A new generator to test malicious inputs

[alessandro308]

In the middle of a boring Sunday, this idea pops out. We use Faker to fill our e2e test with realistic data. To keep stuff more real, what I'd like to create is a section that generates malicious data.

For instance we fill the user company name field with faker.company.buzzPhrase():.
The problem is that not all the users are good so maybe one of it may try to insert <script>alert('test')</script> in the company name or even worst strings (SQL injections, xss strings etc..)

So the propose can be to add

faker.malicious.string({length: ..})
faker.malicious.email()

and so on, to have malicious input in a valid format for your input to force devs to think about that because otherwise tests fail.

[ST-DDT]

I like the idea, but IMO this is very hard to do generically. E.g. depending on what your target is you have to use different kind of exploits. E.g. script or sql injection. Also for security purposes it is best to actually and repeatedly test for all potential vulnerables instead of a random one that may or may not actually fit the system.

[alessandro308]

I know but if I run tests every night, and we have hours of tests, we can suppose that even using malicious generic string is better than nothing. I mean, if in the generator there are malicious strings for AngularJS, Vue, Angular2+, Django, SQL and Springboot... we don't use all of them but sometimes we are going to be hit by the malicious one for our system...

[matthewmayer]

https://github.com/minimaxir/big-list-of-naughty-strings is always good for this

[matthewmayer]

You can easily load blns.json from that repository into an array and then use faker.helpers.arrayElement to pick one at random.

[alessandro308]

My idea was a bit more refined. From that list, picking a random string doesn't guarantee to get a valid input.
Instead I'd like to generate malicious strings but valid for your use case, ie. an email is a valid email, a string with max length fulfil the length etc etc...

[matthewmayer]

i mean a malicious user will ignore your client-side validation and submit long strings anyway :D

[alessandro308]

You're right but having valid input means I can rely on that function to write my e2e and as a side-effect I'll have potential malicious strings used there... With totally random inputs I cannot use that functions for my tests