How to prevent autheticated user from sending similar request via POSTMAN? - validation

I am developing a simple website using MEAN stack that gives a logged-in user a task to complete and sends a score to the backend corresponding to their performance on that task. User can skip to next task in which case no score is sent. Problem is: How can I differentiate between a user cheating and sending score via a POST request on POSTMAN (by changing POST values to increase score) and a POST request created by my frontend code. How to work around this problem?

Welcome to Stackoverflow, to check if the request is made by POSTMAN (so locally) or by your backend (called by your front end) you just have to check if the request IP is your server or not.
This is a WhiteList solution
MEAN Stack use NodeJS, so you can use :
request.connection.remoteAddress
EDIT :
You can put a special parameter in your header when send a request with your front OR your Postman, and you check it when you receive it

Related

How to perform a GET request after a POST request with web-sockets

I am currently trying to build a go API using gin for a web and mobile application. I am new to the world of WebSockets and Go so I was wondering how I would go about triggering a GET request from the client after a relevant POST request was made ie: the POST request contained the user's ID so the clients who require information regarding that user are properly updated. Currently, I have the POST and GET requests which do what I need them, but I'm a little lost about how to make the entire flow realtime using WebSockets.
I believe this example of server-sent-events should address the question. Once a POST handler has been called, send a flag to the GET endpoint via a channel and then send an event through there.

Azure AD authentication with Jmeter

I want to do performance testing of my site which uses the Azure AD authentication. In order to login to the site 3 requests are called.
in first request the clientid is passed
in the second request in the URL it is creating one parameter 'tx' and it has some value. Rest it creates the csrf token which I am extracting successfully.
But I am facing problem in extracting the value of 'tx'
I am checking the value in the previous requests response but I am not able to find it. Is there anything that I am missing? I checked it on Fidler too somehow I am not getting the value of the tx.
I would suggest that you perform the login action in Chrome (say) with Developer Tools > Network open - and on the second request (sending 'tx') get the value that is sent by the browser, then search for that value in the previous response - and find how that is represented as parameters in the downloaded data.
I had a similar requirement and ended up Writing PostProcessor (to extract a value and save in a variable) and PreProcessor (to inject the variable value into the posted parameter) - you may need to process HTML, javascript or embedded JSON in the initial response.
The fact is that (more-and-more) Web Applications are embedding functionality in client-side javascript and you need to set JMeter up to emulate this.

How to handle security token in Jmeter

I m doing performance testing of application which has login.I took the token from response body and pass in another request which is submitting the login page.
But interesting thing is that i see two different tokens in the first page one in response header another response body .So question is which one is to grab.
Which token to use depends on the application that you are using (and the way it is designed).
So, the best (and first) thing is, find out which security token is passed in the next page, by analyzing the http requests using HTTP trace tools (ex: Fiddler, Firebug etc) manually.

Volley string request - some won't be sended

I'm developing an app heavly based on HTTP GET request to retreive user' data and choice, so i've decided to use Volley.
I've created a common RequestQueue for all the whole application and when I need a request I add a stringRequest to that queue.
The problem of mine is that some requests will be sended but other will not, I think that I've reached a max number of request or something similar, beacuse the stringRequest's URL is correct and writing it in my browser URL's bar I get data I want.
How can I solve this situation?

Using cookie values in HTTP request post body with JMeter

I'm having a problem similar to the one in this post: JMeter; session cookie, but approached from a different angle.
The similarity is at the bottom of the post, where the OP writes:
How... can I set and submit a unique cookie for each user whose value is extracted from the first Response Header?
We're using JMeter for load testing, and need to have several users logged in to our email client at once. The way our website (and test plan) works is:
Enter username/ password, click Sign In.
Click Email.
Receive auth token (used for staying signed in to the email client) in a cookie.
Upon interaction with the email client (open a folder, mark an email as read, etc), send the auth token in the post body.
The problem is that the auth token is not getting stored as a value in such a way that it can be used in a POST request (and because the auth token is not sent as a cookie, we can't simply store it and send it with an HTTP Cookie Manager). The cookie is initially set like this:
AUTH_TOKEN=(long string of letters, numbers, and underscores); Domain=.ourdomain.net; Path=/
We've tried the following to extract the auth token value from the cookie:
Using a Regular Expression Extractor to extract the value from the response header of the "Click Email" step. We've tried two regular expressions; both simply cause JMeter to use the default auth token value when the test is run:
AUTH_TOKEN\=(\w+)\;
AUTH_TOKEN=([^;]+);
Defining the property "CookieManager.save.cookies=true" (as suggested by the user manual) and "CookieManager.check.cookies=false" (as suggested in this thread) in user.properties, then using "${COOKIE_AUTH_TOKEN}" in the post body.
With either or both of these in place, JMeter sets ${COOKIE_AUTH_TOKEN} as the auth token value in the post body.
We know that ${COOKIE_cookieName} is the correct format, as this has worked with other cookies that JMeter is storing.
I've read through a number of threads but none have dealt with this specific issue. I just started learning how to use JMeter a few weeks ago, so I'm not sure what to do here, and any help would be greatly appreciated. Thanks!
The problem was actually being caused by an incorrect request being sent to the server, to which it was then sending a blank response. Once we tore down and rewrote the entire test plan (what we were using was actually a modified version of another test plan) and had CookieManager.save.cookies=true in user.properties, we were able to use ${COOKIE_AUTH_TOKEN} and get the correct value.

Resources