}- Using escape sequences:
{"login": "admin\\r\\n\\t",
"password": "password\\r\\n\\t"}- Using curly braces in strings:
{"login": "{admin}",
"password": "{password}"}- Using square brackets in strings:
{"login": "[admin]",
"password": "[password]"}- Strings with only special characters:
{"login": "!@#$$%^&*()",
"password": "!@#$$%^&*()"}- Strings with control characters:
{"login": "admin\b\f\n\r\t\v\0",
"password": "password\b\f\n\r\t\v\0"}- Null characters in strings:
{"login": "admin\0",
"password": "password\0"}- Exponential numbers as strings:
{"login": "1e5",
"password": "1e10"}- Hexadecimal numbers as strings:
{"login": "0xabc",
"password": "0x123"}- Leading zeros in numeric strings:
{"login": "000123",
"password": "000456"}- Multilingual input (here, English and Korean):
{"login": "admin관리ìž",
"password": "password비밀번호"}- Extremely long keys:
{"a"*10000: "admin",
"b"*10000: "password"}- Extremely long unicode strings:
{"login": "\u0061"*10000,
"password": "\u0062"*10000}- JSON strings with semicolon:
{"login": "admin;",
"password": "password;"}- JSON strings with backticks:
{"login": "`admin`",
"password": "`password`"}- JSON strings with plus sign:
{"login": "admin+",
"password": "password+"}- JSON strings with equal sign:
{"login": "admin=",
"password": "password="}- Strings with Asterisk (*) Symbol:
{"login": "admin*",
"password": "password*"}- JSON containing JavaScript code:
{"login": "admin<script>alert('hi')</script>",
"password": "password"}- Negative numbers as strings:
{"login": "-123",
"password": "-456"}- Values as URLs:
{"login": "https://admin.com",
"password": "https://password.com"}- Strings with email format:
{"login": "admin@admin.com",
"password": "password@password.com"}- Strings with IP address format:
{"login": "192.0.2.0",
"password": "203.0.113.0"}- Strings with date format:
{"login": "2023-08-03",
"password": "2023-08-04"}- JSON with exponential values:
{"login": 1e+30,
"password": 1e+30}- JSON with negative exponential values:
{"login": -1e+30,
"password": -1e+30}- Using Zero Width Space (U+200B) in strings:
{"login": "admin​",
"password": "password​"}- Using Zero Width Joiner (U+200D) in strings:
{"login": "adminâ€",
"password": "passwordâ€"}- JSON with extremely large numbers:
{"login": 12345678901234567890,
"password": 12345678901234567890}- Strings with backspace characters:
{"login": "admin\b",
"password": "password\b"}- Test with emoji in strings:
{"login": "admin😀",
"password": "password😀"}- JSON with comments, although they are not officially supported in JSON:
{/*"login": "admin",
"password": "password"*/}- JSON with base64 encoded values:
{"login": "YWRtaW4=",
"password": "cGFzc3dvcmQ="}- Including null byte character (may cause truncation):
{"login": "admin\0",
"password": "password\0"}- JSON with credentials in scientific notation:
{"login": 1e100,
"password": 1e100}- Strings with octal values:
{"login": "\141\144\155\151\156",
"password":"\160\141\163\163\167\157\162\144"}special thanks to wallarm