The Big List of Naughty Strings is an evolving list of strings that are likely to cause issues when used as dynamic user inputs. The list is designed to help quality assurance teams ensure that an application properly sanitizes and displays user inputs, as well as displays helpful error messages.
Manual quality assurance testers can use the text file, blns.txt, which consists of one naughty string per line and comments that are preceded with the pound symbol (#). The comments divide the strings into easy-to-understand sections for copying and pasting into input forms.
The Big List of Naughty Strings
You can also add your own strings that could cause issues. For example, applications using geolocation functionality could experience issues with city names, like "Montréal", "Cañon City", "Lindström" or "Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch" (the longest official one-word place name in Europe).
The Big List of Naughty Strings is an evolving list of strings which have a high probability of causing issues when used as user-input data. This is intended for use in helping both automated and manual QA testing; useful for whenever your QA engineer walks into a bar.
blns.txt consists of newline-delimited strings and comments which are preceded with #. The comments divide the strings into sections for easy manual reading and copy/pasting into input forms. For those who want to access the strings programmatically, a blns.json file is provided containing an array with all the comments stripped out (the scripts folder contains a Python script used to generate the blns.json).
Feel free to send a pull request to add more strings, or additional sections. However, please do not send pull requests with very-long strings (255+ characters), as that makes the list much more difficult to view.
The Big List of Naughty Strings is intended to be used for software you own and manage. Some of the Naughty Strings can indicate security vulnerabilities, and as a result using such strings with third-party software may be a crime. The maintainer is not responsible for any negative actions that result from the use of the list.
My plan was to use the Collection Runner to put each naughty string into my chosen API parameter. To do that, I would need a list of strings in a csv format. The BLNS repo includes a couple files with the strings encoded as base64, which is necessary for the csv parser, so my first quick and dirty solution was just to cut and paste the strings from blns.base64.json into a text file, slap a header on top and save it as a csv.
One conventional tool that testers use to check out if your application can handle odd information is the Big List of Naughty Strings. This article talks about what the list is, how it helps keep your application secure, and ways to automate these tests.
The Big List of Naughty Strings is, well, a list of text strings. However, it's no ordinary list. It has a unique purpose for testing. The strings compiled in the list are a collection of data that, when processed under certain circumstances, can cause problems in a web app.
The list contains various types of strings that can trigger unwanted behavior in your application. Some strings can get used for simple tests such as checking if a form allows and correctly displays Unicode characters for different languages. Other strings are appropriate for security checks like the ones described above. There are even strings that check platform-specific bugs, like the strings that crashed iOS devices in the past.
There are over 500 different strings on the list, so there's plenty to choose and test on your applications. Just open a copy of the list, copy a line of text, and paste it to any input that you can submit to the server. It's a quick and easy way to find issues that developers and testers rarely think about during routine testing.
Still, what fun is it to copy and paste these random strings by hand? Let's experiment with taking the Big List of Naughty Strings and creating automated tests, so we don't have to do all the copying and pasting by hand.
There are a few versions of the Big List of Naughty Strings around the Internet. The source of these strings for this article come from this GitHub repo, which is one of the first and most popular sources of this list. The repo includes a JSON file, set as an array which we can use to access the strings easily in our tests using JavaScript.
We first download the JSON file and place it inside our tests directory under the name blns.json. With the file in the directory, our next step is to read the file and parse the strings contained within so we can use it in our tests.
Now that we have our list of naughty strings in a usable format for our tests let's start using some of those strings as part of our test automation. Inside of the string_check.js file, let's add one more test:
Our new test looks similar to the first test, except for using a random string from the Big List of Naughty Strings. We're checking the array of strings we processed from the list, grabbing a random item inside the array using plain JavaScript, and storing it in the randomString variable. We then use the string in this variable as input and for asserting our variable.
As before, if we see the random string in the test, the string isn't causing any problems, so there's no alert to raise. However, if we don't see the string, we found an issue on the application. Depending on how well-protected a web application is against different types of vulnerabilities, you might not encounter any errors for these strings.
In the case of the Naughty String Checker app, some strings will cause issues since they're not getting adequately sanitized. If your random string happens to be one of those strings, the test fails. That failure indicates that the application contains a potential security vulnerability that developers need to address.
Seeing the test failure helps to see which strings are causing problems in the application. In the test run shown above, the string caused a problem since the browser didn't sanitize this string and executed the script - a potential CSRF or XSS attack.
At the beginning of this article, we mentioned that testers often use this list manually. That's a good start if you're not doing this kind of testing during manual or exploratory testing phases. If you're a tester or developer, you should consider getting into the habit of grabbing a few strings from the list and checking your application's forms.
It's better to handle these checks using automation, as shown in the examples here. When you automate testing your app with these strings, it frees you from the manual steps needed to perform these kinds of tests. Depending on your testing process, you can test a single string or go through multiple strings for variety.
Regardless of how you decide to test, you don't need to check each string in the list. Many of the strings behave in the same manner, and some won't apply in your situation. One good tip is to roll a customized version of the Big List of Naughty Strings for your needs, covering strings that apply in your situation.
You can check some of these strings during manual and exploratory testing. You can also automate these checks to make it easier to spot potential trouble. Finding and squashing these issues before they get to the hands of your users can save tons of headaches for your organization in the future.
Have you or your team used the Big List of Naughty Strings as part of your testing process? What other ways have you used the list to keep your applications running smoothly? I'd love to know - leave a comment below!
Dirty, malformed, and outright mischievous text strings have long been the enemy of interactive website developers. Strings contain any combination of letters, numbers, spaces, and punctuation, and are entered into text boxes on websites by users. These strings in particular can do everything from highlighting XSS vulnerabilities to soliciting 404 error pages.
When looking for vulnerabilities and glitches on your or someone else's website, you could come up with your own text strings to test out, but there are plenty of lists out there that have all that you need already. One such list is called the Big List of Naughty Strings, created and maintained by minimaxir, aka Max Woolf, a Software QA Engineer working in San Fransisco, California.
Minimaxir has been curating this list (at least) as far back as June 2015. The list changes as vulnerabilities are fixed on the server end, and as new ways to cause havoc are discovered. Lists like these are status quo for web developers to check for issues and vulnerabilities on their sites. The lists are also very popular for anyone who wants to stir things up a little by doing much the same. These strings can break websites and worse.
You can find minimaxir's list on his GitHub page, where you can grab it via Git or with a standard HTTP download. You can also just browse the file directly on GitHub. I grabbed the ZIP file by hitting the green "Clone or download" button to the right.
There's far more words and strings than what you see in the above screenshot. This list is 686 lines long, so you'll need to scroll down quite a ways. Comments, set off by #, define the strings by section to save you a bit of time, or better explain the section you're investigating.
Reddit caught wind of this list last month, so you might glean something interesting there from those in the know. However, it seems that Reddit itself is locked down pretty well, since someone posted nearly the entire blns.txt file there and nothing happened.
Fact is, it's harder and harder to mess up sites via text input these days. But you never know until you try! Just keep in mind that if you're using these strings against a site which is not your own, you may find yourself blocked. That means the developers are doing their job right.
If your back end just trusts the data without validating it (as the front end already validates it!) this could be a problem. As long as hackers can get past your front end checks, they are then trusted input and can try to insert malicious strings as input. 2ff7e9595c
Comments