Most of what I do involves the messy world of text, and I think this is a great resource. I wish the software I depended on tested against it.
I can think of a few more cases that I've seen cause havoc:
- U+FEFF in the middle of a string (people are used to seeing it at the beginning of a string, because Microsoft, but elsewhere it may be more surprising)
- U+0 (it's encoded as the null byte!)
- U+1B (the codepoint for "escape")
- U+85 (Python's "codecs" module thinks this is a newline, while the "io" module and the Python 3 standard library don't)
- U+2028 and U+2029 (even weirder linebreaks that cause disagreement when used in JSON literals)
- A glyph with a million combining marks on it, but not in NFC order (do your Unicode algorithms use insertion sort?)
- The sequence U+100000 U+010000 (triggers a weird bug in Python 3.2 only)
- "Forbidden" strings that are still encodable, such as U+FFFF, U+1FFFF, and for some reason U+FDD0
People should also test what happens with isolated surrogate codepoints, such as U+D800. But these can't properly be encoded in UTF-8, so I guess don't put them in the BLNS. (If you put the fake UTF-8 for them in a file, the best thing for a program to do would be to give up on reading the file.)
Isolated UTF-16 surrogate code points definitely crash Unity when it tries to display them. (Seen when I pasted some emoji in a text box in TIS-100 and tried to backspace.)
It's supposed to be reserved for applications. In practice... you may see them in the wild anyway. So it's important that they show up in test vectors!
One fun (and very interesting) string is EICAR[0]. I worked for an antivirus company once and we had the EICAR string for testing but couldn't check it into source control because it triggered the AV software which we dogfooded...
Interestingly, I found what caused the false-negative. If I used Vim to create the file, it was picked up. If I "echo ...EICAR > text.txt" it doesn't get picked up, at least not immediately!
The on-access scanner intercepts requests to open files, and scans them. Echo just writes to the file and closes it. It doesn't try to open it again once the EICAR string is in there. I'm speculating here, but Vim probably writes the file/buffer, flushes, and then tries to obtain a file handle to it. At that point an on-access scan will occur, and it will find the EICAR string.
Fun times indeed. Windows defender picks up a test.txt with those contents as malicious (and closes the file handle causing Notepad to misbehave) but if you add a space between EI and CAR it doesn't see anything.
Edit: Seriously, Microsoft?
Category: Virus
Description: This program is dangerous and replicates by infecting other files.
Recommended action: Remove this software immediately.
Microsoft is doing the right thing. The whole point of that string is to trigger such behaviour. It's so you can use it to test that your antivirus is working.
Yes. Otherwise the only way to verify an anti malware system is working is with something actually malicious. So, you know, that's a bad plan. Think of system administrators deploying and validating a security package.
>Anti-virus programmers set the EICAR string as a verified virus, similar to other identified signatures. A compliant virus scanner, when detecting the file, will respond in exactly the same manner as if it found a harmful virus. Not all virus scanners are compliant, and may not detect the file even when they are correctly configured.
Yeah, I would make the SQL injection and command injections test a little less kinetic =). Using a simple SELECT test, like SELECT @@VERSION, would be a little safer... Edit: Forget to say thanks! This is a pretty cool list.
Not necessarily. If you do a test with good SQL and a second test with SQL Injection and compare the responses that can show SQL Injection exists without having to change the database. This won't work for all SQL injection tests, but I would rather take this approach first.
It's not completely clear to me which encoding the blns.txt file uses. Since this project is all about weird/evil bytestrings, the encoding of the file itself is very important.
Using a newline as a delimiter in that file excludes newlines from being part of the strings you are testing - but newlines are an important "naughty" character to consider. Unfortunately the same is true of basically any other common delimiter character.
Maybe base64-encoding the strings would be one way to solve for this? You could use base64-encoded values in JSON, for example.
Fair question. Encoding is UTF-8. This is fine for time being since UTF-8 is ubiquitous.
I had it set as UTF-16 for the two-byte characters when first writing it, but that had caused issues. If there is a demand, a second list can be added.
for anyone testing web sites, I built a chrome extension that makes things like this available in the right-click menu [1]
the code is on github, so it can be easily extended [2]
Yeah, the other exploit strings do innocuous stuff like putting up javascript alerts or touching files, but the SQL injection ones aren't innocuous at all. I wonder if there's something better to replace those with. Something like `1'; CREATE TABLE blns ...--` would be more akin to what the shell exploits do.
