json

97 JSON Tests for for Authentication Endpoints link pdf link

  1. Basic credentials

{
"login": "admin",
"password": "admin"
}
  1. Empty credentials:

{
"login": "",
"password": ""
}

3- Null values:

{
"login": null,
"password": null
}
  1. Credentials as numbers:

{
"login": 123,
"password": 456
}
  1. Credentials as booleans:

{
"login": true,
"password": false
}
  1. Credentials as arrays:

{
"login": ["admin"],
"password": ["password"]
}
  1. Credentials as objects:

{
"login": {"username": "admin",
"password": {"password": "password"}}
}
  1. Special characters in credentials:

{
"login": "@dm!n",
"password": "p@ssw0rd#"
}
  1. SQL Injection:

{
"login": "admin' --",
"password": "password"
}
  1. HTML tags in credentials:

{
"login": "<h1>admin</h1>",
"password": "ololo-HTML-XSS"
}
  1. Unicode in credentials:

{
"login": "\u0061\u0064\u006D\u0069\u006E",
"password":"\u0070\u0061\u0073\u0073\u0077\u006F\u0072\u0064"
}
  1. Credentials with escape characters:

{
"login": "ad\\nmin",
"password": "pa\\ssword"
}
  1. Credentials with white space:

{
"login": " ",
"password": " "
}
  1. Overlong values:

{
"login": "a"*10000,
"password": "b"*10000
}
  1. Malformed JSON (missing brace):

{
"login": "admin",
"password": "admin"
}
  1. Malformed JSON (extra comma):

{
"login": "admin",
"password": "admin",
}
  1. Missing login key:

{
"password": "admin"
}
  1. Missing password key:

{
"login": "admin"
}
  1. Swapped key values:

{
"admin": "login",
"password": "password"
}
  1. Extra keys:

{
"login": "admin",
"password": "admin",
"extra": "extra"
}
  1. Missing colon:

{
"login" "admin",
"password": "password"
}
  1. Invalid Boolean as credentials:

{
"login": yes,
"password": no
}
  1. All keys, no values:

{
"": "",
"": ""
}
  1. Nested objects:

{
"login": {"innerLogin": "admin",
"password": {"innerPassword": "password"}}
}
  1. Case sensitivity testing:

{
"LOGIN": "admin",
"PASSWORD": "password"
}
  1. Login as a number, password as a string:

{
"login": 1234,
"password": "password"
}
  1. Login as a string, password as a number:

{
"login": "admin",
"password": 1234
}
  1. Repeated keys:

{
"login": "admin",
"login": "user",
"password": "password"
}
  1. Single quotes instead of double:

{
'login': 'admin',
'password': 'password'
}
  1. Login and password with only special characters:

{
"login": "@#$%^&*",
"password": "!@#$%^&*"
}
  1. Unicode escape sequence:

{
"login": "\u0041\u0044\u004D\u0049\u004E",
"password":"\u0050\u0041\u0053\u0053\u0057\u004F\u0052\u0044"
}
  1. Value as object instead of string:

{
"login": {"$oid":
"507c7f79bcf86cd7994f6c0e"},
"password": "password"}
}
  1. Nonexistent variables as values:

{
"login": undefined,
"password": undefined
}
  1. Extra nested objects:

{
"login": "admin",
"password": "password",
"extra": {"key1": "value1",
"key2": "value2"}
}
  1. Hexadecimal values:

{
"login": "0x1234",
"password": "0x5678"
}
  1. Extra symbols after valid JSON:

{
"login": "admin",
"password": "password"}@@@@@@
}
  1. Only keys, without values:

{
"login":,
"password":
}
  1. Insertion of control characters:

{
"login": "ad\u0000min",
"password": "pass\u0000word"
}
  1. Long Unicode Strings:

{
"login": "\u0061"*10000,
"password": "\u0061"*10000
}
  1. Newline Characters in Strings:

{
"login": "ad\nmin",
"password": "pa\nssword"
}
  1. Tab Characters in Strings:

{
"login": "ad\tmin",
"password": "pa\tssword"
}
  1. Test with HTML content in Strings:

{
"login": "<b>admin",
"password": "password"
}
  1. JSON Injection in Strings:

{
"login": "{\"injection\":\"value\"}",
"password": "password"
}
  1. Test with XML content in Strings:

{
"login": "admin",
"password": "password"
}
  1. Combination of Number, Strings, and Special characters:

{
"login": "ad123min!@",
"password": "pa55w0rd!@"
}
  1. Use of environment variables:

{
"login": "${USER}",
"password": "${PASS}"
}
  1. Backslashes in Strings:

{
"login": "ad\\min",
"password": "pa\\ssword"
}
  1. Long strings of special characters:

{
"login": "!@#$%^&*()"*1000,
"password": "!@#$%^&*()"*1000
}
  1. Empty Key in JSON:

