My tester has integrated Burp tool with firefox, where he is running our project on same browser. He is saving each and every request of application in Burp tool and then login with another user to post request data of first user, or he logout of system and only post request data where he is able to save that data properly. Can anybody please answer that how I can stop laravel to save data on Burp or any other tool like this
This is an integral part of testing. You should not be trying to find ways to deceive testing tools. You should be implementing good security in your application.
Related
I am doing performance testing. I have a URL abc.com it redirects to http://github.com for login. Because abc.com is registered in Github. What will be the approach to login into the application with Jmeter
It's called OAuth and you need to implement the required authorization flow, most probably Authorization Code Grant, however it depends on how your "abc.com" is exactly integrated with Github.
All the information on possible options and flows is listed on Github website so you either need to ask around what exact flow is being used or inspect the traffic from your browser using your browser developer tools or external sniffer tool like Fiddler or https://www.wireshark.org/
Actually it's only matter of passing correct parameters to Github https://github.com/login/oauth/authorize and https://github.com/login/oauth/access_token endpoints and correlating the dynamic values using suitable JMeter Post-Processors.
I am trying to run the tests using Zalenium but the browser is asking for the credentials, so I am providing the username and password manually.
Does anyone know how to handle browser authentication?
My project uses Specflow, C# and Selenium
There are several options
You can login with http://username:password#website.com/page
Automate login process at #BeforeMethod or #BeforeClass
Set cookies. Although I don't advise this method since it doesn't speed up automation much and there is quite a bit of work to do to implement it.
You could put your web application behind a proxy that automatically injects the basic auth credentials. I did this once for a client a few years back.
I'm pretty sure I used: https://github.com/adamfisk/LittleProxy with https://github.com/ganskef/LittleProxy-mitm
But I had to write some code intercept requests and inject basic auth headers. Although from memory it was pretty straight forward.
If you don't need https then you could probably use cntlm and then set the basic auth header by hand using this:
-r "HeaderName: value"
Add a header substitution. All such headers will be added/replaced
in the client's requests.
I am trying to perform load testing using JMeter on my project's web service (search web service for instance), the problem I am facing is that I am getting {"Message":"Authorization has been denied for this request."} in "Response data" tab in JMeter
This same message I also get when I try to paste the same query string (which I am using in JMeter as Path) in browser new tab without logging in first,, but if I login on my project first and then try to paste the query string in browser's new tab then it works fine.
Now the actual problem that I am facing in JMeter is that I am unable to log in to the system using "HTTP Header Manager"
I tried by adding Basic authentication in "HTTP Header Manager" but it didn't worked, then my developer told me that he is using "ASP Membership" authentication instead of Basic authentication,, now I am not sure how to use this type of authentication in JMeter.
I think I have explained my problem in detail here, can any one please help me in this as I am really stuck into it.
Thanks in advance
You need to add a cookie-manager to your Thread Group. This will preserve the cookies ( hence sessions) between requests. Next add a http request which will do a POST of your login form then another HTTP Request with your actual request. This way you are imitating the steps you do on your browser - that is - login followed by request.
Looking into ASP.NET Forms Authentication Overview article:
Forms authentication lets you authenticate users by using your own code and then maintain an authentication token in a cookie or in the page URL.
So depending on implenentation of ASP.NET Forms on server side you can use one of the following test elements:
HTTP Cookie Manager
HTTP URL Re-writing Modifier
Also you may need to perform the correlation of the mandatory dynamic parameters such as VIEWSTATE or EVENTVALIDATION. See ASP.NET Login Testing with JMeter guide for detailed explanation and walkthrough.
I have an application hosted in Azure using Azure Active Directory and OpenIDConnect for authentication - generally all works well. However I'm having an issue where some requests generate a call to https://login.microsoftonline.com/ and then on to the requested page - no password is requested. I'm assuming that this is some kind of token refresh?
The problem is that the site uses a fair amount of ajax and these requests stop working because they get redirected to https://login.microsoftonline.com/ This happens after maybe 15 minutes, however the nbf and exp properties of the JWT token show a validity period of approximately an hour.
I've set the BackchannelTimeout property of OpenIdConnectAuthenticationOptions to 30 minutes, however this doesn't seem to have made any difference.
Can anyone offer any advice on what may be happening and the options to change or work around the behaviour?
Your question can be answered in the same way as this other thread: MVC AD Azure Refresh Token via ADAL JavaScript Ajax and KnockoutJs
In short: the OpenId Connect middleware is designed to support redirect based web applications. Ajax calls are not well suited to be protected via cookies, and the issue you are experiencing is one of the reasons why. Javascript based API calls are better protected using tokens rather than cookies.
For some links that might provide an alternative approach, see the link above.
I created a nuget package for .NET web applications which is refreshing the Azure Active Directory Token in the background.
More info: https://www.nuget.org/packages/RefreshTokenForAjaxRequest.Azure.ActiveDirectory/
I just thought about writing a GWT app that just works as a client for a RESTful web service. The web service requires HTTP basic authentication for each call.
Since the client is not 'connected' with the server over a session, I have to remember the authentication credentials on the client side. I could do this within the GWT application, but with this, the client has to log in after every reload, which is not very beautiful. I also don't think it's a good idea to write this information to cookies, since everyone could read them.
So, who knows what I am looking for? :-)
Browsers save the username/password information for a given server/port/domain. So if the client has to login once (at least via the browser standard BASIC http dialog) it's preserved over the reloads.
I don't know if you can do that. Maybe forcing the user to navigate to a page inside the domain (or realm) and then using GWT...