API Authentication

Test Cases

1. Basic Credentials

{
  "login": "admin",
  "password": "admin"
}

2. Empty Credentials

{
  "login": "",
  "password": ""
}

3. Null Values

{
  "login": null,
  "password": null
}

4. Credentials as Numbers

{
  "login": 123,
  "password": 456
}

6. Credentials as Booleans

{
  "login": true,
  "password": false
}

7. Credentials as Arrays

{
  "login": ["admin"],
  "password": ["password"]
}

8. Credentials as Objects

{
  "login": {"username": "admin", "password": {"password": "password"}}
}

9. Special Characters in Credentials

{
  "login": "@dm!n",
  "password": "p@ssw0rd#"
}

10. SQL Injection

{
  "login": "admin' --",
  "password": "password"
}

11. HTML Tags in Credentials

{
  "login": "<h1> admin </h1>",
  "password": "ololo-HTML-XSS"
}

12. Unicode in Credentials

{
  "login": "\u0061\u0064\u006D\u0069\u006E",
  "password": "\u0070\u0061\u0073\u0073\u0077\u006F\u0072\u0064"
}

13. Credentials with Escape Characters

{
  "login": "ad\\nmin",
  "password": "pa\\ssword"
}

14. Credentials with White Space

{
  "login": " ",
  "password": " "
}

15. Overlong Values

{
  "login": "aaaaaaaaaa... (10000 a's)",
  "password": "bbbbbbbbbb... (10000 b's)"
}

16. Malformed JSON (Missing Brace)

{ "login": "admin", "password": "admin"

17. Malformed JSON (Extra Comma)

{
  "login": "admin",
  "password": "admin",
}

{
  "password": "admin"
}

19. Missing Password Key

{
  "login": "admin"
}

20. Swapped Key Values

{
  "admin": "login",
  "password": "password"
}

21. Extra Keys

{
  "login": "admin",
  "password": "admin",
  "extra": "extra"
}

22. Missing Colon

{
  "login" "admin",
  "password": "password"
}

23. Invalid Boolean as Credentials

{
  "login": yes,
  "password": no
}

25. All Keys, No Values

{
  "": "",
  "": ""
}

26. Nested Objects

{
  "login": {"innerLogin": "admin", "password": {"innerPassword": "password"}}
}

27. Case Sensitivity Testing

{
  "LOGIN": "admin",
  "PASSWORD": "password"
}

{
  "login": 1234,
  "password": "password"
}

{
  "login": "admin",
  "password": 1234
}

30. Repeated Keys

{
  "login": "admin",
  "login": "user",
  "password": "password"
}

31. Single Quotes Instead of Double

{
  'login': 'admin',
  'password': 'password'
}

{
  "login": "@#$%^&*",
  "password": "!@#$%^&*"
}

34. Unicode Escape Sequence

{
  "login": "\u0041\u0044\u004D\u0049\u004E",
  "password": "\u0050\u0041\u0053\u0053\u0057\u004F\u0052\u0044"
}

35. Value as Object Instead of String

{
  "login": {"$oid": "507c7f79bcf86cd7994f6c0e"},
  "password": "password"
}

37. Nonexistent Variables as Values

{
  "login": undefined,
  "password": undefined
}

38. Extra Nested Objects

{
  "login": "admin",
  "password": "password",
  "extra": {"key1": "value1", "key2": "value2"}
}

39. Hexadecimal Values

{
  "login": "0x1234",
  "password": "0x5678"
}

40. Extra Symbols After Valid JSON

{
  "login": "admin",
  "password": "password"
}@@@@@@

41. Only Keys, Without Values

{
  "login":,
  "password":
}

42. Insertion of Control Characters

{
  "login": "ad\u0000min",
  "password": "pass\u0000word"
}

43. Long Unicode Strings

{
  "login": "aaaaaaaaaa... (10000 a's in Unicode)",
  "password": "aaaaaaaaaa... (10000 a's in Unicode)"
}

44. Newline Characters in Strings

{
  "login": "ad\nmin",
  "password": "pa\nssword"
}

45. Tab Characters in Strings

{
  "login": "ad\tmin",
  "password": "pa\tssword"
}

46. Test with HTML Content in Strings

{
  "login": "admin",
  "password": "password"
}

47. JSON Injection in Strings

{
  "login": "{\"injection\":\"value\"}",
  "password": "password"
}

48. Test with XML Content in Strings

{
  "login": "admin",
  "password": "password"
}

49. Combination of Number, Strings, and Special Characters

{
  "login": "ad123min!@",
  "password": "pa55w0rd!@"
}

50. Use of Environment Variables

{
  "login": "${USER}",
  "password": "${PASS}"
}

51. Backslashes in Strings

{
  "login": "ad\\min",
  "password": "pa\\ssword"
}

52. Long Strings of Special Characters

{
  "login": "!@#$%^&*()... (repeated 1000 times)",
  "password": "!@#$%^&*()... (repeated 1000 times)"
}

