Skip to main content

Payload Generators

Generators produce attack payloads via the $generate directive. They implement the PayloadGenerator trait and support lazy evaluation - factory objects are created at config load time, bytes are generated at response time.

See TJ-SPEC-005 for the formal specification.

Generator types

nested_json

Produces deeply nested JSON structures for parser stack exhaustion.

$generate:
  type: nested_json
  depth: 50000
  structure: object
ParameterTypeDefaultDescription
depthinteger1000Nesting depth
structurestringobjectStructure type

Structure types:

ValueOutput
object{"a":{"a":{"a":...}}}
array[[[[...]]]]
mixedAlternating objects and arrays

Limits: Subject to max_nest_depth (default: 100,000).

garbage

Produces random byte payloads in configurable character sets.

$generate:
  type: garbage
  size: 10485760
  charset: utf8
ParameterTypeDefaultDescription
sizeinteger1024Output size in bytes
charsetstringasciiCharacter set

Character sets:

ValueCharacters
asciiPrintable ASCII (0x20–0x7E)
utf8Valid UTF-8 multibyte sequences
binaryRaw bytes (0x00–0xFF)
numericDigits (0–9)
alphanumericLetters and digits

Limits: Subject to max_payload_bytes (default: 100 MB).

batch_notifications

Produces a JSON-RPC batch array of MCP notifications for amplification attacks.

$generate:
  type: batch_notifications
  count: 10000
  method: "notifications/message"
ParameterTypeDefaultDescription
countinteger100Number of notifications in batch
methodstringnotifications/messageNotification method name

Limits: Subject to max_batch_size (default: 100,000).

repeated_keys

Produces a JSON object with duplicate keys for hash collision attacks.

$generate:
  type: repeated_keys
  count: 100000
  key_length: 8
ParameterTypeDefaultDescription
countinteger1000Number of duplicate keys
key_lengthinteger8Length of each key string

Limits: Subject to max_payload_bytes.

unicode_spam

Produces Unicode abuse payloads for display corruption and rendering attacks.

$generate:
  type: unicode_spam
  size: 4096
  categories:
    - zero_width
    - rtl
ParameterTypeDefaultDescription
sizeinteger1024Approximate output size in bytes
categoriesarrayallUnicode categories to include

Unicode categories:

ValueCharactersEffect
zero_widthU+200B, U+200C, U+200D, U+FEFFInvisible characters
homoglyphCyrillic/Greek lookalikesVisual spoofing
combiningU+0300–U+036FStacked diacritical marks
rtlU+202E, U+202D, U+2066Text direction override
emojiVarious emoji sequencesRendering complexity

Limits: Subject to max_payload_bytes.

ansi_escape

Produces ANSI escape sequences for terminal injection attacks.

$generate:
  type: ansi_escape
  sequences:
    - title
    - hyperlink
    - cursor_move
ParameterTypeDefaultDescription
sequencesarrayallSequence types to include

Sequence types:

ValueEscapeEffect
cursor_move\x1b[H, \x1b[2JMove cursor, clear screen
color\x1b[31mChange text colors
title\x1b]0;...\x07Set terminal title
hyperlink\x1b]8;;...\x07OSC 8 hyperlinks
clear\x1b[2J, \x1b[3JClear screen/scrollback

Limits

All generators respect hardcoded limits:

LimitDefault
Max payload size100 MB
Max nesting depth100,000
Max batch size100,000

Limits are validated in the generator constructor. Exceeding a limit causes a runtime error (exit code 10).

Streaming

Payloads larger than 1 MB (the STREAMING_THRESHOLD) are generated as streams via the PayloadStream trait. Streaming generates chunks incrementally instead of buffering the entire payload in memory.

The GeneratedPayload enum has two variants:

  • Buffered(Vec<u8>) - small payloads held in memory
  • Streamed(Box<dyn PayloadStream>) - large payloads yielded incrementally

Determinism

Generators that use randomness accept an optional seed parameter. Given the same seed, a generator produces identical output. This is useful for reproducible testing.

$generate:
  type: garbage
  size: 1024
  charset: ascii
  seed: 42

See also