Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/thlorenz/attack

Tool that surfaces problems in your application that render it insecure or may cause it to crash.

Last synced: 15 days ago



README

        

# attack [![build status](https://secure.travis-ci.org/thlorenz/attack.png)](http://travis-ci.org/thlorenz/attack)

Tool that surfaces problems in your application that render it insecure or may cause it to crash.

![assets/attack.gif](assets/attack.gif)

```js
// create sitemap of your server
var attack = require('thlorenz-attack')
var app = require('express')()
  .get('/', function index () { })
  .post('/other', function other () { })

// walks the routes mounted on app and writes them to ./attack-routes.json
attack.writeRoutes(app)
```

Then use the `attack` cli tool to generate **ab** and **siege** scripts to attack your server.

**Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)*

- [Status](#status)
- [Installation](#installation)
- [Usage](#usage)
- [API](#api)
  - [attack::ab(root, routes, opts)](#attackabroot-routes-opts)
  - [attack::siege(root, routes, opts)](#attacksiegeroot-routes-opts)
  - [attack::writeRoutes(app, opts)](#attackwriteroutesapp-opts)
- [Examples](#examples)
  - [Express Example](#express-example)
- [License](#license)

## Status

Only express apps are supported at the moment for sitemap generation.

## Installation

```sh
npm install thlorenz-attack
```

## Usage

```
usage: attack

Surfaces problems in your application that render it insecure or may cause it to crash.
Requires a routes file to have been generated, see https://github.com/thlorenz/attack#attackwriteroutesapp-opts

OPTIONS:

  -h, --help      Print this help message.
  -c, --config    Overrides the default configuration for siege and ab
                  The config file has this format:
                  https://github.com/thlorenz/attack/blob/master/attacks/default-config.json
  -t, --type      Specifies which kind of attack to generate ('ab' | 'siege')
  -u, --url       Specifies the root url at which your server accepts requests (including port and protocol)
                  i.e. http://localhost:5000
  -o, --output    Specifies into which file to pipe the output of the 'ab' tool

EXAMPLES:

  Create an ab attack using the default options piping into results.txt

    attack -r ./attack-routes.json -o results.txt -t ab -u http://localhost:5001 > attack.sh

  Create a siege attack using the default options

    attack -r ./attack-routes.json -o results.txt -t siege -u http://localhost:5001 > siege-attack.sh

  Create a siege attack using a custom config

    attack -r ./attack-routes.json -c ./myconfig.json -o results.txt -t siege -u http://localhost:5001 > siege-attack.sh

  Find more examples in the examples/Makefile at https://github.com/thlorenz/attack/blob/master/examples/Makefile
```

Note that the examples pass the routes file with `-r`, which the OPTIONS list above does not document. The generated script is written to stdout, so redirect it into a file as shown and read it before running it: it will fire the configured number of requests at whatever `-u` points to.

The config you can pass looks as follows. It is best if you just copy it from
[here](https://github.com/thlorenz/attack/blob/master/attacks/default-config.json) and then modify it to your
liking. Note that `authorization` holds a live credential that ends up verbatim in the generated shell script or `.siegerc`, so keep the config and the generated files out of version control.

```json
{
  "siege": {
    "acceptEncoding": "gzip",
    "authorization": null,
    "concurrency": 5,
    "internet": true,
    "keepAlive": true,
    "loginUrl": null,
    "requests": 20
  },
  "ab": {
    "authorization": null,
    "concurrency": 5,
    "jsonFiles": null, "//": "array of JSON file names to be used in Invalid JSON attack",
    "keepAlive": false,
    "requests": 50,
    "url": null,
    "resultFile": "ab-results.txt"
  }
}
```
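As an added illustration of what the generated scripts contain (this is example code written for this page, not the project's own `lib/` code that `attack::ab` and `attack::siege` in the API section implement), the following builds an `ab` shell script and the siege `urls`/`.siegerc` pair from a route list using the option names of default-config.json above. It assumes a route entry looks like `{ method: 'GET', path: '/other' }`, since the layout of attack-routes.json is not shown on this page; the "tricky" JSON bodies are constructed for the example. Two practitioner details are built in: every value that reaches the shell is single-quoted, so a path or header cannot break out of the generated command, and the root URL is validated before the script is allowed to point thousands of requests at it.

```javascript
'use strict';
// Added example, not code from thlorenz/attack: generate the kind of ab script and the
// siege urls/.siegerc pair the README describes, from an attack-routes.json-style list.
// Assumptions: a route entry is { method: 'GET', path: '/x' } (the real file layout is
// not shown on the page) and option names follow default-config.json.

// Single-quote a value for POSIX sh so a path or header containing quotes, spaces or
// `$(...)` cannot break out of the generated command line.
function shellQuote(s) {
  return "'" + String(s).replace(/'/g, "'\\''") + "'";
}

// Refuse anything but an absolute http(s) URL: the script fires many requests, so a
// typo such as "localhost:5001" (no scheme) must be caught before ab ever sees it.
function checkRoot(root) {
  let u;
  try { u = new URL(root); } catch (e) { throw new Error('root must be an absolute URL: ' + root); }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') throw new Error('root must be http(s): ' + root);
  return u.origin;
}

// Constructed "tricky" JSON bodies for POST/PUT routes: each is harmless to the shell
// but exercises the body parser (truncated, wrong root type, prototype key, deep nesting).
function trickyPayloads() {
  return [
    { name: 'truncated',    body: '{"user": "bob"' },
    { name: 'array-root',   body: '[1, 2, 3]' },
    { name: 'proto-key',    body: '{"__proto__": {"admin": true}}' },
    { name: 'deep-nesting', body: '['.repeat(5000) + ']'.repeat(5000) },
  ];
}

// Shell script of ab commands: GET routes are hit as-is, POST/PUT routes once per payload.
function abScript(root, routes, opts) {
  const o = Object.assign({ concurrency: 5, requests: 50, keepAlive: false, resultFile: 'ab-results.txt' }, opts);
  const origin = checkRoot(root);
  const common = ['-n', o.requests, '-c', o.concurrency];
  if (o.keepAlive) common.push('-k');
  if (o.authorization) common.push('-H', shellQuote(o.authorization));
  const lines = ['#!/bin/sh', 'set -u'];
  for (const p of trickyPayloads()) {
    lines.push(`printf '%s' ${shellQuote(p.body)} > ${shellQuote(p.name + '.json')}`);
  }
  for (const r of routes) {
    const url = shellQuote(origin + r.path);
    const method = String(r.method).toUpperCase();
    const out = `>> ${shellQuote(o.resultFile)}`;
    if (method === 'GET') {
      lines.push(`ab ${common.join(' ')} ${url} ${out}`);
    } else if (method === 'POST' || method === 'PUT') {
      const flag = method === 'POST' ? '-p' : '-u';   // ab: -p = POST file, -u = PUT file
      for (const p of trickyPayloads()) {
        lines.push(`ab ${common.join(' ')} ${flag} ${shellQuote(p.name + '.json')} -T application/json ${url} ${out}`);
      }
    }
  }
  return lines.join('\n') + '\n';
}

// siege reads one URL per line; a POST line carries the verb and the body after the URL.
function siegeFiles(root, routes, opts) {
  const o = Object.assign({ concurrency: 5, requests: 20, keepAlive: true, internet: true, acceptEncoding: 'gzip' }, opts);
  const origin = checkRoot(root);
  const urls = routes.map(r => {
    const m = String(r.method).toUpperCase();
    return m === 'GET' ? origin + r.path : `${origin}${r.path} ${m} ${trickyPayloads()[0].body}`;
  });
  const rc = [
    `concurrent = ${o.concurrency}`,
    `reps = ${o.requests}`,
    `internet = ${o.internet}`,
    `connection = ${o.keepAlive ? 'keep-alive' : 'close'}`,
    `accept-encoding = ${o.acceptEncoding}`,
  ];
  if (o.loginUrl) rc.push(`login-url = ${o.loginUrl}`);
  if (o.authorization) rc.push(`login = ${o.authorization}`); // siege expects user:password here
  return { urls: urls.join('\n') + '\n', rc: rc.join('\n') + '\n' };
}

if (typeof require !== 'undefined' && require.main === module) {
  const routes = [{ method: 'GET', path: '/' }, { method: 'POST', path: '/other' }];
  process.stdout.write(abScript('http://localhost:5001', routes, { keepAlive: true }));
}
```

One difference between the two tools worth knowing when filling in `authorization`: ab takes any raw header through `-H`, whereas siege's `login` directive in `.siegerc` expects HTTP basic-auth credentials in `user:password` form, so a bearer-style token header does not carry over unchanged.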

## API

### attack::ab(root, routes, opts)

Generates a shell script that runs various ab commands in order to expose
ways that an application could be crashed.

Parameters:

| Name | Type | Argument | Description |
| --- | --- | --- | --- |
| root | String | | root url of the server to attack, i.e. http://localhost:3000 |
| routes | `Array.<Object>` | | collected via ./lib/write-routes.js, see `attack::writeRoutes` |
| opts | Object | optional | options to tweak each attack |

Properties of `opts`:

| Name | Type | Argument | Description |
| --- | --- | --- | --- |
| authorization | String | optional | authorization string if required, i.e. 'Authorization: Token abcd1234' |
| concurrency | Number | optional | how many requests to fire in parallel, default: 5 |
| requests | Number | optional | how many requests to fire, default: 50 |
| url | String | | url at which to fire the requests |
| resultFile | String | | file to which ab results are piped |
| keepAlive | Boolean | optional | if true keep-alive is configured for ab, default: true (note that the shipped default-config.json sets `ab.keepAlive` to false) |
| jsonFiles | `Array.<String>` | optional | full paths to JSON files to use as tricky payloads on top of the ones included |

### attack::siege(root, routes, opts)

Generates a urls file and an rc file for siege
(brew install siege)

Parameters:

| Name | Type | Argument | Description |
| --- | --- | --- | --- |
| root | String | | root url of the server to attack, i.e. http://localhost:3000 |
| routes | `Array.<Object>` | | collected via ./lib/write-routes.js, see `attack::writeRoutes` |
| opts | Object | optional | options to tweak each attack |

Properties of `opts`:

| Name | Type | Argument | Description |
| --- | --- | --- | --- |
| authorization | String | optional | login/authorization string used in the .siegerc configuration, default: undefined |
| loginUrl | String | optional | login-url used in the .siegerc configuration, default: undefined |
| concurrency | Number | optional | concurrency of requests sent by siege for each url, default: 5 |
| requests | Number | optional | number of requests sent by siege for each url, default: 20 |
| keepAlive | Boolean | optional | if true keep-alive is configured for siege, default: true |
| internet | Boolean | optional | if true siege is configured to submit random requests (simulating internet usage), default: true |
| acceptEncoding | String | optional | accept-encoding specified in the .siegerc configuration, default: 'gzip' |

### attack::writeRoutes(app, opts)

Writes the routes found on the given app.

- Warning: this function throws if the app's type cannot be detected
- Warning: this function synchronously writes the routes to the file system

Therefore please run this only during server initialization after all routes were installed.

```js
var attack = require('thlorenz-attack')

var app = require('express')()
  .get('/', function index () { })
  .post('/other', function other () { })
attack.writeRoutes(app)
```

Parameters:

| Name | Type | Argument | Description |
| --- | --- | --- | --- |
| app | Object | | the app/server on which the routes are mounted |
| opts | Object | optional | options |

Properties of `opts`:

| Name | Type | Argument | Description |
| --- | --- | --- | --- |
| type | Object | optional | the type of the server/framework, will be detected if not supplied |
| file | Object | optional | path to JSON file to write routes to, ./attack-routes.json if not supplied |


*generated with [docme](https://github.com/thlorenz/docme)*

## Examples

Try the examples here as follows:

### Express Example

```sh
cd examples && npm install
make ab-siege-async
node express-async-error
```

In another terminal

```sh
sh siege-attack.sh && sh ab-attack.sh
```

Then watch your express app crash after a bit.

## License

MIT