thlorenz-attack
Tool that surfaces problems in your application that render it insecure or may cause it to crash.
Last updated 5 years ago by thlorenz .
MIT · Repository · Bugs · Original npm · Tarball · package.json
$ cnpm install thlorenz-attack 
SYNC missed versions from official npm registry.

attack build status

Tool that surfaces problems in your application that render it insecure or may cause it to crash.

assets/attack.gif

// create sitemap of your server
var attack = require('thlorenz-attack')
var app = require('express')()
  .get('/', function index () { })
  .post('/other', function other () { })

attack.writeRoutes(app)

Then use the attack cli tool to generate ab and siege scripts to attack your server.

Table of Contents generated with DocToc

Status

Only express apps supported at the moment to have sitemap geneated.

Installation

npm install thlorenz-attack

Usage

usage: attack <attack-options>

Surfaces problems in your application that render it insecure or may cause it to crash.
Requires a routes file to have been generated, see https://github.com/thlorenz/attack#attackwriteroutesapp-opts

OPTIONS:

  -h, --help      Print this help message.
  -c, --config    Overrides the default configuration for siege and ab
                  The config file has this format:
                  https://github.com/thlorenz/attack/blob/master/attacks/default-config.json 
  -t, --type      Specifies which kind of attack to generate ('ab' | 'siege') 
  -u, --url       Specifies the root url at which your server accepts requests (including port and protocol)
                  i.e. http://localhost:5000
  -o, --output    Specifies into which file to pipe the output of the 'ab' tool  


EXAMPLES:

Create an ab attack using the default options piping into results.txt

  attack -r ./attack-routes.json -o results.txt -t ab -u http://localhost:5001 > attack.sh

Create a siege attack using the default options

	attack -r ./attack-routes.json -o results.txt -t siege -u http://localhost:5001 > siege-attack.sh &&\

Create a siege attack using a custom config

	attack -r ./attack-routes.json -c ./myconfig.json -o results.txt -t siege -u http://localhost:5001 > siege-attack.sh &&\

Find more examples in the examples/Makefile at https://github.com/thlorenz/attack/blob/master/examples/Makefile

The config you can pass looks as follows. It is best if you just copy it from here and then modify it to your liking.

{
  "siege": {
    "acceptEncoding": "gzip",
    "authorization": null,
    "concurrency": 5,
    "internet": true,
    "keepAlive": true,
    "loginUrl": null,
    "requests": 20
  },
  "ab": {
    "authorization": null,
    "concurrency": 5,
    "jsonFiles": null, "//": "array of JSON file names to be used in Invalid JSON attack",
    "keepAlive": false,
    "requests": 50,
    "url": null,
    "resultFile": "ab-results.txt"
  }
}

API

attack::ab(root, routes, opts)

Generates a shell script that runs various ab commands in order to expose ways that an application could be crashed.

Parameters:
Name Type Argument Description
root String

root url of the server to attack, i.e. http://localhost:3000

routes Array.<Object>

collected via @see ./lib/write-routes.js

opts Object <optional>

options to tweak each attack

Properties
Name Type Argument Description
authorization String <optional>

authorization string if required, i.e. 'Authorization: Token abcd1234'

concurrency Number <optional>

how many requests to fire in parallel, default: 5

requests Number <optional>

how many requests to fire, default: 50

url String

url at which to fire the requests

resultFile String

file to which ab results are piped

keepAlive Boolean <optional>

if true keep-alive is configured for ab, default: true

jsonFiles Array.<String>= <optional>

full paths to JSON files to use as tricky payloads on top of the ones included

Source:

attack::siege(root, routes, opts)

Generates a urls file and an rc file for siege (brew install siege)

Parameters:
Name Type Argument Description
root String

root url of the server to attack, i.e. http://localhost:3000

routes Array.<Object>

collected via @see ./lib/write-routes.js

opts Object <optional>

options to tweak each attack

Properties
Name Type Argument Description
authorization String <optional>

login/authorization string used in the .siegerc configuration, default: undefined

loginUrl String <optional>

loginurl used in the .siegerc configuration, default: undefined

concurrency Number <optional>

concurrency of requests send by siege for each url, default: 5

requests Number <optional>

number of requests send by siege for each url, default: 20

keepAlive Boolean <optional>

if true keep-alive is configured for siege, default: true

internet Boolean <optional>

if true siege is configured to submit random requests (simulating internet usage), default: true

acceptEncoding String <optional>

accept-encoding specified in .siegerc configuration, default: 'gzip'

Source:

attack::writeRoutes(app, opts)

Writes the routes found on the given app.

Warning: this function throws if the app's type cannot be detected Warning: this function synchronously writes the routes to the file system

Therefore please run this only during server initialization after all routes were installed

 var attack = require('thlorenz-attack')
var app = require('express')()
.get('/', function index () { })
.post('/other', function other () { })
attack.writeRoutes(app)
Parameters:
Name Type Argument Description
app Object

the app/server on which the routes are mounted

opts Object <optional>

options

Properties
Name Type Argument Description
type Object <optional>

the type of the server/framework, will be detected if not supplied

file Object <optional>

path to JSON file to write routes to, ./attack-routes.json if not supplied

Source:

generated with docme

Examples

Try the examples here as follows:

Express Example

cd examples && npm install
make ab-siege-async
node express-async-error

In another terminal

sh siege-attack.sh && sh ab-attack.sh

Then watch your express app crash after a bit.

License

MIT

Current Tags

  • 0.3.0                                ...           latest (5 years ago)

2 Versions

  • 0.3.0                                ...           5 years ago
  • 0.2.0                                ...           5 years ago
Maintainers (1)
Downloads
Today 0
This Week 0
This Month 0
Last Day 0
Last Week 0
Last Month 0
Dependencies (3)
Dev Dependencies (4)
Dependents (0)
None

Copyright 2014 - 2016 © taobao.org |