Wouldn't it make more sense to define building blocks and automatically generate all sensible combinations? Otherwise I don't think this list can be managed by hand, especially not in a volunteer project.
You'd do better with "הבה נרדה ונבלה שם שפתם אשר לא ישמעו איש שפת ראהו" (Genesis 11:7)
That's God saying he will make multiple languages to confuse everyone...
The list seems to be missing the simplest naughty string of all: The empty string!
(Well, the text file has empty lines separating the comments and example strings so it technically includes the empty string, but it's not in the JSON file.)
Is the scope just well-formed strings or would you consider adding binary nasties like null bytes, mal-encoded characters, or even just newlines on their own?
What about XML billion laughs strings, or parser-busting very long runs of parentheses?
Nice; sort of a programming complement to Shutterstock's _List of Dirty, Naughty, Obscene, and Otherwise Bad Words_[0]. So helpful to have a bunch of minds working on useful lists like this. Good to see that GitHub passes this test!
I worked on a swear filter at a previous job. Not quite sure how this list could benefit anyone really unless you are matching a whole string e.g. title of a photo rather than words in the title of a photo.
There are so many creative ways to get around swearing. Replace letters with numbers, drop consonants and vowels. And you almost always need to check for word boundaries otherwise somebody from Scunthorpe might be upset you banned them. And then there are cases where word boundaries aren't enough. Good luck ;-)
I doubt the value of this repository. The first naughty French word "allumé" can't be considered naughty, dirty, or bad, like, at all. And many others are not naughty under too many circumstances...
Except very few swear words, word filtering is pretty much useless.
* How could this be used to test 'corrupt' characters? Isn't the process of savign the file itself as UTF-8 un-corrupt...the file?
* Is there some recommended way to group these into "strings that should pass validation" versus "strings that should fail"... or is that too application-specific?
If you really intend this for use in testing, I'd suggest making the injections less nasty. I could easily see a junior dev slapping this in and deleting some important stuff.
I'd also add more invalid UTF encodings and embedded null bytes, etc. The JSON format would be preferable to plain text for that though.
I was actually inspired by the concept that lovecraftian horrors can be accessed and interacted with programmatically, prominently featured in Stross's Atrocity Archives: https://en.wikipedia.org/wiki/The_Atrocity_Archives
/dev/urandom can also be used as a source of random and unusual input data, as it contains by definition all 256 byte values and 65536 2-byte values, 16M 3-byte values, etc., and should eventually output every possible string.
I absolutely love strange unicode strings. It's handy if you ever want to find out what a server's running. One time, I put a bunch of emoji's in a GET param of a Google site, then got a big Java error page. I had no idea Google ran Java.
I don't recall exactly where this was, but I know I've worked with an API before that sometimes dropped requests, and it was because some randomly generated data included 'naughty text' like 'xxx', or profanity. I was expecting a dataset intended to catch this problem...
I can think of a few more cases that I've seen cause havoc:
- U+FEFF in the middle of a string (people are used to seeing it at the beginning of a string, because Microsoft, but elsewhere it may be more surprising)
- U+0 (it's encoded as the null byte!)
- U+1B (the codepoint for "escape")
- U+85 (Python's "codecs" module thinks this is a newline, while the "io" module and the Python 3 standard library don't)
- U+2028 and U+2029 (even weirder linebreaks that cause disagreement when used in JSON literals)
- A glyph with a million combining marks on it, but not in NFC order (do your Unicode algorithms use insertion sort?)
- The sequence U+100000 U+010000 (triggers a weird bug in Python 3.2 only)
- "Forbidden" strings that are still encodable, such as U+FFFF, U+1FFFF, and for some reason U+FDD0
People should also test what happens with isolated surrogate codepoints, such as U+D800. But these can't properly be encoded in UTF-8, so I guess don't put them in the BLNS. (If you put the fake UTF-8 for them in a file, the best thing for a program to do would be to give up on reading the file.)