We have an application written entirely using KSH script. Some of the GET request parameters carry sensitive data (for e.g. Username, DB name, etc.). We have been instructed to convert those requests from GET to POST. Is it possible to do that now? Please advise. Thanks.
Related
I have an API on one of our production manifacturing machines that has no documentation but the machine also has web interface. I open the interface on our internal IP that machine has - https://192.168.55.61/
So when I go to the section where I see the logs from the machines I go to console->network and I see the endpoint request performing:
When I use the URL and cookie in my Postman it works and returns an answer:
The problem is answer's format. Here I am not familiar how I should handle this and if I should put another Header for format. Is it possible to read this as you can see it returns something quite not readable. Also vendor of the machine is not willing to give me API documentation as he is insisting that something like API does not exist on machine (which is obviously a lie).
Is there any change to check something on console->network also to be able to help me to read the format?
EDIT:
Response Headers:
I am new to JMetet and I am having a lot of difficulties in understanding how it works.
I created a TC to add an object to my system using Blaze meter. Then, I imported the TC in Jmeter.
This TC fails when it should not (at least thats what I think) because whenever I use the system it works correctly:
This is the thread group if you need it to help me:
Am I doing something wrong? AM I missing something?
IMPORTANT: Should I be able to see my object added to the system if the TC passes?
As per HTTP Status Code 403 Forbidden description:
The HTTP 403 Forbidden client error status response code indicates that the server understood the request but refuses to authorize it.
This status is similar to 401, but in this case, re-authenticating will make no difference. The access is permanently forbidden and tied to the application logic, such as insufficient rights to a resource.
If your script assumes authentication most probably it fails somewhere somehow due to missing or improperly working correlation, for example this eedd968fe... bit
looks utterly suspicious, most probably you need to replace it with a some form of dynamic parameter extracted from the previous request using a suitable JMeter Post-Processor
Normally the flow looks like:
Open login page
Identify and extract all dynamic parameters and save them into JMeter Variables
Send the parameters along with credentials in the 2nd request
Check out Using Regular Expressions to Extract Tokens and Session IDs to Variables article for example challenge and solution
What I am trying to do:
I am trying to setup a load-test for a SAML authenticated application.
What I have done so far:
I have captured my http traffic in JMeter and setup a scenario.
I have read up on how SAML works and tried to place what I am doing wrong.
But as far as I can see my expectation is viable.
What I run into:
I am having some trouble with the correlation of the SAMLRequest/SAMLResponse values.
My Expected results vs actual results:
I am looking to extract the value of the SAMLRequest and RelayState parameters from the responses I get when I login on my SP (application using SAML)
I login with username + password and then expect the responses I get in my Chrome Dev Tools to contain a SAMLRequest and RelayState
Then I wish to extract the value of SAMLRequest and use it in the next POST to obtain a SAMLResponse, which in turn I wish to extract in order to authenticate myself for the remainder of the scenario.
But I am misunderstanding something or I am overlooking a value somewhere, because I cannot seem to find where to capture SAMLRequest from to be able to reuse it in the first SAML post to get the SAMLResponse.
I only see SAMLRequest and RelayState in the POST of the recorded step, but in order to re-use this scenario I need to correlate these values but have no idea where to get them from as they do not seem to appear in the responses prior to this POST (at least not that I can see)
Where do I extract the value of SAMLRequest from and how?
Like Amol pointed out above, I have found the issue is with the response logging or lack thereof in the Chrome Browser.
I have switched to FireFox and was able to view the expected responses I was looking for.
Whereas in Chrome these Responses were empty according to the Dev Tools.
The issue was fixed by correlating the values as you would normally expect within JMeter, which was made possible now I knew where to look for them.
Thank you Amol!
I'm new to using Jmeter tool.
I have recorded my application using blazemeter (v3.1) and then trying to run that .jmx file in Jmeter, however I am running into an authorization issue and the script fails to run.
I have also tried setting my "HTTP Authorization Manager" with username, url, password but it does not help. If anyone can, please guide me on this Issue. Thanks.
As per 4 Things You Should Never Do with Your JMeter Script article:
Don’t run the script exactly as you recorded it
After recording your script, there is still some work to do before you run it. It’s necessary to correlate variables, parameterize and add elements, to faithfully simulate users.
There are too many ways of possible authentication implementation in your application, most probably you need to send some dynamic value along with credentials which can be fetched from the previous request.
Record your test scenario 2 times and compare recorded requests. Be careful as differences might be in response headers and URL, not only in response data. It makes sense to add View Results Tree listener directly to HTTP(S) Test Script Recorder - this way you will be able to see what data is captured by JMeter and amend its configuration so simulated request would look exactly like the request from the real browser.
I'm trying to work around the fact that twitter uses a call-limit by letting the client do a call to Twitter(By parameters given by my script, like last_id, username etc) and give me the newly found tweets by posting them via an AJAX request that I store in my database after.
However, if i figure out the parameters that are being sent from my getTweets javascript function to my save_tweets.php via a JSON array it's not that hard to post random stuff with an extension like the REST console in chrome.
Obviously i want the tweets to be legit and can not be manipulated(or posted) by anyone. I understand that javascript is clientside and therefore there is not much control over the content being grabbed and put away again but is there a way to be safe that the POST data you send comes from a user/webpage that is allowed to do so?
I've tried thinking of a PHP session token or something, but that doesn't fly since you have to cross-check that token which you therefore have to send along with the JSON array to my PHP.
Thanks in advance,
p.s If you know a different way to not being obstructed by a call limit to Twitter i'd be happy with that too. But 150 calls from a server isn't that much if you get a 1000+ users an hour to your page.