I have to develop a security testing framework to make sure all output in our application is encoded.
I have many post & get http requests
Each request may have 1 or many parameters
What I wanted to do with JMeter:
I need to test each parameter individualy by changing the value to a string. So if I have 2 requests, 5 parameters each
I will have to run 5 times. In addition I will have an assertion point to validate response data.
Some ideas I had was to record all the http requests.From the JMX file create a spreadsheet with request details, parameter & value. Go through the list and modify each value to my string value CANARY123!##$%^&(. Then verify that the response data does not contain CANARY123!##$%^&( and that in fact it came back encoded. Run test for each data row.
also thought these might be useful: counters, reg expression, user variables...
Should I use JMeter for this task? If so, how? Should I use something like Burp Suite?
I'd recommend using a security tool which specialises in this sort of thing - they will check for more than just encoding.
Burp is very good, but the free version doesnt include automated scanning.
I'd recommend also looking at OWASP ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
I know a lot of people/companies using ZAP as an automated part of CI: theres some more info about this here: http://code.google.com/p/zaproxy/wiki/SecRegTests
Simon (ZAP Project Lead)
you can typically use CSV Dataset that will contain parameters to be sent and test with assertions they are escaped.
Read:
http://jmeter.apache.org/usermanual/test_plan.html
http://jmeter.apache.org/usermanual/component_reference.html
Related
i want to extract some token named, "encryptedstr" from jmeter request body. That token is not available in the response of any other previous requests.
The sampler is just after login.
How can i extract from request body? or is it related to login encryption?
I don't think you need to extract the variable from the request as it makes no any sense.
I believe you need to generate this parameter somehow, looking into its name I would assume that it contains encrypted request data parameters so it might be the case you need to use __digest() function or if the encryption logic is more complex - use JSR223 PreProcessor and Groovy language for calculating the parameter value.
With regards to encryption algorithm - contact your application developers or use browser developer tools to inspect the corresponding JavaScript function.
I am trying to create a Jmeter script for my project, which includes simple login and logout flow. I recorded the script using Chrome Extension "Blazemeter," found under the login http sampler with post method sending below data in the body.
{"username":"U2FsdGVkX1/NOa/KQxSdikbkXsT8M5bF4K2oSVx/zTBAvyymJ93co+10eUT0cZuJ","password":"U2FsdGVkX183cvN9kZZiv5HRtrV/Z0ZwB89YenArxtA="}
When I replay the script in Jmeter, it is throwing this error:
{"not_auth":"Invalid credentials. Please try again"}
I tried giving the actual credentials but didn't work for me.
Can anyone please help me with this issue? This dynamic value is generated at the browser end and I can not find any dynamic value in previous response.
Record your login flow once again and check username and password values.
If they are the same as for the first recording - the problem lives somewhere else and you will need to figure out what are the differences between requests your JMeter test sends and the requests which are being sent by real browser. I would suggest comparing both using a sniffer tool like Wireshark in order to be able to detect and work around the differences.
If they are different each time you will need to find out what algorithm is being used for encrypting username and password, most likely it is being done by JavaScript directly in the browser so you should be able to figure that out and either re-use or re-implement in JSR223 PreProcessor. For example, your username and password look utterly like Base64-encoded strings so I tried to decode them using Groovy built-in decoding methods but unfortunately it is encrypted with something else in addition
Check out Groovy Is the New Black article for more information on using Groovy in JMeter scripts.
What are some good automated tools for load testing (stress testing) web applications, that do not use record and replay of HTTP network packets?
I am aware that there are numerous load testing tools on the market that record and replay HTTP network packets. But these are unsuitable for my purpose, because of this:
The HTTP packet format changes very often in our application (e.g. when
we optimize an AJAX call). We do not want to adapt all test scripts just because
there is a slight change in HTTP packet format.
Our test team shall not need to know any internals about our application
to write their test scripts. A tool that replays HTTP packets, however, requires
the team to know the format of HTTP requests and responses, such that they
can adapt details of the replayed HTTP packets (e.g. user name).
The automated load testing tool I am looking for should be able to let the test team write "black box" test scripts such as:
Invoke web page at URL http://... .
First, enter XXX into text field XXX.
Then, press button XXX.
Wait until response has been received from web server.
Verify that text field XXX now contains the text XXX.
The tool should be able to simulate up to several 1000 users, and it should be compatible with web applications using ASP.NET and AJAX.
JMeter I've found to be pretty helpful, it also has a recording functionality to record use cases so you don't have to specify each GET/POST manually but rather "click" the use case once and then let JMeter repeat it.
http://jmeter.apache.org/
A license can be expensive for it (if you dont have MSDN), but Visual Studio 2010 Ultimate edition has a great set of load and stress testing tools that do what you describe. You can try it out for free for 90 days here.
TestMaker by PushToTest.com can run recorded scripts such as Selenium as well as many different languages like HTML, Java, Ruby, Groovy, .Net, VB, PHP, etc. It has a common reporting infrastructure and you can create load in your test lab or using cloud testing environments like EC2 for virtual test labs.
They provide free webinars on using open source testing tools on a monthly basis and there is one next Tuesday.
http://www.pushtotest.com
There are a few approaches; I've been in situations, however, where I've had to roll my own load generating utilities.
As far as your test script is concerned it involves:
sending a GET request to http://form entry page (only checking if a 200 response is given)
sending a POST request to http://form submit page with pre-generated key/value pairs for text XXX and performing a regexp check on the response
Unless your web page is complex AJAX there is no need to "simulate a button press" - this is taken care of by the POST request.
Given that your test consists of just a 2-step process there should be several automated load packages that could do this.
I've previously used httperf for load testing a large website: it can simulate a session consisting of several requests and can simulate a large number of users (i.e. sessions) simultaneously. For example, if your website generated a session cookie from the home page you could make that the first request, httperf would then use that cookie for subsequent requests, until it had finished doing the list of requests supplied.
What about http://watin.sourceforge.net/ ?
I'm writing a simple HTTP server which should play nicely with most clients, but is only meant to implement a subset of HTTP 1.1.
During development it would be nice to be able to validate that the generated HTTP reponses are HTTP 1.1 compliant. Is there a tool that can do something along those lines?
Thanks /Erik
It's not a complete conformance suite, but RED does check for a number of different HTTP requirements, and finds common problems.
http://redbot.org/
You could just write unit test cases using any http client library. Make GET and POST requests to your webserver, parse the response and make assertions. As you add additional features, add more test cases.
For example, lets say you only support url-encoded POST requests. So, you write a test case which verifies your server understands url-encoded requests and responds appropriately. Tomorrow, when you add support for multi-part support - that would be another test case altogether.
Every programming language under the sun has good support for HTTP, so writing the test case is a no-brainer.
I would like to write a script that logs into hotmail and changes the first and last name. I am thinking of perl for this, although I imagine that any language would do.
How do I find out what requests to make? I'm guessing that I can do the change requests manually, determine what http requests are being sent to/from the server, determine what pattern is being sent, and then attempt to generate a similar pattern (substituting in the changes I want) in my script.
I took a look at ethereal, but I get a message "the installer is corrupted". I'm going to look at "Advanced http packet sniffer" next - anyone have experience with this tool?
Yes you can use Perl (or any languages with modules that support HTTP(S) ). And you can use libraries already made by people. Eg WWW::Hotmail or Hotwayd. Search CPAN for more of those modules as well.