artilleryio / artillery-plugin-fuzzer
Fuzz testing for HTTP APIs with Artillery.io
Like the title mentions, I added a scenario-level hook onto beforeRequest, which resulted in no strings being generated. Adding them to individual requests seems not to cause any problems, however.
Currently the plugin selects strings at random from the list, which does not guarantee that any particular string is sent to the server, and could result in a few thousand runs where not all of the strings end up being sent. I'm not exactly sure how it should be implemented, but I'd like to see a mode where this plugin could run all of the strings against an endpoint.
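One way to get the exhaustive mode asked for above, as an added example rather than code from the plugin: a processor function that hands the strings out in order from a shared cursor, so every string is sent exactly once per pass and each request carries the index of the string it used. The list here is a constructed stand-in for the plugin's list, and the hook follows the usual Artillery processor signature (requestParams, context, ee, next); both are assumptions.

```javascript
'use strict';

// Constructed sample list standing in for the plugin's string list.
const FUZZ_STRINGS = ['', 'NIL', 'LPT1', "' OR '1'='1", '<img src=x onerror=alert(1)>'];

// Position in the list, shared by every virtual user in this worker process,
// so concurrent virtual users do not all start from the first string.
let cursor = 0;

// Hands out strings in order; the index lets a failure be traced to its input.
function nextFuzzString(list = FUZZ_STRINGS) {
  const index = cursor % list.length;
  cursor += 1;
  return { index, value: list[index] };
}

// Drives one complete pass over the list and returns what was handed out.
function onePass(list = FUZZ_STRINGS) {
  const seen = [];
  for (let i = 0; i < list.length; i += 1) {
    seen.push(nextFuzzString(list).value);
  }
  return seen;
}

// Artillery-style beforeRequest hook (assumed signature: requestParams,
// context, ee, next). Exposes the string as {{ fuzzString }} and tags the
// request with its index so server-side logs can be matched to the input.
function setFuzzString(requestParams, context, ee, next) {
  const { index, value } = nextFuzzString();
  context.vars.fuzzString = value;
  requestParams.headers = Object.assign({}, requestParams.headers, {
    'x-fuzz-index': String(index),
  });
  return next();
}

module.exports = { FUZZ_STRINGS, nextFuzzString, onePass, setFuzzString };
```

With `processor: "./functions.js"` pointing at this file and `beforeRequest: setFuzzString` on a request, a phase with as many arrivals as the list has entries sends every string once; running it as a scenario-level hook depends on how the plugin itself registers its hook, which is the behaviour the first issue above reports.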
Hello team!
Thanks for the great plugin!
Unfortunately the {{naughtyString}} directive doesn't insert any lines in the running scenario.
```yaml
config:
  target: "https://BLABLASITE.com"
  processor: "./functions.js"
  phases:
    - duration: 300
      arrivalRate: 1
  plugins:
    statsd:
      host: "ststsdServer"
      port: 8125
      prefix: "Artillery.PT.Pub1"
config:
  plugins:
    fuzzer: {}
scenarios:
```
First, thanks for this very useful plugin. I've been running it on one of my services and it has already proved very valuable.
However, I've been getting an error when using this to fuzz an input that is part of a URL. The URL is example.com/service/{{input}}/prediction, where {{input}} could be any string.
To fuzz it, I wrote the following config:
```yaml
config:
  plugins:
    fuzzer: {}
  phases:
    - duration: 100 # Test 100 fuzzed values
      arrivalRate: 1 # A single request at a time
  environments:
    dev:
      target: 'http://0.0.0.0:8000'
scenarios:
  - name: "Fuzzed URL input"
    flow:
      - post:
          url: "/1/service/{{naughtyString}}/prediction"
          json:
            query: "What"
      - log: "***** POST fuzzed input: '/1/service/{{ naughtyString }}/prediction'"
```
This results in some of the requests failing to be sent, returning ERR_UNESCAPED_CHARACTERS:
```text
Started phase 0, duration: 100s @ 16:37:47(+0100) 2020-11-25
.. ***** POST fuzzed input: '/1/service/NIL/prediction'
***** POST fuzzed input: '/1/service/LPT1/prediction'
. ***** POST fuzzed input: '/1/service/''/prediction'
.. ***** POST fuzzed input: '/1/service/<img src=x\x11onerror="javascript:alert(1)">/prediction'
. ***** POST fuzzed input: '/1/service/`"'><img src=xxx:x \x09onerror=javascript:alert(1)>/prediction'
***** POST fuzzed input: '/1/service/ABC<div style="x:\x09expression(javascript:alert(1)">DEF/prediction'
.. ***** POST fuzzed input: '/1/service/<a href="\x1Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>/prediction'
. ***** POST fuzzed input: '/1/service/' OR '1'='1/prediction'
Report @ 16:37:57(+0100) 2020-11-25
Elapsed time: 10 seconds
Scenarios launched: 9
Scenarios completed: 8
Requests completed: 8
Mean response/sec: 0.89
Response time (msec):
min: 1.6
max: 387.6
median: 152.9
p95: 387.6
p99: 387.6
Codes:
404: 8
Errors:
ERR_UNESCAPED_CHARACTERS: 1
```
It's hard to pinpoint which specific value is causing the issue, as the naughty string used is random each time.
For now I'm working around this by using the number of reported ERR_UNESCAPED_CHARACTERS to manually correct the reported stats, but that's not ideal.
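An added example, not code from the plugin, showing the two things a practitioner would want for the issue above: screening which raw strings would make Node's HTTP client reject the request path, and percent-encoding the string as a single path segment so the request is always sent. The regular expression mirrors the path check in Node's http client as I understand it (any character outside U+0021..U+00FF, which covers control characters and spaces) and is an assumption, as is the hook's reliance on `naughtyString` already being set when it runs; the sample strings are constructed, modelled on the report above.

```javascript
'use strict';

// Assumed to match Node's request-path check: characters outside
// U+0021..U+00FF (control characters, space, anything beyond Latin-1)
// cause the client to fail with ERR_UNESCAPED_CHARACTERS before sending.
const UNESCAPED_PATH_CHAR = /[^\u0021-\u00ff]/;

function wouldBeRejected(path) {
  return UNESCAPED_PATH_CHAR.test(path);
}

// The path from the report above, built with the raw string...
function rawPath(fuzz) {
  return `/1/service/${fuzz}/prediction`;
}

// ...and the same path with the string encoded as one segment. Encoding also
// keeps a '/' inside the fuzz string from splitting the path into extra segments.
function encodedPath(fuzz) {
  return `/1/service/${encodeURIComponent(fuzz)}/prediction`;
}

// Returns the raw strings that would trip the check, and verifies that the
// encoded form of every string passes it.
function screen(strings) {
  const rejected = [];
  for (const s of strings) {
    if (wouldBeRejected(rawPath(s))) {
      rejected.push(s);
    }
    if (wouldBeRejected(encodedPath(s))) {
      throw new Error(`encoded path still invalid for: ${JSON.stringify(s)}`);
    }
  }
  return rejected;
}

// Artillery-style beforeRequest hook (assumed signature). Leaves the raw value
// in {{ naughtyString }} for the log line and exposes an encoded copy as
// {{ safeString }} for use in the url field. Assumes the plugin has already
// populated naughtyString when this hook runs.
function encodeForPath(requestParams, context, ee, next) {
  const raw = context.vars.naughtyString;
  if (typeof raw === 'string') {
    context.vars.safeString = encodeURIComponent(raw);
  }
  return next();
}

// Constructed sample, modelled on the values in the report above.
const SAMPLE = [
  'NIL',
  'LPT1',
  "''",
  '<img src=x\x11onerror="javascript:alert(1)">',
  "' OR '1'='1",
  '\u65e5\u672c',
];

module.exports = { wouldBeRejected, rawPath, encodedPath, screen, encodeForPath, SAMPLE };
```

Running `screen` over the plugin's full list before a load test lists the strings that can never reach the server as raw path segments, which is the information missing from the aggregate error count in the report; switching the url to `/1/service/{{ safeString }}/prediction` while keeping `{{ naughtyString }}` in the log line gives both a deliverable request and a readable record of the input.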