artilleryio / artillery-plugin-fuzzer Goto Github PK

Hello team!

Thanks for great plugin!
Unfortunately {{naughtyString}} directive doesn`t insert any lines in running scenario.

Scenario:

config:
target: "https://BLABLASITE.com"
processor: "./functions.js"
phases:
- duration: 300
arrivalRate: 1
plugins:
statsd:
host: "ststsdServer"
port: 8125
prefix: "Artillery.PT.Pub1"
config:
plugins:
fuzzer: {}
scenarios:

• name: Search
  weight: 2
  flow:
  • get:
    url: "http://BLABLASITE.com/search.html?q={{naughtyString}}&tab=products"
    afterResponse: "toConsole"

First thanks for this very useful plugin. I've been running it on one of my services and it already proved very valuable.

However, I've been getting an error when using this to fuzz an input that is part of an URL. The URL is example.com/service/{{input}}/prediction, where {{input}} could be any string.

To fuzz it, I wrote the following config:

config:
  plugins:
    fuzzer: {}
  phases:
    - duration: 100 # Test 100 fuzzed values
      arrivalRate: 1 # A single request at a time
  environments:
    dev:
      target: 'http://0.0.0.0:8000'
scenarios:
  - name: "Fuzzed URL input"
    flow:
      - post:
          url: "/1/service/{{naughtyString}}/prediction"
          json:
            query: "What"
      - log: "***** POST fuzzed input: '/1/service/{{ naughtyString }}/prediction'"

This results in some of the requests failing to be sent, returning ERR_UNESCAPED_CHARACTERS:

Started phase 0, duration: 100s @ 16:37:47(+0100) 2020-11-25
..  ***** POST fuzzed input: '/1/service/NIL/prediction'
    ***** POST fuzzed input: '/1/service/LPT1/prediction'
  . ***** POST fuzzed input: '/1/service/''/prediction'
..  ***** POST fuzzed input: '/1/service/<img src=x\x11onerror="javascript:alert(1)">/prediction'
.   ***** POST fuzzed input: '/1/service/`"'><img src=xxx:x \x09onerror=javascript:alert(1)>/prediction'
    ***** POST fuzzed input: '/1/service/ABC<div style="x:\x09expression(javascript:alert(1)">DEF/prediction'
 .. ***** POST fuzzed input: '/1/service/<a href="\x1Cjavascript:javascript:alert(1)" id="fuzzelement1">test</a>/prediction'
  . ***** POST fuzzed input: '/1/service/' OR '1'='1/prediction'
Report @ 16:37:57(+0100) 2020-11-25
Elapsed time: 10 seconds
  Scenarios launched:  9
  Scenarios completed: 8
  Requests completed:  8
  Mean response/sec: 0.89
  Response time (msec):
    min: 1.6
    max: 387.6
    median: 152.9
    p95: 387.6
    p99: 387.6
  Codes:
    404: 8
  Errors:
    ERR_UNESCAPED_CHARACTERS: 1

It's hard to pinpoint which specific value is causing the issue, as the naughty string used is random each time.

• Is there a way to escape the picked value, that's not documented in Artillery's docs nor in this plugin's readme?
• If no, do you think there is a workaround to ignore those badly-escaped values?

For now I'm solving this problem by taking the number of reported ERR_UNESCAPED_CHARACTERS to manually fix the reported stats numbers, but that's not ideal.

Currently the plugin selects strings at random from the list, which does not guarantee that any particular string is sent to the server, and could result in a few thousand runs where not all of the strings end up being sent. I'm not exactly sure how it should be implemented but I'd like to see a mode where this plugin could run all of the strings against an endpoint.

When using the {{naughtyString}} in the Header section, I get the following -

Any idea what could be happening?

Like the title mentions, I added a scenario level hook onto the beforeRequest which resulted in no strings being generated. adding them to individual requests seems to not cause any problems however.