Artillery can now be used for dead-easy fuzz testing of HTTP APIs with the new fuzzing plugin.

Itโ€™s does not provide true fuzzing yet (i.e. mutating inputs until an error condition is seen), but you can use it to test your endpoints with all kinds of weird and unusual payloads sourced from the awesome Big List Of Naughty Strings.

Emojis Can Crash Your App

Hereโ€™s a sample payload sent by the plugin:

๐Ÿ‘พ ๐Ÿ™‡ ๐Ÿ’ ๐Ÿ™… ๐Ÿ™† ๐Ÿ™‹ ๐Ÿ™Ž ๐Ÿ™

A payload as innocent-looking as that one could crash your application if it persists data in a MySQL database using the default settings. How? MySQL InnoDB engine uses the latin1 encoding by default.

Did you set utf8 on your database? Youโ€™re still in trouble because those characters are outside the BMP and you need to have specified utf8mb4 and probably made changes to your schema to be able to store them properly. This is definitely the kind of issue you want to catch before any real data makes it into the database, because migrating production data is likely to be a pain.

The fuzzer plugin can help you uncover issues like this and many other types of bugs to do with encodings and input sanitization. Modern software is incredibly complex and automated testing is the best way to ensure things are working.

Test Your API

The plugin is available on npm as artillery-plugin-fuzzer (and the source code is on Github). Give it a go, you may like what you can uncover with it.