{
"": "admin",
"password": "password"
}
  1. JSON Injection in Key:

{
"{\"injection\":\"value\"}
": "admin",
"password": "password"
}
  1. Quotation marks in strings:

{
"login": "\"admin\"",
"password": "\"password\""
}
  1. Credentials as nested arrays:

{
"login": [["admin"]],
"password": [["password"]]
}
  1. Credentials as nested objects:

{
"login": {"username": {"value": "admin",
"password": {"password": {"value":
"password"
}
  1. Keys as numbers:

{
123: "admin",
456: "password"
}
  1. Testing with greater than and less than signs:

{
"login": "admin>1",
"password": "<password"
}
  1. Testing with parentheses in credentials:

{
"login": "(admin)",
"password": "(password)"
}
  1. Credentials containing slashes:

{
"login": "admin/user",
"password": "pass/word"
}
  1. Credentials containing multiple data types:

{
"login": ["admin",
123,
true,
null,
{"username": ["admin"],
"password": ["password",
123,
false,
null,
{"password": "password"]}}
}
  1. Using escape sequences:

{
"login": "admin\\r\\n\\t",
"password": "password\\r\\n\\t"
}
  1. Using curly braces in strings:

{
"login": "{admin}",
"password": "{password}"
}
  1. Using square brackets in strings:

{
"login": "[admin]",
"password": "[password]"
}
  1. Strings with only special characters:

{
"login": "!@#$$%^&*()",
"password": "!@#$$%^&*()"
}
  1. Strings with control characters:

{
"login": "admin\b\f\n\r\t\v\0",
"password": "password\b\f\n\r\t\v\0"
}
  1. Null characters in strings:

{
"login": "admin\0",
"password": "password\0"
}
  1. Exponential numbers as strings:

{
"login": "1e5",
"password": "1e10"
}
  1. Hexadecimal numbers as strings:

{
"login": "0xabc",
"password": "0x123"
}
  1. Leading zeros in numeric strings:

{
"login": "000123",
"password": "000456"
}
  1. Multilingual input (here, English and Korean):

{
"login": "admin관리ìž",
"password": "password비밀번호"
}
  1. Extremely long keys:

{
"a"*10000: "admin",
"b"*10000: "password"
}
  1. Extremely long unicode strings:

{
"login": "\u0061"*10000,
"password": "\u0062"*10000
}
  1. JSON strings with semicolon:

{
"login": "admin;",
"password": "password;"
}
  1. JSON strings with backticks:

{
"login": "`admin`",
"password": "`password`"
}
  1. JSON strings with plus sign:

{
"login": "admin+",
"password": "password+"
}
  1. JSON strings with equal sign:

{
"login": "admin=",
"password": "password="
}
  1. Strings with Asterisk (*) Symbol:

{
"login": "admin*",
"password": "password*"
}
  1. JSON containing JavaScript code:

{
"login": "admin<script>alert('hi')</script>",
"password": "password"
}
  1. Negative numbers as strings:

{
"login": "-123",
"password": "-456"
}
  1. Values as URLs:

{
"login": "https://admin.com",
"password": "https://password.com"
}
  1. Strings with email format:

{
"login": "admin@admin.com",
"password": "password@password.com"
}
  1. Strings with IP address format:

{
"login": "192.0.2.0",
"password": "203.0.113.0"
}
  1. Strings with date format:

{
"login": "2023-08-03",
"password": "2023-08-04"
}
  1. JSON with exponential values:

{
"login": 1e+30,
"password": 1e+30
}
  1. JSON with negative exponential values:

{
"login": -1e+30,
"password": -1e+30
}
  1. Using Zero Width Space (U+200B) in strings:

{
"login": "admin​",
"password": "password​"
}
  1. Using Zero Width Joiner (U+200D) in strings:

{
"login": "adminâ€",
"password": "passwordâ€"
}
  1. JSON with extremely large numbers:

{
"login": 12345678901234567890,
"password": 12345678901234567890
}
  1. Strings with backspace characters:

{
"login": "admin\b",
"password": "password\b"
}
  1. Test with emoji in strings:

{
"login": "admin😀",
"password": "password😀"
}
  1. JSON with comments, although they are not officially supported in JSON:

{
/*"login": "admin",
"password": "password"*/
}
  1. JSON with base64 encoded values:

{
"login": "YWRtaW4=",
"password": "cGFzc3dvcmQ="
}
  1. Including null byte character (may cause truncation):

{
"login": "admin\0",
"password": "password\0"
}
  1. JSON with credentials in scientific notation:

{
"login": 1e100,
"password": 1e100
}
  1. Strings with octal values:

{
"login": "\141\144\155\151\156",
"password":"\160\141\163\163\167\157\162\144"
}
  1. writeup

{
root:{
"username": "admin",
"password":"admin"
}
}
  1. writeup

basic => username=admin
username[]=admin
username[0]=admin
username=admin&username=admin
delete username=admin