Big List of Naughty Strings

The Big List of Naughty Strings is an evolving list of strings which have a high probability of causing issues when used as user-input data. This is intended for use in helping both automated and manual QA testing; useful for whenever your QA engineer walks into a bar.

Why Test Naughty Strings?

Even multi-billion dollar companies with huge amounts of automated testing can't find every bad input. For example, look at what happens when you try to Tweet a zero-width space (U+200B) on Twitter:

Although this is not a malicious error, and typical users aren't Tweeting weird unicode, an "internal server error" for unexpected input is never a positive experience for the user, and may in fact be a symptom of deeper string-validation issues. The Big List of Naughty Strings is intended to help reveal such issues.

Usage

blns.txt consists of newline-delimited strings and comments which are preceded with #. The comments divide the strings into sections for easy manual reading and copy/pasting into input forms. For those who want to access the strings programmatically, a blns.json file is provided containing an array with all the comments stripped out (the scripts folder contains a Python script used to generate the blns.json).

Contributions

Feel free to send a pull request to add more strings, or additional sections. However, please do not send pull requests with very-long strings (255+ characters), as that makes the list much more difficult to view.

Likewise, please do not send pull requests which compromise manual usability of the file. This includes the EICAR test string, which can cause the file to be flagged by antivirus scanners, and files which alter the encoding of blns.txt. Also, do not send a null character (U+0000) string, as it changes the file format on GitHub to binary and renders it unreadable in pull requests. Finally, when adding or removing a string please update all files when you perform a pull request.

Disclaimer

The Big List of Naughty Strings is intended to be used for software you own and manage. Some of the Naughty Strings can indicate security vulnerabilities, and as a result using such strings with third-party software may be a crime. The maintainer is not responsible for any negative actions that result from the use of the list.

Additionally, the Big List of Naughty Strings is not a fully-comprehensive substitute for formal security/penetration testing for your service.

Maintainer/Creator

Max Woolf (@minimaxir)

Social Media Discussions

License

MIT



Big List of Naughty Strings

顽固的字符串的大列表是一个不断发展的字符串列表,当用作用户输入数据时,这些字符串的高概率会导致问题。这是用于帮助自动和手动的质量检测测试;每当您的质量检查工程师进入酒吧时,都很有用。

零宽度空间(U + 200B)时会发生什么:

data-canonical-src

虽然这不是一个恶意的错误,而且典型的用户并不是Tweeting怪异的unicode,但对于意外输入来说,内部服务器错误对用户来说永远不会是一个积极的体验,而且实际上可能是更深层次的字符串的症状,验证问题。淘气串的大清单旨在帮助揭示这些问题。

用法

blns.txt 由换行符分隔的字符串和注释组成,前面是。这些意见将字符串分为几个部分,以便于手动阅读和复制/粘贴到输入表单中。对于希望以编程方式访问字符串的用户,提供了一个 blns.json 文件,其中包含一个包含所有注释的数组( scripts 文件夹包含用于生成 blns.json

贡献

随时发送拉动请求以添加更多字符串或其他部分。但是,请不要发送带有非常长的字符串(255个以上的字符)的拉取请求,因此这个列表难以查看。

同样,请不要发送拉扯请求,这会影响文件的手动可用性。这包括 EICAR测试字符串,可能会导致文件被防病毒扫描程序标记,并且文件会更改编码 blns.txt 。另外,不要发送一个空字符(U + 0000)字符串,因为它将GitHub上的文件格式更改为二进制文件,并将其呈现拉动请求无法读取。最后,添加或删除字符串时,请在执行拉取请求时更新所有文件。

免责声明

淘气之弦的大清单旨在用于您拥有和管理的软件。一些顽皮的字符串可以表示安全漏洞,因此使用这样的字符串与第三方软件可能是犯罪。维护者对使用列表所造成的任何负面行为概不负责。

另外,淘宝网的大名单不是全面的替代您的服务的正式安全/渗透测试。

维护者/创建者

Max Woolf( @minimaxir

社交媒体讨论

许可证

麻省理工学院




相关问题推荐