shfzlib

v0.0.3

Published

Scenario-based fuzzing test execution tool's scenario library

Downloads

5

Readme

shfzlib

Scenario-based fuzzing test execution tool's scenario library.

Install

https://www.npmjs.com/package/shfzlib

npm i shfzlib

Setup

Installation of Node.js, npm and shfz/shfz is required.

TypeScript

Setup npm project

$ mkdir fuzz-project
$ cd fuzz-project
$ npm init
$ npm install typescript @types/node shfzlib
$ touch tsconfig.json

{
  "compilerOptions": {
    "target": "esnext",
    "module": "commonjs",
    "moduleResolution": "node",
    "strict": true,
    "skipLibCheck": true,
    "declaration": true,
    "pretty": true,
    "newLine": "lf",
    "outDir": "dist"
  },
  "exclude": [
    "node_modules"
  ]
}

Edit the fuzzing scenario script. (This scenario fuzzes shfz/demo-webapp running in your local environment.)

$ touch scenario.ts

import { Shfzlib, Charset } from "shfzlib";

const sh = new Shfzlib("http://localhost");

(async () => {
  const username = await sh.fuzz.gen("username", Charset.lowercase(), 12, 8, false);
  const password = await sh.fuzz.gen("password", Charset.ascii(), 16, 8, false);

  await sh.http.postForm("POST /register", "/register", { username, password });
  await sh.http.postForm("POST /login", "/login", { username, password });

  const title = await sh.fuzz.gen("title", Charset.lowercase(), 16, 8, false);
  const text = await sh.fuzz.gen("text", Charset.ascii(), 16, 8, false);

  await sh.http.postForm("POST /memo", "/memo", { title, text });

  await sh.http.done();
})();

Run shfz/demo-webapp and the shfz server, then execute the scenario script with shfz run.

$ cd demo-webapp
$ docker-compose up

$ shfz server
$ ./node_modules/.bin/tsc scenario.ts
$ shfz run -f scenario.js -n 10 -p 1 -t 30

Usage

Initialize

import { Shfzlib, Charset } from "shfzlib";

Shfzlib provides the HTTP request functions and the fuzz generation function. Charset provides some typical character sets.

const sh = new Shfzlib("http://localhost");

Create an instance of Shfzlib. The argument is the base URL of the web application to be fuzzed.

The session information for a series of http requests is stored in the AxiosInstance. (The cookie is held by axios-cookiejar-support)

fuzz generate sh.fuzz

sh.fuzz.gen("username", Charset.lowercase(), 12, 8, false);

gen(name: string, charset: string, maxLen?: number, minLen?: number, isGenetic?: boolean): Promise<string>;

If isGenetic of sh.fuzz.gen is true and the trace library is installed in the web application, fuzz will be generated by the genetic algorithm.

http request sh.http

This library is an extension of axios, and in many cases allows you to add the same options as in axios. Please refer to the TypeScript type information for details.

Note: async/await is used in this script. These http requests need to be wrapped in an async function.

GET

sh.http.get("API Name", "/path");

get(name: string, url: string, config?: AxiosRequestConfig): Promise<AxiosResponse>;

POST (json)

sh.http.post("API Name", "/path", { "param": param });

post(name: string, url: string, data?: any, config?: AxiosRequestConfig): Promise<AxiosResponse>;

POST (form)

sh.http.postForm("API Name", "/path", { "param": param });

postForm(name: string, url: string, data?: any, config?: AxiosRequestConfig): Promise<AxiosResponse>;

PUT

sh.http.put("API Name", "/path", { "param": param });

put(name: string, url: string, data?: any, config?: AxiosRequestConfig): Promise<AxiosResponse>;

PATCH

sh.http.patch("API Name", "/path", { "param": param });

patch(name: string, url: string, data?: any, config?: AxiosRequestConfig): Promise<AxiosResponse>;

DELETE

sh.http.delete("API Name", "/path");

delete(name: string, url: string, config?: AxiosRequestConfig): Promise<AxiosResponse>;

HEAD

sh.http.head("API Name", "/path");

head(name: string, url: string, config?: AxiosRequestConfig): Promise<AxiosResponse>;

OPTIONS

sh.http.options("API Name", "/path");

options(name: string, url: string, config?: AxiosRequestConfig): Promise<AxiosResponse>;

Finish http request

You need to call await sh.http.done(); to aggregate the errors when all http requests are finished.

Record custom error

You need to call await sh.http.error("error message"); to record custom errors such as whether the response contains certain characters.

Example) check username is in response

import * as c from "cheerio";

...

  let $ = c.load(res.data);
  if($('p[id="user"]').text() !== username) {
    await sh.http.error("No username in response");
  };

Charset

  • Charset.ascii() : !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_'abcdefghijklmnopqrstuvwxyz{|}~
  • Charset.symbol() : !"#$%&'()*+,-./:;<=>?@[\]^_{|}~`
  • Charset.number() : 0123456789
  • Charset.lowercase() : abcdefghijklmnopqrstuvwxyz
  • Charset.uppercase() : ABCDEFGHIJKLMNOPQRSTUVWXYZ

Customize

The scenario is written in JavaScript or TypeScript, so any npm package can be installed.

Here's a digest of the recommended npm packages and how to use them.

Response body check

import * as c from "cheerio";

...

  let res = await sh.http.postForm("login api", "/login", { username, password });
  let $ = c.load(res.data);
  if($('p[id="user"]').text() !== username) {
    await sh.http.error("No username in response");
  };
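
A stricter variant of this response check for values generated from Charset.ascii(), as an added example that is not part of shfzlib or its README: classifyReflection and decode are hypothetical helper names, and the check reports whether a fuzzed value came back HTML-escaped or with markup characters written unescaped.

```typescript
// Added example (not shfzlib code): classify how a fuzzed value is reflected in HTML.
type Reflection = "raw" | "escaped" | "inert" | "absent";

const NAMED: Record<string, string> = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
const SPECIAL = /[&<>"']/;

// Decode character references and record, per output character, whether it was
// written literally in the body (true) or came from a reference (false).
function decode(body: string): { text: string; literal: boolean[] } {
  const re = /&(?:#x([0-9a-f]{1,5})|#(\d{1,6})|(amp|lt|gt|quot|apos));|[\s\S]/gi;
  const literal: boolean[] = [];
  let text = "";
  let m: RegExpExecArray | null;
  while ((m = re.exec(body)) !== null) {
    const isLiteral = m[0].length === 1;
    const ch = m[1] ? String.fromCodePoint(parseInt(m[1], 16))
      : m[2] ? String.fromCodePoint(parseInt(m[2], 10))
      : m[3] ? NAMED[m[3].toLowerCase()] || m[0]
      : m[0];
    text += ch;
    for (let i = 0; i < ch.length; i++) literal.push(isLiteral);
  }
  return { text, literal };
}

function classifyReflection(body: string, value: string): Reflection {
  if (value === "") return "absent";
  const { text, literal } = decode(body);
  let result: Reflection = "absent";
  for (let at = text.indexOf(value); at !== -1; at = text.indexOf(value, at + 1)) {
    let special = false;
    for (let i = 0; i < value.length; i++) {
      if (!SPECIAL.test(value.charAt(i))) continue;
      special = true;
      if (literal[at + i]) return "raw"; // a markup character arrived unescaped
    }
    if (special) result = "escaped";
    else if (result === "absent") result = "inert"; // nothing in the value needed escaping
  }
  return result;
}

// Assumed use inside a scenario, after `const res = await sh.http.postForm(...)`:
//   if (classifyReflection(res.data, username) === "raw")
//     await sh.http.error("username reflected without HTML escaping");
```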

Generate TOTP

import * as c from "cheerio";
const totp = require("totp-generator");

...

  // get totp_secret by cheerio
  let res = await sh.http.postForm("register api", "/register", { username, password });
  let $ = c.load(res.data);
  let totp_secret = $('p[id="totp"]').text();
  await sh.http.get("logout", "/logout");

  // generate one time password by totp package
  const one_time_password = totp(totp_secret)

  // login with one time password
  await sh.http.postForm("login api", "/login", { username, password, totp: one_time_password });

CSRF Token

import * as c from "cheerio";

...

  // get csrf_token
  let res = await sh.http.get("register page", "/register");
  let $ = c.load(res.data);
  let csrf_token = $('input[name="csrf_token"]').val()

  // POST register form with csrf_token
  await sh.http.postForm("register api", "/register", { username, password, csrf_token: csrf_token });