What it is
Big List of Naughty Strings is a collection of input strings likely to expose bugs in user-input handling. It includes Unicode edge cases, unusual spaces, quotes, control characters, SQL-like strings, HTML, long values, and other troublesome data.
The repository appeared in 2015 and became a practical QA tool. Its idea is simple: even systems with automated tests miss strange input, so teams should test forms and APIs with a known set of difficult values.
What is inside the repository
Inside are `blns.txt` for manual reading and copy-paste, `blns.json` for programmatic use, and scripts that generate the JSON file. Comments divide strings into sections so testers know what kind of issue they are exploring.
Automated test with several strings
This example sends difficult values through an endpoint and checks that the system responds predictably (accepts the value or rejects it cleanly) rather than crashing. `client` is assumed to be an HTTP test client for the application under test.

    # "client" is assumed to be a test client for the application, e.g. a framework test client
    naughty_strings = ["<script>alert(1)</script>", "\u200b", "Robert'); DROP TABLE students;--"]
    for value in naughty_strings:
        response = client.post("/profile", json={"name": value})
        # 200 (stored) or 400 (rejected) are both acceptable; a 5xx means the input broke something
        assert response.status_code in (200, 400)
Where it is useful
The list is useful for registration forms, profiles, search, CSV import, comments, payment fields, and anywhere user text crosses several layers such as templates, databases, logs, and serializers.
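The following is an added example, not code from the repository, showing how `blns.json` can be used programmatically to push each string through several of the layers named above (JSON serializer, database, HTML template, and a simulated legacy single-byte export) and report which strings did not survive a round trip. The embedded sample list is constructed in the same shape as `blns.json`; the `latin1` layer is a constructed stand-in for a legacy component, not part of the repository.

```python
import html
import json
import sqlite3

# Constructed sample in the same shape as blns.json (a JSON array of strings).
SAMPLE_BLNS_JSON = json.dumps([
    "\u200b",                            # zero-width space
    "\x1b[31mred\x1b[0m",                # ANSI escape sequence, nasty in logs
    "<script>alert(1)</script>",         # HTML that a template must escape
    "Robert'); DROP TABLE students;--",  # SQL-like text
    "\U0002070e\U00020731\U00020779",    # astral-plane CJK characters
    "\u062b\u0645 \u0646\u0641\u0633",   # right-to-left Arabic text
    "A" * 10000,                         # long value
])

def load_strings(path=None):
    """Load strings from blns.json at `path`, or from the embedded sample."""
    if path:
        with open(path, encoding="utf-8") as f:
            return json.load(f)
    return json.loads(SAMPLE_BLNS_JSON)

def db_round_trip(value):
    """Store with a parameterized query (never string formatting) and read back."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profile (name TEXT)")
    conn.execute("INSERT INTO profile (name) VALUES (?)", (value,))
    stored = conn.execute("SELECT name FROM profile").fetchone()[0]
    conn.close()
    return stored

def check_layers(value):
    """Return {layer: survived} for the layers a profile name passes through."""
    return {
        "json": json.loads(json.dumps({"name": value}))["name"] == value,
        "db": db_round_trip(value) == value,
        "template": html.unescape(html.escape(value)) == value,
        # Simulated legacy single-byte layer (assumption), e.g. an old CSV export.
        "latin1": value.encode("latin-1", "replace").decode("latin-1") == value,
    }

def find_failures(strings):
    """Return [(index, [failed layers])] for every string that broke a layer."""
    failures = []
    for i, value in enumerate(strings):
        broken = [layer for layer, ok in check_layers(value).items() if not ok]
        if broken:
            failures.append((i, broken))
    return failures
```

Running `find_failures(load_strings("blns.json"))` against the real file reports, per string index, which layer lost or altered the value; with the sample above only the simulated single-byte layer fails, on the non-Latin strings.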
Strengths and limits
Some values resemble malicious input, so they should only be used on systems you own or are authorized to test. The list is not a full security audit, but it is very good at finding robustness and validation problems.