i want to extract some token named, "encryptedstr" from jmeter request body. That token is not available in the response of any other previous requests.
The sampler is just after login.
How can i extract from request body? or is it related to login encryption?
I don't think you need to extract the variable from the request as it makes no any sense.
I believe you need to generate this parameter somehow, looking into its name I would assume that it contains encrypted request data parameters so it might be the case you need to use __digest() function or if the encryption logic is more complex - use JSR223 PreProcessor and Groovy language for calculating the parameter value.
With regards to encryption algorithm - contact your application developers or use browser developer tools to inspect the corresponding JavaScript function.
Related
Perhaps a partial duplicate of What is the correct http verb for a Download in a REST API? , though that is referring to a file download specifically.
In terms of CRUD operations, POST is the recommended HTTP verb for creating a resource. Does this still apply to creating resources, even if those resources are not persisted on the server? (i.e. stored in a database or similar) For example, generating some code based on code the client sent or converting a file and returning it to the client.
With such types of functionality, the server has indeed "created" something, though only in passing, returning or streaming it to the client, and not storing it in the traditional CRUD sense. I've always used POST for such functionality, but now I'm starting to double guess myself and think that those could have been GET endpoints the whole time.
Seems like a weird gray area in which neither HTTP verbs GET or POST completely match.
Is POST the correct HTTP verb for resources that are produced by but not stored by the server?
Yes - or alternatively, it's the least incorrect choice to use.
POST serves many useful purposes in HTTP, including the general purpose of “this action isn’t worth standardizing.” -- Fielding, 2009
In 2020, the HTTP-WG adopted a proposal to define a method token for "GET with a body", which would give as an alternative to POST when we want to indicate to general purpose components that the request has safe semantics, so there should eventually be some registered method that is a better fit.
There is no gray area here.
If the state of the server changes, use an unsafe method like POST. If it does not, you can use a safe methof like GET, as long as you stay within the documented limitations of GET (no request body).
If you're looking for a safe method that does take a request body, you may want to look at https://datatracker.ietf.org/doc/draft-ietf-httpbis-safe-method-w-body/.
I am trying to create a Jmeter script for my project, which includes simple login and logout flow. I recorded the script using Chrome Extension "Blazemeter," found under the login http sampler with post method sending below data in the body.
{"username":"U2FsdGVkX1/NOa/KQxSdikbkXsT8M5bF4K2oSVx/zTBAvyymJ93co+10eUT0cZuJ","password":"U2FsdGVkX183cvN9kZZiv5HRtrV/Z0ZwB89YenArxtA="}
When I replay the script in Jmeter, it is throwing this error:
{"not_auth":"Invalid credentials. Please try again"}
I tried giving the actual credentials but didn't work for me.
Can anyone please help me with this issue? This dynamic value is generated at the browser end and I can not find any dynamic value in previous response.
Record your login flow once again and check username and password values.
If they are the same as for the first recording - the problem lives somewhere else and you will need to figure out what are the differences between requests your JMeter test sends and the requests which are being sent by real browser. I would suggest comparing both using a sniffer tool like Wireshark in order to be able to detect and work around the differences.
If they are different each time you will need to find out what algorithm is being used for encrypting username and password, most likely it is being done by JavaScript directly in the browser so you should be able to figure that out and either re-use or re-implement in JSR223 PreProcessor. For example, your username and password look utterly like Base64-encoded strings so I tried to decode them using Groovy built-in decoding methods but unfortunately it is encrypted with something else in addition
Check out Groovy Is the New Black article for more information on using Groovy in JMeter scripts.
Two things:
First, am I correct that an HTTP POST can be used to retrieve existing information? If so, what is the response code?
Second, if POST can be used, what id the format of the URL in a Web.API application, and what data should be sent to the server.
Company security does not prevent using HTTP Get, but they strongly discourage it because of some sort of security issues. OTOH, I really dislike naming a method PostInformation(), when I want to GET existing information.
Thanks
am I correct that an HTTP POST can be used to retrieve existing information?
