https://github.com/artilleryio/artillery-plugin-fuzzer
Fuzz testing for HTTP APIs with Artillery.io 🌪
- Host: GitHub
- URL: https://github.com/artilleryio/artillery-plugin-fuzzer
- Owner: artilleryio
- Created: 2017-05-06T15:25:52.000Z (over 8 years ago)
- Default Branch: master
- Last Pushed: 2022-05-01T21:46:41.000Z (over 3 years ago)
- Last Synced: 2025-06-29T05:45:28.882Z (3 months ago)
- Language: JavaScript
- Homepage:
- Size: 17.6 KB
- Stars: 60
- Watchers: 8
- Forks: 7
- Open Issues: 4
Metadata Files:
- Readme: README.md
README
# Artillery Fuzzer - easy fuzzing for HTTP APIs
This plugin makes it dead-easy to run some [fuzz testing](https://en.wikipedia.org/wiki/Fuzzing) (or [monkey testing](https://en.wikipedia.org/wiki/Monkey_testing)) on your HTTP API with [Artillery](https://artillery.io).
The plugin lets you use Artillery to send a lot of **junk** (unexpected and weird payloads) to your API endpoints. You can then monitor your backend for exceptions, errors or crashes, and improve the **security** and **reliability** of your system by fixing any issues uncovered.
The payloads generated by this plugin are based on the awesome [Big List Of Naughty Strings](https://github.com/minimaxir/big-list-of-naughty-strings/), which contains a large number of inputs that are more likely to trigger unexpected behavior in your software.
## Usage
**Important**: this plugin requires Artillery `v1.6.0-0` or later.
Install the plugin with:
```
npm install artillery-plugin-fuzzer
```
Enable the plugin in your test script with:
```yaml
config:
  plugins:
    fuzzer: {}
```
Then just use the `{{ naughtyString }}` variable as you would any other variable in your scenario:
```yaml
- post:
    url: "/session"
    json:
      username: "{{ naughtyString }}"
      password: "secret"
```
A new value for the `naughtyString` variable will be generated for each new request in a scenario.
See the complete example in [`example.yaml`](example.yaml)
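The plugin sends the payloads; spotting what they break is still up to you. The following Artillery `config.processor` module is an added example (not part of artillery-plugin-fuzzer) that records every 5xx response, and every 200 whose body carries a stack trace, together with the `naughtyString` that triggered it, so a crash can be replayed with the exact input. It assumes the plugin has placed the current payload in `context.vars.naughtyString`, as described above; the file name `fuzz-hooks.js` and the hook name `recordServerError` are this example's own.

```javascript
// fuzz-hooks.js: an Artillery `config.processor` module that flags backend
// failures during a fuzz run. Added example, not part of artillery-plugin-fuzzer.
// Assumption: the plugin has put the current payload in
// `context.vars.naughtyString`, as the README describes.

// 5xx means the backend failed on our input rather than rejecting it cleanly.
function isServerError(statusCode) {
  return Number.isInteger(statusCode) && statusCode >= 500 && statusCode <= 599;
}

// A 200 that carries a stack trace is also a finding: the input reached an
// exception handler that leaks internals. Patterns cover Node, Python and Java.
const TRACE_PATTERNS = [
  /\n\s+at .+\(.+:\d+:\d+\)/,            // Node: "    at fn (file.js:12:3)"
  /Traceback \(most recent call last\)/,  // Python
  /\n\s+at [\w$.]+\([\w$]+\.java:\d+\)/,  // Java: "    at pkg.Cls.m(Cls.java:12)"
];

function looksLikeLeakedTrace(body) {
  if (typeof body !== 'string') return false;
  return TRACE_PATTERNS.some((re) => re.test(body));
}

// Artillery afterResponse hook: (requestParams, response, context, ee, next).
// Records each finding with the payload that triggered it and emits a custom
// counter that shows up in Artillery's summary output.
function recordServerError(requestParams, response, context, ee, next) {
  const findings = (context.vars.fuzzFindings = context.vars.fuzzFindings || []);
  let kind = null;
  if (isServerError(response.statusCode)) kind = 'server_error';
  else if (looksLikeLeakedTrace(response.body)) kind = 'leaked_trace';
  if (kind) {
    findings.push({
      kind,
      url: requestParams.url,
      status: response.statusCode,
      payload: context.vars.naughtyString,
    });
    ee.emit('counter', `fuzzer.${kind}`, 1);
  }
  return next();
}

// Offline demo with constructed requests/responses (no Artillery run needed).
function runDemo() {
  const context = { vars: {} };
  const counters = {};
  const ee = {
    emit: (type, name, n) => {
      if (type === 'counter') counters[name] = (counters[name] || 0) + n;
    },
  };
  const samples = [ // constructed: three payloads and how a backend might answer
    { payload: 'alice', status: 200, body: '{"ok":true}' },
    { payload: '\u{1F47E} \u{1F647} \u{1F481}', status: 500, body: 'Internal Server Error' },
    { payload: 'null', status: 200,
      body: 'TypeError: Cannot read properties of undefined\n    at handler (server.js:42:17)' },
  ];
  for (const s of samples) {
    context.vars.naughtyString = s.payload;
    recordServerError({ url: '/session' }, { statusCode: s.status, body: s.body },
      context, ee, () => {});
  }
  return { findings: context.vars.fuzzFindings, counters };
}

if (typeof module !== 'undefined') {
  module.exports = { isServerError, looksLikeLeakedTrace, recordServerError, runDemo };
}
```

Wire it in with `config.processor: "./fuzz-hooks.js"` and `afterResponse: "recordServerError"` on the request (or the scenario) you want watched; the `fuzzer.server_error` and `fuzzer.leaked_trace` counters then appear in the run summary, and `context.vars.fuzzFindings` holds the payloads to replay.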
# Why?
Running a quick test with this plugin against your app's backend can help uncover bugs, security issues and QA problems.
## A Real World Example
Here's a sample payload sent by this plugin:
👾 🙇 💁 🙅 🙆 🙋 🙎 🙍
Something innocent like this can crash your application if it persists data in a MySQL database with the default settings. How? MySQL versions before 8.0 default to the `latin1` character set, which cannot represent these characters: in strict SQL mode the `INSERT` fails with an `Incorrect string value` error (an unhandled exception in many applications), and in non-strict mode the stored value is silently mangled.
Did you set the `utf8` encoding on your database? You're still in trouble: MySQL's `utf8` is an alias for `utf8mb3`, which stores at most three bytes per character, and those characters are outside the [BMP](https://en.wikipedia.org/wiki/Plane_(Unicode)#Basic_Multilingual_Plane), so they need four. You have to specify `utf8mb4` instead, and possibly change your schema to go with it: `utf8mb4` can use four bytes per character and InnoDB's older row formats cap index keys at 767 bytes, which is why indexed `VARCHAR(255)` columns often have to shrink to `VARCHAR(191)`.
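As an added example (not code from the plugin), the Node.js snippet below reports what a MySQL column needs in order to store a given payload: whether it fits the `latin1` range, whether it stays inside the BMP (so three-byte `utf8`/`utf8mb3` can hold it), its UTF-8 byte count next to what JavaScript's `.length` reports, and the longest `VARCHAR` that remains indexable under the 767-byte InnoDB key limit. The sample payload is rebuilt from the code points of the README's example above; the function names are this example's own.

```javascript
// Added example, not part of artillery-plugin-fuzzer: work out what it takes to
// store a fuzz payload, so you can check your schema before a run finds the gap.
// Runs on Node.js (uses the global TextEncoder); no MySQL connection needed.

// The README's sample payload, rebuilt from code points so the counts below are
// exact: eight emoji separated by seven spaces.
const SAMPLE_PAYLOAD = [0x1F47E, 0x1F647, 0x1F481, 0x1F645, 0x1F646, 0x1F64B, 0x1F64E, 0x1F64D]
  .map((cp) => String.fromCodePoint(cp))
  .join(' ');

// InnoDB index-key limit for the older COMPACT/REDUNDANT row formats; the
// DYNAMIC/COMPRESSED formats allow 3072 bytes.
const INNODB_LEGACY_INDEX_LIMIT = 767;

// Longest VARCHAR(n) that stays indexable when every character may take
// `maxBytesPerChar` bytes: 255 for utf8mb3, the well-known 191 for utf8mb4.
function maxIndexedVarchar(maxBytesPerChar, indexLimitBytes = INNODB_LEGACY_INDEX_LIMIT) {
  return Math.floor(indexLimitBytes / maxBytesPerChar);
}

function analyzeEncoding(str) {
  const codePoints = Array.from(str); // iterates by code point, not by UTF-16 unit
  // U+0000..U+00FF only. MySQL's latin1 is really cp1252, which adds a few
  // symbols in 0x80..0x9F, so this check is conservative.
  let fitsLatin1 = true;
  // BMP only: MySQL `utf8` (= utf8mb3) stores at most 3 bytes per character.
  let fitsUtf8mb3 = true;
  for (const ch of codePoints) {
    const cp = ch.codePointAt(0);
    if (cp > 0xff) fitsLatin1 = false;
    if (cp > 0xffff) fitsUtf8mb3 = false;
  }
  return {
    chars: codePoints.length,
    utf16Units: str.length, // what JS `.length` reports; surrogate pairs count twice
    utf8Bytes: new TextEncoder().encode(str).length,
    fitsLatin1,
    fitsUtf8mb3,
    needsUtf8mb4: !fitsUtf8mb3,
    // Longest indexable VARCHAR for the narrowest charset that can hold the value.
    maxIndexedVarchar: maxIndexedVarchar(fitsLatin1 ? 1 : fitsUtf8mb3 ? 3 : 4),
  };
}

if (typeof module !== 'undefined') {
  module.exports = { SAMPLE_PAYLOAD, INNODB_LEGACY_INDEX_LIMIT, maxIndexedVarchar, analyzeEncoding };
}
```

For the sample payload this reports 15 characters, 23 UTF-16 units and 39 UTF-8 bytes, with `needsUtf8mb4: true`; a column declared as `utf8` would reject or truncate it, and once the column is `utf8mb4` an indexed `VARCHAR` on a legacy row format has to stay at 191 characters or fewer.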
Modern software systems are incredibly complex. [If you haven't tried it, assume it's broken](https://landing.google.com/sre/book/chapters/testing-reliability.html).
Happy fuzzing!
# Roadmap
Sending [blns](https://github.com/minimaxir/big-list-of-naughty-strings/) payloads is a good start for a fuzzer, but it's only the first small step. We want to make Artillery a great tool for API fuzz testing. Got an idea for this plugin? Share your feedback in [Issues](https://github.com/shoreditch-ops/artillery-plugin-fuzzer/issues).
# License
MPL 2.0