53. Empty Key in JSON

{
  "": "admin",
  "password": "password"
}

55. JSON Injection in Key

{
  "{\"injection\":\"value\"} ": "admin",
  "password": "password"
}

56. Quotation Marks in Strings

{
  "login": "\"admin\"",
  "password": "\"password\""
}

57. Credentials as Nested Arrays

{
  "login": [["admin"]],
  "password": [["password"]]
}

58. Credentials as Nested Objects

{
  "login": {"username": {"value": "admin", "password": {"password": {"value": "password"}}}
}

59. Keys as Numbers

{
  123: "admin",
  456: "password"
}

60. Testing with Greater Than and Less Than Signs

{
  "login": "admin>1",
  "password": "alert('hi')",
  "password": "password"
}

85. Negative Numbers as Strings

{
  "login": "-123",
  "password": "-456"
}

86. Values as URLs

{
  "login": "https://admin.com",
  "password": "https://password.com"
}

87. Strings with Email Format

{
  "login": "admin@admin.com",
  "password": "password@password.com"
}

88. Strings with IP Address Format

{
  "login": "192.0.2.0",
  "password": "203.0.113.0"
}

89. Strings with Date Format

{
  "login": "2023-08-03",
  "password": "2023-08-04"
}

90. JSON with Exponential Values

{
  "login": 1e+30,
  "password": 1e+30
}

91. JSON with Negative Exponential Values

{
  "login": -1e+30,
  "password": -1e+30
}

92. Using Zero Width Space (U+200B) in Strings

{
  "login": "admin\u200B",
  "password": "password\u200B"
}

93. Using Zero Width Joiner (U+200D) in Strings

{
  "login": "admin\u200D",
  "password": "password\u200D"
}

94. JSON with Extremely Large Numbers

{
  "login": 12345678901234567890,
  "password": 12345678901234567890
}

95. Strings with Backspace Characters

{
  "login": "admin\b",
  "password": "password\b"
}

96. Test with Emoji in Strings

{
  "login": "admin😀",
  "password": "password😀"
}

97. JSON with Comments (Note: Comments are not officially supported in JSON)

{
  /*"login": "admin", "password": "password"*/
}

98. JSON with Base64 Encoded Values

{
  "login": "YWRtaW4=",
  "password": "cGFzc3dvcmQ="
}

99. Including Null Byte Character (May cause truncation)

{
  "login": "admin\0",
  "password": "password\0"
}

100. JSON with Credentials in Scientific Notation

{
  "login": 1e100,
  "password": 1e100
}

102. Strings with Octal Values

{
  "login": "\141\144\155\151\156",
  "password": "\160\141\163\163\167\157\162\144"
}

103. Writeup Test Case

{
  "root": {
    "username": "admin",
    "password": "admin"
  }
}

104. Writeup Test Case (Alternate Format)

{
  "basic": "username=admin username[]=admin username[0]=admin username=admin&username=admin delete username=admin"
}

PreviousExtra NextAPI Authorization

Last updated 1 year ago

hashtag1. Basic Credentials

hashtag2. Empty Credentials

hashtag3. Null Values

hashtag4. Credentials as Numbers

hashtag6. Credentials as Booleans

hashtag7. Credentials as Arrays

hashtag8. Credentials as Objects

hashtag9. Special Characters in Credentials

hashtag10. SQL Injection

hashtag11. HTML Tags in Credentials

hashtag12. Unicode in Credentials

hashtag13. Credentials with Escape Characters

hashtag14. Credentials with White Space

hashtag15. Overlong Values

hashtag16. Malformed JSON (Missing Brace)

hashtag17. Malformed JSON (Extra Comma)

