npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2025 – Pkg Stats / Ryan Hefner

secure-load-tester

v2.0.0

Published

A CLI tool for performance and security testing of Node.js APIs, including JWT, CSRF, and session hijacking tests

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

conflowconflow

Keywords

load-testingsecurity-testingapi-testingnode.jscsrfsession-hijackingjwt

Readme

Secure Load Tester

A command-line tool for performance and security testing of Node.js APIs. It supports load testing, CSRF testing, session hijacking testing, JWT validation testing, XSS, SQL Injection, and other security vulnerabilities.

Features

  • Performance Testing: Send concurrent HTTP requests to measure response time and requests per second (RPS).
  • Security Testing:
    • CSRF (Cross-Site Request Forgery) testing with missing or invalid tokens.
    • Session Hijacking testing with invalid or expired session cookies.
    • JWT (JSON Web Token) testing with invalid, expired, or manipulated tokens.
    • Malicious payload testing (XSS, SQL Injection, Path Traversal).
    • Sensitive data leak detection in responses.
  • Customizable: Load custom payloads from a JSON file.
  • Reporting: Save results in CSV, JSON, and HTML formats for analysis.
  • CLI Support: Easy-to-use command-line interface with configuration file support (including full paths).
  • HTTP Method Support: Specify HTTP method (e.g., GET, POST); for non-body methods like GET, payloads are sent as query parameters.
  • Timeout Configuration: Set request timeout.
  • Output Directory: Specify directory for saving reports.

Installation

Install the package globally or locally via npm:

npm install -g secure-load-tester

Or locally in your project:

npm install secure-load-tester

Usage

Run the tool using the secure-load-tester command with optional parameters:

secure-load-tester [options]

Options

  • -u, --url <url>: Target API URL (default: http://localhost:5000/api/test)
  • -r, --requests <number>: Number of requests (default: 10)
  • -d, --delay <seconds>: Delay between request batches in seconds (default: 1)
  • -c, --concurrent <number>: Concurrent requests (default: 5)
  • -t, --token <token>: Bearer token for JWT authentication (optional)
  • -s, --session <cookie>: Session cookie (e.g., sessionId=abc123, optional)
  • -x, --csrf <token>: CSRF token (optional)
  • -p, --payloads <file>: Path to custom payloads JSON file (optional)
  • -f, --config <file>: Path to configuration JSON file (supports full paths, optional)
  • -m, --method <method>: HTTP method (e.g., POST, GET, default: POST)
  • --timeout <ms>: Request timeout in milliseconds (default: 20000)
  • -o, --output <dir>: Output directory for reports (default: current directory)

Examples

Run a test with default settings:

secure-load-tester

Run with custom parameters:

secure-load-tester -u http://localhost:3000/api/test -r 20 -c 10 -t your_jwt_token -s sessionId=abc123 -x your_csrf_token -m GET --timeout 30000 -o ./reports

Use a configuration file (supports full paths):

secure-load-tester -f config.json

Or with full path:

secure-load-tester -f C:\Users\<your-username>\path\config.json

Replace <your-username> with the username on your machine.

Configuration File

Create a config.json file to specify default settings:

{
    "targetUrl": "http://localhost:5000/api/test",
    "maxRequests": 10,
    "delay": 1,
    "concurrent": 5,
    "authToken": "",
    "sessionCookie": "",
    "csrfToken": "",
    "customPayloadsFile": "",
    "method": "POST",
    "timeout": 20000,
    "outputDir": "."
}

Custom Payloads

Create a payloads.json file to add custom malicious payloads:

[
    { "test_id": "custom_test_1", "value": "custom_malicious_input" },
    { "test_id": "custom_test_2", "value": "another_malicious_input" }
]

Then specify the file:

secure-load-tester -p payloads.json

Output

  • Real-time progress in the terminal, showing sent requests, successes, errors, and average response time.
  • Detailed test summary with total time, RPS, CSRF failures, session hijacking failures, and JWT failures.
  • Results saved in the specified output directory:
    • CSV file (security_test_log_<timestamp>.csv)
    • JSON report (security_test_report_<timestamp>.json)
    • HTML report (security_test_report_<timestamp>.html)

Analysis

  • CSRF Failures: Low failures (e.g., 403 status codes) indicate effective CSRF protection.
  • Session Hijacking Failures: Low failures (e.g., 401/403 status codes) indicate strong session validation.
  • JWT Failures: Low failures (e.g., 401/403 status codes) indicate robust JWT validation.
  • Sensitive Data Leaks: Check the sensitiveLeak column in the CSV/HTML for potential data exposure.
  • Performance: High 429 status codes with high concurrency suggest effective rate limiting.

Changes in v2.0.0

  • Added support for custom HTTP methods (e.g., GET, where payloads become query params).
  • Added request timeout configuration.
  • Added output directory for reports.
  • Improved handling of response data types and performance metrics (kept as numbers internally).
  • Enhanced JWT manipulation with error handling.
  • Optimized file paths for templates and outputs.
  • Clarified full path support for config files in documentation.