nukuutos/supertest-security

Supertest Security

It is a library for testing API endpoints by fuzzing them with attack payloads of your choosing. It is built on top of the supertest package.

Installation

npm i -D supertest-security

Attack payloads

Payload sets the library currently ships with:

  • SQL_INJECTION
  • NOSQL_INJECTION
  • XSS
  • GRAPHQL_INJECTION
  • PATH_TRAVERSAL
  • UNIX_COMMAND_INJECTION
  • WINDOWS_COMMAND_INJECTION

How to test body fields

For example, suppose we want to test:

  • firstName field for XSS and SQLi
  • lastName field for XSS
  • siblings.children for unix command injection

const { SupertestSecurity, dataPreparation, attacks } = require('supertest-security');

const { SQL_INJECTION, XSS, UNIX_COMMAND_INJECTION } = attacks;

const config = {
  endpoint: '/api/endpoint',
  method: 'post',
  // possibility to add custom headers
  headers: { authorization: 'Bearer authString' },
};

// `app` is the application under test (e.g. an Express app), the same object you would pass to supertest
const supertest = new SupertestSecurity(app, config);

// we need to provide valid data: a baseline request the endpoint accepts, so that only the fuzzed field changes
const bodyFields = {
  firstName: 'John',
  lastName: 'Doe',
  siblings: {
    children: ['Chris', 'Alex'],
  },
};

// the template mirrors bodyFields; each value is one attack name or an array of attack names
const template = {
  firstName: [SQL_INJECTION, XSS],
  lastName: XSS,
  siblings: {
    children: UNIX_COMMAND_INJECTION,
  },
};

// creating tests
const tests = dataPreparation(bodyFields, template);

supertest.testBodyFields(tests, (results) => {
  // your custom checks for results
});

How to test query parameters

For example, suppose we want to test:

  • page param for XSS and SQLi
  • search param for XSS

const { SupertestSecurity, dataPreparation, attacks } = require('supertest-security');

const { SQL_INJECTION, XSS } = attacks;

const config = {
  endpoint: '/api/endpoint',
  method: 'get',
  // possibility to add custom headers
  headers: { authorization: 'Bearer authString' },
};

// `app` is the application under test (e.g. an Express app), the same object you would pass to supertest
const supertest = new SupertestSecurity(app, config);

// we need to provide valid data: a baseline query the endpoint accepts
const queryParams = {
  page: 0,
  search: '',
};

const template = {
  page: [SQL_INJECTION, XSS],
  search: XSS,
};

// creating tests
const tests = dataPreparation(queryParams, template);

supertest.testQueryParams(tests, (results) => {
  // your custom checks for results
});

How to test with custom payloads

const { SupertestSecurity, dataPreparation, attacks } = require('supertest-security');

const { XSS } = attacks;

// the name of the custom payload set; it must not collide with a built-in attack name
const CUSTOM_XSS = 'CUSTOM_XSS';

const customPayloads = {
  [CUSTOM_XSS]: ['fast', 'and', 'malicious'],
};

const config = {
  endpoint: '/api/endpoint',
  method: 'get',
  // possibility to add custom headers
  headers: { authorization: 'Bearer authString' },
};

// `app` is the application under test (e.g. an Express app), the same object you would pass to supertest
const supertest = new SupertestSecurity(app, config);

// we need to provide valid data: a baseline query the endpoint accepts
const queryParams = {
  page: 0,
  search: '',
};

const template = {
  page: [XSS, CUSTOM_XSS],
  search: CUSTOM_XSS,
};

// creating tests; custom payload sets are passed as the third argument
const tests = dataPreparation(queryParams, template, customPayloads);

supertest.testQueryParams(tests, (results) => {
  // your custom checks for results
});

There is one rule: a custom payload set must not use the same name as one of supertest-security's built-in attacks, otherwise the two sets collide. Our suggestion is to prefix your payload names with CUSTOM_.
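To make the data-preparation step and the naming rule concrete, here is a small stand-alone re-implementation of the idea, written for this README and not taken from supertest-security: it expands a valid request plus a template into one test per (field path, payload), fuzzes nested and array fields, and rejects custom payload names that collide with built-in ones. The payload strings are constructed placeholders, and fuzzing array fields one element at a time is an assumption of this example.

```javascript
// Added example: a minimal re-implementation of the dataPreparation idea, written
// for this README and not taken from supertest-security. Payload strings are
// constructed placeholders; the real library ships its own payload lists.
const attacks = {
  SQL_INJECTION: ['SQLI_SAMPLE_1', 'SQLI_SAMPLE_2'],
  XSS: ['XSS_SAMPLE_1'],
  UNIX_COMMAND_INJECTION: ['UNIX_CMD_SAMPLE_1'],
};

const getPath = (obj, path) => path.reduce((cur, key) => cur[key], obj);
const setPath = (obj, path, value) => {
  const parent = getPath(obj, path.slice(0, -1));
  parent[path[path.length - 1]] = value;
};

// Walks the template; each leaf names one attack or an array of attacks. Emits one
// test per (field path, payload) with ONLY that field replaced in a copy of the
// valid data, so a failing case points at exactly one field and payload.
// Assumption: an array field (siblings.children) is fuzzed one element at a time.
function dataPreparation(validData, template, customPayloads = {}) {
  for (const name of Object.keys(customPayloads)) {
    if (name in attacks) throw new Error(`custom payload name collides with a built-in attack: ${name}`);
  }
  const payloadSets = { ...attacks, ...customPayloads };
  const tests = [];
  const walk = (node, path) => {
    if (typeof node !== 'string' && !Array.isArray(node)) {
      for (const key of Object.keys(node)) walk(node[key], [...path, key]);
      return;
    }
    const baseline = getPath(validData, path);
    const targets = Array.isArray(baseline) ? baseline.map((_, i) => [...path, i]) : [path];
    for (const attack of [].concat(node)) {
      if (!payloadSets[attack]) throw new Error(`unknown attack: ${attack}`);
      for (const target of targets) {
        for (const payload of payloadSets[attack]) {
          const data = JSON.parse(JSON.stringify(validData)); // deep copy of the valid request
          setPath(data, target, payload);
          tests.push({ field: target.join('.'), attack, payload, data });
        }
      }
    }
  };
  walk(template, []);
  return tests;
}
// README body-field scenario: 3 firstName + 1 lastName + 2 children tests = 6
const readmeTests = dataPreparation(
  { firstName: 'John', lastName: 'Doe', siblings: { children: ['Chris', 'Alex'] } },
  { firstName: ['SQL_INJECTION', 'XSS'], lastName: 'XSS', siblings: { children: 'UNIX_COMMAND_INJECTION' } },
);
```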

Contributing

  • We love pull requests!
  • Adding or updating payloads is cool!
  • Adding or updating features is awesome!