hashtag18. Missing Login Key

hashtag19. Missing Password Key

hashtag20. Swapped Key Values

hashtag21. Extra Keys

hashtag22. Missing Colon

hashtag23. Invalid Boolean as Credentials

hashtag25. All Keys, No Values

hashtag26. Nested Objects

hashtag27. Case Sensitivity Testing

hashtag28. Login as a Number, Password as a String

hashtag29. Login as a String, Password as a Number

hashtag30. Repeated Keys

hashtag31. Single Quotes Instead of Double

hashtag33. Login and Password with Only Special Characters

hashtag34. Unicode Escape Sequence

hashtag35. Value as Object Instead of String

hashtag37. Nonexistent Variables as Values

hashtag38. Extra Nested Objects

hashtag39. Hexadecimal Values

hashtag40. Extra Symbols After Valid JSON

hashtag41. Only Keys, Without Values

hashtag42. Insertion of Control Characters

hashtag43. Long Unicode Strings

hashtag44. Newline Characters in Strings

hashtag45. Tab Characters in Strings

hashtag46. Test with HTML Content in Strings

hashtag47. JSON Injection in Strings

hashtag48. Test with XML Content in Strings

hashtag49. Combination of Number, Strings, and Special Characters

hashtag50. Use of Environment Variables

hashtag51. Backslashes in Strings

hashtag52. Long Strings of Special Characters

hashtag53. Empty Key in JSON

hashtag55. JSON Injection in Key

hashtag56. Quotation Marks in Strings

hashtag57. Credentials as Nested Arrays

hashtag58. Credentials as Nested Objects

hashtag59. Keys as Numbers

hashtag60. Testing with Greater Than and Less Than Signs

hashtag85. Negative Numbers as Strings

hashtag86. Values as URLs

hashtag87. Strings with Email Format

hashtag88. Strings with IP Address Format

hashtag89. Strings with Date Format

hashtag90. JSON with Exponential Values

hashtag91. JSON with Negative Exponential Values

hashtag92. Using Zero Width Space (U+200B) in Strings

hashtag93. Using Zero Width Joiner (U+200D) in Strings

hashtag94. JSON with Extremely Large Numbers

hashtag95. Strings with Backspace Characters

hashtag96. Test with Emoji in Strings

hashtag97. JSON with Comments (Note: Comments are not officially supported in JSON)

hashtag98. JSON with Base64 Encoded Values

hashtag99. Including Null Byte Character (May cause truncation)

hashtag100. JSON with Credentials in Scientific Notation

hashtag102. Strings with Octal Values

hashtag103. Writeup Test Case

hashtag104. Writeup Test Case (Alternate Format)

1. Basic Credentials

2. Empty Credentials

3. Null Values

4. Credentials as Numbers

6. Credentials as Booleans

7. Credentials as Arrays

8. Credentials as Objects

9. Special Characters in Credentials

10. SQL Injection

11. HTML Tags in Credentials

12. Unicode in Credentials

13. Credentials with Escape Characters

14. Credentials with White Space

15. Overlong Values

16. Malformed JSON (Missing Brace)

17. Malformed JSON (Extra Comma)

18. Missing Login Key

19. Missing Password Key

20. Swapped Key Values

21. Extra Keys

22. Missing Colon

23. Invalid Boolean as Credentials

25. All Keys, No Values

26. Nested Objects

27. Case Sensitivity Testing

28. Login as a Number, Password as a String

29. Login as a String, Password as a Number

30. Repeated Keys

31. Single Quotes Instead of Double

33. Login and Password with Only Special Characters

34. Unicode Escape Sequence

35. Value as Object Instead of String

37. Nonexistent Variables as Values

38. Extra Nested Objects

39. Hexadecimal Values

40. Extra Symbols After Valid JSON

41. Only Keys, Without Values

42. Insertion of Control Characters

43. Long Unicode Strings

44. Newline Characters in Strings

45. Tab Characters in Strings

46. Test with HTML Content in Strings

47. JSON Injection in Strings

48. Test with XML Content in Strings

49. Combination of Number, Strings, and Special Characters

50. Use of Environment Variables

51. Backslashes in Strings

52. Long Strings of Special Characters

53. Empty Key in JSON

55. JSON Injection in Key

56. Quotation Marks in Strings

57. Credentials as Nested Arrays

58. Credentials as Nested Objects

59. Keys as Numbers

60. Testing with Greater Than and Less Than Signs

85. Negative Numbers as Strings

86. Values as URLs

87. Strings with Email Format

88. Strings with IP Address Format

89. Strings with Date Format

90. JSON with Exponential Values

91. JSON with Negative Exponential Values

92. Using Zero Width Space (U+200B) in Strings

93. Using Zero Width Joiner (U+200D) in Strings

94. JSON with Extremely Large Numbers

95. Strings with Backspace Characters

96. Test with Emoji in Strings

97. JSON with Comments (Note: Comments are not officially supported in JSON)

98. JSON with Base64 Encoded Values

99. Including Null Byte Character (May cause truncation)

100. JSON with Credentials in Scientific Notation

102. Strings with Octal Values

103. Writeup Test Case

104. Writeup Test Case (Alternate Format)