Supertest Security
supertest-security is a library for testing API endpoints by fuzzing them with malicious payloads that you choose (SQL injection, XSS, Unix command injection, or your own). It is built on top of the supertest package: you describe a known-good request plus a template of which attack to run against which field, and the library sends one request per payload and hands you the results.
Installation
npm i -D supertest-security
How to test body fields
For example, we want to test:
- the firstName field for XSS and SQLi
- the lastName field for XSS
- the nested siblings.children field for Unix command injection
const { SupertestSecurity, dataPreparation, attacks } = require('supertest-security');
const { SQL_INJECTION, XSS, UNIX_COMMAND_INJECTION } = attacks;
// `app` is the Express (or any other supertest-compatible) application under test;
// the require path below is illustrative
const app = require('./app');
const config = {
  endpoint: '/api/endpoint',
  method: 'post',
  headers: { authorization: 'Bearer authString' },
};
const supertest = new SupertestSecurity(app, config);
// A known-good request body. Every field you want to fuzz must be present here,
// because each test case is this body with one field swapped for a payload.
const bodyFields = {
  firstName: 'John',
  lastName: 'Doe',
  siblings: {
    children: ['Chris', 'Alex'],
  },
};
// The template mirrors the shape of bodyFields and names the attack (or list of
// attacks) to run against each field. Only keys that exist in bodyFields belong here.
const template = {
  firstName: [SQL_INJECTION, XSS],
  lastName: XSS,
  siblings: {
    children: UNIX_COMMAND_INJECTION,
  },
};
const tests = dataPreparation(bodyFields, template);
supertest.testBodyFields(tests, (results) => {
  // Inspect `results` here: for example, fail the test run if any request
  // produced a 5xx or echoed the payload back unescaped.
});
How to test query parameters
For example, we want to test:
- the page parameter for XSS and SQLi
- the search parameter for XSS
const { SupertestSecurity, dataPreparation, attacks } = require('supertest-security');
const { SQL_INJECTION, XSS } = attacks;
// `app` is the application under test; the require path is illustrative
const app = require('./app');
const config = {
  endpoint: '/api/endpoint',
  method: 'get',
  headers: { authorization: 'Bearer authString' },
};
const supertest = new SupertestSecurity(app, config);
// Known-good query parameters; each test case replaces one of them with a payload
const queryParams = {
  page: 0,
  search: '',
};
// Attack(s) to run against each parameter. Note that `page` is numeric in the
// good request but will receive string payloads, which is exactly the point.
const template = {
  page: [SQL_INJECTION, XSS],
  search: XSS,
};
const tests = dataPreparation(queryParams, template);
supertest.testQueryParams(tests, (results) => {
  // Inspect `results` here, e.g. assert that no payload was reflected
  // into the response body unescaped.
});
How to test with custom payloads
const { SupertestSecurity, dataPreparation, attacks } = require('supertest-security');
const { XSS } = attacks;
// `app` is the application under test; the require path is illustrative
const app = require('./app');
// A custom attack: its name is the key, its payloads are the array.
// Prefix the name with CUSTOM_ so it cannot collide with a built-in attack.
const CUSTOM_XSS = 'CUSTOM_XSS';
const customPayloads = {
  [CUSTOM_XSS]: ['fast', 'and', 'malicious'],
};
const config = {
  endpoint: '/api/endpoint',
  method: 'get',
  headers: { authorization: 'Bearer authString' },
};
const supertest = new SupertestSecurity(app, config);
const queryParams = {
  page: 0,
  search: '',
};
// Built-in and custom attack names can be mixed freely in a template
const template = {
  page: [XSS, CUSTOM_XSS],
  search: CUSTOM_XSS,
};
// Pass the custom payloads as the third argument so the template can refer to them
const tests = dataPreparation(queryParams, template, customPayloads);
supertest.testQueryParams(tests, (results) => {
  // Inspect `results` here
});
There is one rule: a custom payload name must not be the same as one of supertest-security's built-in attack names (the keys of `attacks`), otherwise the built-in payload list is shadowed. Our suggestion is to prefix every custom payload name with CUSTOM_.
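The README shows the template and custom-payload API but not what happens between `dataPreparation` and the results callback, nor what the callback should check. The following is an added illustration, not supertest-security's own code: a minimal template expander that mirrors the body-field and custom-payload examples above (nested fields, array fields, a list of attacks per field, the CUSTOM_ collision rule) and a response check of the kind a results callback should perform. The payload lists, the `fakeEndpoint` stand-in and all function names are constructed for this example; the real package's internals and result format may differ.

```javascript
// Added illustration, not the supertest-security package's own code.
// Payload lists, fakeEndpoint and all function names are constructed here.

// Built-in attack names, each with a couple of constructed sample payloads.
const BUILTIN_PAYLOADS = {
  SQL_INJECTION: ["' OR '1'='1", "1; DROP TABLE users--"],
  XSS: ['<script>alert(1)</script>', '"><img src=x onerror=alert(1)>'],
  UNIX_COMMAND_INJECTION: ['; id', '$(id)'],
};

// The README's rule: a custom payload name must not shadow a built-in attack,
// otherwise the built-in list would be silently replaced by the custom one.
function mergePayloads(custom = {}) {
  for (const name of Object.keys(custom)) {
    if (Object.prototype.hasOwnProperty.call(BUILTIN_PAYLOADS, name)) {
      throw new Error(`custom payload "${name}" collides with a built-in attack; use a CUSTOM_ prefix`);
    }
  }
  return { ...BUILTIN_PAYLOADS, ...custom };
}

// Return a deep copy of plain-data `obj` with the value at `path` (array of keys) replaced.
function setPath(obj, path, value) {
  const copy = JSON.parse(JSON.stringify(obj));
  let cur = copy;
  for (const key of path.slice(0, -1)) cur = cur[key];
  cur[path[path.length - 1]] = value;
  return copy;
}

// Expand {field: ATTACK | [ATTACK, ...] | {nested template}} over a known-good body.
// One test case per (field, attack, payload); an array field gets one case per
// element. A template key that is missing from the data is an error, not ignored,
// so a stray key like `name` in the template is caught instead of silently skipped.
function expandTemplate(data, template, payloads, prefix = []) {
  const cases = [];
  for (const [key, spec] of Object.entries(template)) {
    const path = [...prefix, key];
    const value = path.reduce((o, k) => (o == null ? undefined : o[k]), data);
    if (value === undefined) throw new Error(`template key "${path.join('.')}" is not in the data`);
    if (spec && typeof spec === 'object' && !Array.isArray(spec)) {
      cases.push(...expandTemplate(data, spec, payloads, path));
      continue;
    }
    for (const attack of [].concat(spec)) {
      const list = payloads[attack];
      if (!list) throw new Error(`unknown attack "${attack}"`);
      for (const payload of list) {
        const slots = Array.isArray(value) ? value.map((_, i) => [...path, i]) : [path];
        for (const slot of slots) {
          cases.push({ field: slot.join('.'), attack, payload, body: setPath(data, slot, payload) });
        }
      }
    }
  }
  return cases;
}

// What a results callback should look for: a 5xx means the payload reached code
// it should not have; the payload echoed back verbatim means the endpoint
// reflects input without output encoding (the reflected-XSS precondition).
function classifyResponse(testCase, status, responseText) {
  const findings = [];
  if (status >= 500) findings.push('server error');
  if (responseText.includes(testCase.payload)) findings.push('payload reflected unescaped');
  return findings;
}

// Constructed stand-in for the endpoint under test: it HTML-encodes lastName
// but echoes firstName raw, so only firstName cases should be flagged.
function fakeEndpoint(body) {
  const enc = (s) => String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
  return { status: 200, text: `<p>Hi ${body.firstName} ${enc(body.lastName)}</p>` };
}

// Run every generated case against an endpoint and keep only the flagged ones.
function runFuzz(data, template, payloads, endpoint = fakeEndpoint) {
  return expandTemplate(data, template, payloads)
    .map((tc) => {
      const res = endpoint(tc.body);
      return { ...tc, findings: classifyResponse(tc, res.status, res.text) };
    })
    .filter((tc) => tc.findings.length > 0);
}

// Same shapes as the README's body-field example, plus a custom payload set.
const bodyFields = { firstName: 'John', lastName: 'Doe', siblings: { children: ['Chris', 'Alex'] } };
const template = {
  firstName: ['SQL_INJECTION', 'XSS'],
  lastName: 'XSS',
  siblings: { children: 'UNIX_COMMAND_INJECTION' },
};
const flagged = runFuzz(bodyFields, template, mergePayloads({ CUSTOM_XSS: ['<svg/onload=alert(1)>'] }));
```

With the fake endpoint, `flagged` contains only the four firstName cases (two SQLi and two XSS payloads echoed back raw); the lastName payloads are encoded and the siblings.children payloads never appear in the response. Against a real app you would drive the same classification from the status and body that supertest returns for each request.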
Contributing