From RFC 7231, section 4.3.3:
The POST method requests that the target resource process the representation enclosed in the request according to the resource's own specific semantics.
This implies that the server changes state while not strictly requiring it. So yes, while not really encouraged, this is safe to do. As a matter of fact, many web applications have done so in the past to circumvent limitations of the GET method such as overly long URLs.
what [is] the format of the URL in a Web.API application, and what data should be sent to the server.
The URL would be the same sans the query string. If you mark the body of your request being application/x-www-form-urlencoded, you can fill it with the same string you would normally use for the query string. For more complex or binary data, you should use multipart/formdata (see this answer).
I really dislike naming a method PostInformation(), when I want to GET existing information
That is pretty much a non-issue. I understand your worries, but consider this: What you ultimately do is getting data. How you do so is an implementation detail of the protocol in use. Nothing should prevent you from naming your method PostInformation(). Besides, what were you to do if the implementation changes and you suddenly used GET instead of POST? Refactor all occurences of PostInformation() into GetInformation()?
I am working on a Web API service for our Web application (current project). One controller in the Web API will be responsible to retrieve a list of entities of a certain type. So far so good. The problem is that we have a request to filter the list based on search criteria. This search/filter criteria has about a dozen different parameters, some of which can be null. So I figured I create a custom class (let's call it "EntityFilterCriteria") and I instantiate it on the Web application side with whatever filtering fields the user enters (I leave the ones that the user do not enter set to null). Now how do I pass this object to my Web API method? I do not want to build an URL with all parameters because it's going to be a huge URL, plus some parameters may be missing. I can't have a body in the GET HTTP command to serialize my EntityFilterCriteria object so what do I use? POST? It is not really a POST because nothing is updated on the server side. It is really a GET, as in "get me all the records that match this search criteria". What is the common approach in such situations?
Thanks,
Eddie
Serialize the class to JSON and post it to your server, the JSON string will be your post body. Once it is posted you can then deserialize into a class with the same signature. Most languages have either built-in support or free 3rd party modules that can do this for you.
Well the initial danger of using GET for such a request is that the longest url you can send which is guarenteed to work across all web browsers and servers is about 1400 bytes in length.
Personally I would use JSON to encode all of your filter parameters and submit them to the server in the body of a POST command due to the lack of size limit on the sent data.
While there is a semantic difference between GET and POST commands which was intentioned when the HTTP RFC's were written decades ago, those decades of practical use have shifted rather significantly (in the same way that barely anybody uses PUT or DELETE)
I don't see any drawbacks to use a POST method to execute your query and get the result back. For example, ElasticSearch uses this approach to execute queries against the database. See this link for example: http://exploringelasticsearch.com/searching_data.html. In REST, POST isn't necessary used to update data.
Hope it helps.
Thierry
I have to develop a security testing framework to make sure all output in our application is encoded.
I have many post & get http requests
Each request may have 1 or many parameters
What I wanted to do with JMeter:
I need to test each parameter individualy by changing the value to a string. So if I have 2 requests, 5 parameters each
I will have to run 5 times. In addition I will have an assertion point to validate response data.
Some ideas I had was to record all the http requests.From the JMX file create a spreadsheet with request details, parameter & value. Go through the list and modify each value to my string value CANARY123!##$%^&(. Then verify that the response data does not contain CANARY123!##$%^&( and that in fact it came back encoded. Run test for each data row.
also thought these might be useful: counters, reg expression, user variables...
Should I use JMeter for this task? If so, how? Should I use something like Burp Suite?
I'd recommend using a security tool which specialises in this sort of thing - they will check for more than just encoding.
Burp is very good, but the free version doesnt include automated scanning.
I'd recommend also looking at OWASP ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
I know a lot of people/companies using ZAP as an automated part of CI: theres some more info about this here: http://code.google.com/p/zaproxy/wiki/SecRegTests
Simon (ZAP Project Lead)
you can typically use CSV Dataset that will contain parameters to be sent and test with assertions they are escaped.
Read:
http://jmeter.apache.org/usermanual/test_plan.html
http://jmeter.apache.org/usermanual/component_reference.html