97 JSON Tests for for Authentication Endpoints link pdf link
- Basic credentials
{
"login": "admin",
"password": "admin"
}
- Empty credentials:
{
"login": "",
"password": ""
}
3- Null values:
{
"login": null,
"password": null
}
- Credentials as numbers:
{
"login": 123,
"password": 456
}
- Credentials as booleans:
{
"login": true,
"password": false
}
- Credentials as arrays:
{
"login": ["admin"],
"password": ["password"]
}
- Credentials as objects:
{
"login": {"username": "admin",
"password": {"password": "password"}}
}
- Special characters in credentials:
{
"login": "@dm!n",
"password": "p@ssw0rd#"
}
- SQL Injection:
{
"login": "admin' --",
"password": "password"
}
- HTML tags in credentials:
{
"login": "<h1>admin</h1>",
"password": "ololo-HTML-XSS"
}
- Unicode in credentials:
{
"login": "\u0061\u0064\u006D\u0069\u006E",
"password":"\u0070\u0061\u0073\u0073\u0077\u006F\u0072\u0064"
}
- Credentials with escape characters:
{
"login": "ad\\nmin",
"password": "pa\\ssword"
}
- Credentials with white space:
{
"login": " ",
"password": " "
}
- Overlong values:
{
"login": "a"*10000,
"password": "b"*10000
}
- Malformed JSON (missing brace):
{
"login": "admin",
"password": "admin"
}
- Malformed JSON (extra comma):
{
"login": "admin",
"password": "admin",
}
- Missing login key:
{
"password": "admin"
}
- Missing password key:
{
"login": "admin"
}
- Swapped key values:
{
"admin": "login",
"password": "password"
}
- Extra keys:
{
"login": "admin",
"password": "admin",
"extra": "extra"
}
- Missing colon:
{
"login" "admin",
"password": "password"
}
- Invalid Boolean as credentials:
{
"login": yes,
"password": no
}
- All keys, no values:
{
"": "",
"": ""
}
- Nested objects:
{
"login": {"innerLogin": "admin",
"password": {"innerPassword": "password"}}
}
- Case sensitivity testing:
{
"LOGIN": "admin",
"PASSWORD": "password"
}
- Login as a number, password as a string:
{
"login": 1234,
"password": "password"
}
- Login as a string, password as a number:
{
"login": "admin",
"password": 1234
}
- Repeated keys:
{
"login": "admin",
"login": "user",
"password": "password"
}
- Single quotes instead of double:
{
'login': 'admin',
'password': 'password'
}
- Login and password with only special characters:
{
"login": "@#$%^&*",
"password": "!@#$%^&*"
}
- Unicode escape sequence:
{
"login": "\u0041\u0044\u004D\u0049\u004E",
"password":"\u0050\u0041\u0053\u0053\u0057\u004F\u0052\u0044"
}
- Value as object instead of string:
{
"login": {"$oid":
"507c7f79bcf86cd7994f6c0e"},
"password": "password"}
}
- Nonexistent variables as values:
{
"login": undefined,
"password": undefined
}
- Extra nested objects:
{
"login": "admin",
"password": "password",
"extra": {"key1": "value1",
"key2": "value2"}
}
- Hexadecimal values:
{
"login": "0x1234",
"password": "0x5678"
}
- Extra symbols after valid JSON:
{
"login": "admin",
"password": "password"}@@@@@@
}
- Only keys, without values:
{
"login":,
"password":
}
- Insertion of control characters:
{
"login": "ad\u0000min",
"password": "pass\u0000word"
}
- Long Unicode Strings:
{
"login": "\u0061"*10000,
"password": "\u0061"*10000
}
- Newline Characters in Strings:
{
"login": "ad\nmin",
"password": "pa\nssword"
}
- Tab Characters in Strings:
{
"login": "ad\tmin",
"password": "pa\tssword"
}
- Test with HTML content in Strings:
{
"login": "<b>admin",
"password": "password"
}
- JSON Injection in Strings:
{
"login": "{\"injection\":\"value\"}",
"password": "password"
}
- Test with XML content in Strings:
{
"login": "admin",
"password": "password"
}
- Combination of Number, Strings, and Special characters:
{
"login": "ad123min!@",
"password": "pa55w0rd!@"
}
- Use of environment variables:
{
"login": "${USER}",
"password": "${PASS}"
}
- Backslashes in Strings:
{
"login": "ad\\min",
"password": "pa\\ssword"
}
- Long strings of special characters:
{
"login": "!@#$%^&*()"*1000,
"password": "!@#$%^&*()"*1000
}
- Empty Key in JSON:
{
"": "admin",
"password": "password"
}
- JSON Injection in Key:
{
"{\"injection\":\"value\"}
": "admin",
"password": "password"
}
- Quotation marks in strings:
