Parameter in sqlmap - sqlmap

I have to test a web system to see if it is vulnerable to SQLi. I use sqlmap. I have some POST and GET requests with a lot of parameters. My question is: when do I have to use the -p parameter? I don't want to extract all parameters from the requests; it is too time consuming. I guess I don't need to set the -p parameter if I want to test all parameters.

Related

Is there anyway to batch rdap request for domains?

I want to check 500 domains. Does RDAP support a way to do it in one API call, or do I have to do each domain individually?
$ for i in {1..10}; do curl https://rdap.verisign.com/com/v1/domain/chovy.com -s | jq -r '.events[] | select(.eventAction | contains("expiration")) | .eventDate'; done   # one HTTPS request per iteration; the jq filter prints the expiration eventDate
No.
See RFC7482:
3.1. Lookup Path Segment Specification
A simple lookup to determine if an object exists (or not)
RDAP is JSON over HTTPS in a REST fashion. So you query for one "object", be it a domain, a host, a contact, or other things (RDAP is not only used for domain name registries but also IP ones).
There is search in RDAP (see section 3.2 in the above RFC) and also various drafts about extensions (regular expressions, etc.) to be able to do a query that gets back potentially multiple results. However, no registries in production enable that, and you can easily imagine that very few will, especially through public access.
Please note:
- you do not need to do your queries sequentially in case of large batches; you can use threads or multiple processes
- if you are not cautious (in limiting your requests) you will get at least rate limited, if not completely banned for some time.
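The approach the answer describes, as an added example (not code from the question or the answer): one RDAP lookup per domain, run from a bounded thread pool with a shared rate limiter so a large batch does not get the client banned. The expiration-date extraction mirrors the jq filter in the question; the registry reply is a constructed sample so the block runs offline, and `fetch` is an assumed callable that returns decoded RDAP JSON for a URL.

```python
import json
import threading
import time
from concurrent.futures import ThreadPoolExecutor

RDAP_BASE = "https://rdap.verisign.com/com/v1/domain/"  # endpoint used in the question


def expiration_date(rdap_json):
    """Mirror the jq filter: eventDate of the event whose eventAction contains 'expiration'."""
    for event in rdap_json.get("events", []):
        if "expiration" in event.get("eventAction", ""):
            return event.get("eventDate")
    return None


class RateLimiter:
    """Space calls at least 1/per_second apart across all worker threads."""
    def __init__(self, per_second):
        self.interval = 1.0 / per_second
        self.lock = threading.Lock()
        self.next_allowed = 0.0

    def wait(self):
        with self.lock:  # reserve the next slot atomically, then sleep outside the lock
            now = time.monotonic()
            delay = max(0.0, self.next_allowed - now)
            self.next_allowed = max(now, self.next_allowed) + self.interval
        time.sleep(delay)


def batch_expirations(domains, fetch, workers=5, per_second=4):
    """One lookup per domain (RDAP has no bulk lookup), in parallel but rate limited.
    fetch(url) is assumed to return the decoded RDAP JSON object for that URL."""
    limiter = RateLimiter(per_second)

    def lookup(domain):
        limiter.wait()
        return domain, expiration_date(fetch(RDAP_BASE + domain))

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lookup, domains))


# Constructed sample reply in RDAP shape (not a real registry response) so the
# block runs offline; replace fake_fetch with an HTTPS GET plus json.loads.
SAMPLE_REPLY = json.loads('{"events": [{"eventAction": "registration", "eventDate": "2001-01-01T00:00:00Z"},'
                          ' {"eventAction": "expiration", "eventDate": "2030-01-01T00:00:00Z"}]}')

def fake_fetch(url):
    return SAMPLE_REPLY if url.endswith("/example.com") else {"events": []}

if __name__ == "__main__":
    print(batch_expirations(["example.com", "example.net"], fake_fetch))
```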

How to extract dynamic value from Jmeter request body?

I want to extract a token named "encryptedstr" from the JMeter request body. That token is not available in the response of any previous request.
The sampler is just after login.
How can I extract it from the request body? Or is it related to login encryption?
I don't think you need to extract the variable from the request, as it makes no sense.
I believe you need to generate this parameter somehow. Looking at its name, I would assume that it contains encrypted request data parameters, so it might be the case that you need to use the __digest() function or, if the encryption logic is more complex, use a JSR223 PreProcessor and the Groovy language for calculating the parameter value.
With regards to encryption algorithm - contact your application developers or use browser developer tools to inspect the corresponding JavaScript function.

Lua OpenResty testing

How can I mock the ngx object and test my Lua files?
For example, let's say I have
-- file.lua
function computeUpstream()
    -- advanced calculations!
    return theCalculatedUpstream
end

ngx.var.upstream = computeUpstream()
And I want to test this file. How do I do that?
IMO the best solution is to use the official OpenResty Docker images, run your configuration within a container and test it with a series of HTTP requests.
Using Docker (and maybe docker-compose) one may simulate the whole infrastructure of the tested application: mock backends, a database with initial content, etc.
After some tests and tries you will find a way for good enough code coverage.

jmeter run same HTTP Request on multiple servers

I am trying to have JMeter run the same exact tests (same threads, assertions, etc.) on multiple servers. Is it possible to do this without defining separate HTTP Request objects for each one? I have tried setting up multiple HTTP Config elements but this does not work.
Thank you
The easiest and most functional way is to set up a CSV file with the list of hosts you want to run the tests on, then use CSV Data Set Config (Add -> Config Element) to load this file and set a variable name to something like hostname or whatever. Then add an HTTP Request Defaults element and set 'Server Name or IP' to that ${hostname}, and you are pretty much set up. Now you just need to set the Thread Group's 'Number of Threads' to the number of hosts you are trying to check, so it will assign a different value from the file to each thread.
The only thing you have to remember is to put your CSV Data Set Config before the requests, at the beginning of the thread or (if you want to use it with a larger number of threads) before the Thread Groups. And of course to change the number of threads to run it for each host/IP.
I've tested it a minute ago and it works for sure.

How to use JMeter to test encoding in HTTP Request? Burp Suite?

I have to develop a security testing framework to make sure all output in our application is encoded.
I have many POST and GET HTTP requests.
Each request may have 1 or many parameters.
What I wanted to do with JMeter:
I need to test each parameter individually by changing the value to a string. So if I have 2 requests, 5 parameters each,
I will have to run 5 times. In addition I will have an assertion point to validate response data.
Some ideas I had: record all the HTTP requests. From the JMX file create a spreadsheet with request details, parameter and value. Go through the list and modify each value to my string value CANARY123!##$%^&(. Then verify that the response data does not contain CANARY123!##$%^&( and that in fact it came back encoded. Run the test for each data row.
I also thought these might be useful: counters, regular expressions, user variables...
Should I use JMeter for this task? If so, how? Or should I use something like Burp Suite?
I'd recommend using a security tool which specialises in this sort of thing - they will check for more than just encoding.
Burp is very good, but the free version doesn't include automated scanning.
I'd recommend also looking at OWASP ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
I know a lot of people/companies using ZAP as an automated part of CI; there's some more info about this here: http://code.google.com/p/zaproxy/wiki/SecRegTests
Simon (ZAP Project Lead)
You can typically use a CSV Data Set that contains the parameters to be sent, and test with assertions that they are escaped.
Read:
http://jmeter.apache.org/usermanual/test_plan.html
http://jmeter.apache.org/usermanual/component_reference.html
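The canary approach from the question, as an added example (not code from the question, the answers, JMeter or ZAP): one test case per parameter with that parameter set to the canary string, and a response check that treats an unencoded echo as the defect. The request list and the response bodies are constructed samples; a JMeter JSR223 assertion or a CI script would supply the real ones.

```python
import html
from urllib.parse import quote

CANARY = "CANARY123!##$%^&("  # marker string from the question


def canary_cases(requests, canary=CANARY):
    """One test case per parameter: that parameter set to the canary, all others unchanged."""
    cases = []
    for req in requests:
        for name in req["params"]:
            params = dict(req["params"])
            params[name] = canary
            cases.append({"method": req["method"], "url": req["url"], "param": name, "params": params})
    return cases


def encoded_forms(canary):
    """Forms of the canary that count as correctly encoded for common output contexts."""
    return {
        "html": html.escape(canary, quote=True),  # only & is special here, so it becomes &amp;
        "url": quote(canary, safe=""),            # every non-alphanumeric character percent-encoded
    }


def check_reflection(body, canary=CANARY):
    """Classify a response: 'raw' (echoed unencoded, the bug), 'encoded', or 'absent'.
    The raw check runs first; no encoded form contains the raw string, so it cannot misfire."""
    if canary in body:
        return "raw"
    if any(form in body for form in encoded_forms(canary).values()):
        return "encoded"
    return "absent"


# Constructed sample responses, not captured from a real application.
SAMPLE_BODIES = {
    "<p>Hello CANARY123!##$%^&amp;(</p>": "encoded",
    '<a href="/u?q=CANARY123%21%23%23%24%25%5E%26%28">back</a>': "encoded",
    "<p>Hello CANARY123!##$%^&(</p>": "raw",
    "<p>Hello guest</p>": "absent",
}

if __name__ == "__main__":
    for case in canary_cases([{"method": "POST", "url": "/login", "params": {"user": "a", "pw": "b"}}]):
        print(case["param"], case["params"])
    for body, expected in SAMPLE_BODIES.items():
        print(check_reflection(body), "expected", expected)
```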