{
"login": "\"admin\"",
"password": "\"password\""
}
- Credentials as nested arrays:
{
"login": [["admin"]],
"password": [["password"]]
}
- Credentials as nested objects:
{
"login": {"username": {"value": "admin",
"password": {"password": {"value":
"password"
}
- Keys as numbers:
{
123: "admin",
456: "password"
}
- Testing with greater than and less than signs:
{
"login": "admin>1",
"password": "<password"
}
- Testing with parentheses in credentials:
{
"login": "(admin)",
"password": "(password)"
}
- Credentials containing slashes:
{
"login": "admin/user",
"password": "pass/word"
}
- Credentials containing multiple data types:
{
"login": ["admin",
123,
true,
null,
{"username": ["admin"],
"password": ["password",
123,
false,
null,
{"password": "password"]}}
}
- Using escape sequences:
{
"login": "admin\\r\\n\\t",
"password": "password\\r\\n\\t"
}
- Using curly braces in strings:
{
"login": "{admin}",
"password": "{password}"
}
- Using square brackets in strings:
{
"login": "[admin]",
"password": "[password]"
}
- Strings with only special characters:
{
"login": "!@#$$%^&*()",
"password": "!@#$$%^&*()"
}
- Strings with control characters:
{
"login": "admin\b\f\n\r\t\v\0",
"password": "password\b\f\n\r\t\v\0"
}
- Null characters in strings:
{
"login": "admin\0",
"password": "password\0"
}
- Exponential numbers as strings:
{
"login": "1e5",
"password": "1e10"
}
- Hexadecimal numbers as strings:
{
"login": "0xabc",
"password": "0x123"
}
- Leading zeros in numeric strings:
{
"login": "000123",
"password": "000456"
}
- Multilingual input (here, English and Korean):
{
"login": "admin관리ìž",
"password": "password비밀번호"
}
- Extremely long keys:
{
"a"*10000: "admin",
"b"*10000: "password"
}
- Extremely long unicode strings:
{
"login": "\u0061"*10000,
"password": "\u0062"*10000
}
- JSON strings with semicolon:
{
"login": "admin;",
"password": "password;"
}
- JSON strings with backticks:
{
"login": "`admin`",
"password": "`password`"
}
- JSON strings with plus sign:
{
"login": "admin+",
"password": "password+"
}
- JSON strings with equal sign:
{
"login": "admin=",
"password": "password="
}
- Strings with Asterisk (*) Symbol:
{
"login": "admin*",
"password": "password*"
}
- JSON containing JavaScript code:
{
"login": "admin<script>alert('hi')</script>",
"password": "password"
}
- Negative numbers as strings:
{
"login": "-123",
"password": "-456"
}
- Values as URLs:
{
"login": "https://admin.com",
"password": "https://password.com"
}
- Strings with email format:
{
"login": "admin@admin.com",
"password": "password@password.com"
}
- Strings with IP address format:
{
"login": "192.0.2.0",
"password": "203.0.113.0"
}
- Strings with date format:
{
"login": "2023-08-03",
"password": "2023-08-04"
}
- JSON with exponential values:
{
"login": 1e+30,
"password": 1e+30
}
- JSON with negative exponential values:
{
"login": -1e+30,
"password": -1e+30
}
- Using Zero Width Space (U+200B) in strings:
{
"login": "admin​",
"password": "password​"
}
- Using Zero Width Joiner (U+200D) in strings:
{
"login": "adminâ€",
"password": "passwordâ€"
}
- JSON with extremely large numbers:
{
"login": 12345678901234567890,
"password": 12345678901234567890
}
- Strings with backspace characters:
{
"login": "admin\b",
"password": "password\b"
}
- Test with emoji in strings:
{
"login": "admin😀",
"password": "password😀"
}
- JSON with comments, although they are not officially supported in JSON:
{
/*"login": "admin",
"password": "password"*/
}
- JSON with base64 encoded values:
{
"login": "YWRtaW4=",
"password": "cGFzc3dvcmQ="
}
- Including null byte character (may cause truncation):
{
"login": "admin\0",
"password": "password\0"
}
- JSON with credentials in scientific notation:
{
"login": 1e100,
"password": 1e100
}
- Strings with octal values:
{
"login": "\141\144\155\151\156",
"password":"\160\141\163\163\167\157\162\144"
}
- writeup
{
root:{
"username": "admin",
"password":"admin"
}
}
- writeup
basic => username=admin
username[]=admin
username[0]=admin
username=admin&username=admin
delete username=admin