We're trying to benchmark our application. We've tried two tools, autocannon and JMeter.
I've noticed that when we use autocannon, we couldn't get any response from Cloudflare unless we turn off the orange cloud. But when we use JMeter we get responses regardless.
I would like to understand why this is happening.
I know that by default Cloudflare has unmetered DDoS protection turned on. Is it possible that requests from JMeter are not considered a DDoS attack? Or am I missing a setup in my autocannon configuration?
A well-behaved JMeter load test generates the same network footprint as a real browser does.
Looking into Autocannon, it doesn't seem to support at least:
handling embedded resources like browsers do
implementing an HTTP cache
working with AJAX
think times
etc.
Assuming all of the above, Cloudflare might consider traffic generated by Autocannon fraudulent. So I would recommend:
Sticking to JMeter, as it is a more advanced tool even out of the box and it can be extended by JMeter Plugins (thanks to the modular JMeter architecture)
Temporarily disabling all 3rd-party services (Cloudflare, any captchas, external authentication systems, payment gateways, etc.) as your test needs to focus solely on your application, not the integrations.
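The footprint differences listed in this answer (embedded resources, cache revalidation, think times) can be measured from an access log. The following is an added example, not part of the original answer, and it is an illustrative heuristic only: the page does not describe Cloudflare's actual detection logic. The log records, client addresses and the `min_think` threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed access-log records: (client, seconds since start, path, status).
SAMPLE_LOG = [
    ("10.0.0.5", 0.0, "/", 200), ("10.0.0.5", 0.2, "/static/app.js", 200),
    ("10.0.0.5", 0.3, "/static/site.css", 200), ("10.0.0.5", 6.1, "/search?q=a", 200),
    ("10.0.0.5", 6.3, "/static/app.js", 304), ("10.0.0.5", 14.8, "/cart", 200),
    ("10.0.0.9", 0.00, "/", 200), ("10.0.0.9", 0.01, "/", 200),
    ("10.0.0.9", 0.02, "/", 200), ("10.0.0.9", 0.03, "/", 200),
    ("10.0.0.9", 0.04, "/", 200), ("10.0.0.9", 0.05, "/", 200),
]

STATIC_EXT = (".js", ".css", ".png", ".jpg", ".svg", ".woff2")


def footprint(records):
    """Summarise, per client, the three traits named in the answer."""
    by_client = defaultdict(list)
    for client, ts, path, status in records:
        by_client[client].append((ts, path, status))
    report = {}
    for client, reqs in by_client.items():
        reqs.sort()
        # Page requests are everything that is not an embedded static asset.
        pages = [r for r in reqs if not r[1].split("?")[0].endswith(STATIC_EXT)]
        # Think time = gap between consecutive page requests.
        gaps = [b[0] - a[0] for a, b in zip(pages, pages[1:])]
        report[client] = {
            "embedded": len(reqs) - len(pages),
            "cache_hits": sum(1 for r in reqs if r[2] == 304),
            "median_think": median(gaps) if gaps else None,
        }
    return report


def looks_synthetic(stats, min_think=1.0):
    """Flag a client only when all three browser traits are absent."""
    no_assets = stats["embedded"] == 0
    no_cache = stats["cache_hits"] == 0
    think = stats["median_think"]
    no_think = think is not None and think < min_think
    return no_assets and no_cache and no_think


if __name__ == "__main__":
    for client, stats in footprint(SAMPLE_LOG).items():
        print(client, stats, "synthetic" if looks_synthetic(stats) else "browser-like")
```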
Related
Trying to Performance test an application developed in OJET technology. Which tool/protocol should I use for scripting? I tried HTTP/Web protocol with Jmeter and Load Runner. But that doesn't capture all the requests and responses at the javascript/browser level. Hence I am facing issues in correlating the dynamic values during test design. Hence, scripts fail during the replay. Currently trying to do it with Truclient Web protocol as an alternative. But I need to know which tool/protocol should I use for scripting?
According to OJET looks like this is a web app generator.
If you choose to start with JMeter, use a post-processor such as regex to catch and save every value that is needed as an argument in the next request.
Don't be afraid of these dynamic values. Try to follow the next articles to get the idea.
None of the tools will provide you automatic correlation without issues. Neither LoadRunner nor JMeter. It is always tricky.
Ask more specific questions when you start facing issues.
Jmeter catch correlations
You need to implement real user using your application with 100% accuracy in terms of network footprint
Both JMeter and/or LoadRunner are not capable of executing client-side JavaScript, the options are in:
Implement these JavaScript-driven network calls using scripting (in JMeter it will be JSR223 Test Elements)
Use a real browser, LoadRunner's Truclient protocol is basically a headless web browser, in JMeter can be integrated with Selenium browser automation framework via WebDriver Sampler
With regards to "which protocol/tool" to use:
Implementing JavaScript calls manually will take extra effort, however your test will consume fewer resources (CPU, RAM, etc.)
Using real browsers will take less effort, but the test will consume much more resources (something like 1 CPU core and 2 GB of RAM per user/browser instance) and you won't have metrics like Connect Time, Latency, etc.
LoadRunner TruClient. This will handle all of the Javascript executions and dynamic elements related to session, state, date/time, object identifiers, ... You will still need to appropriately handle user input items.
Given that JMeter is not a browser and only simulates the actions of a browser, has anyone ever attempted to do cross-site script testing using JMeter? I was reading online some articles about how to do security testing using JMeter but I didn't come across any work elaborating any attempts to do cross-site script testing.
I have done performance testing using JMeter, but I can't think of any way performing an XSS test using JMeter. So would love to hear, ideas and thought in this regard, thanks.
JMeter is mainly meant for performance and load testing. A little bit of automation can also be done with JMeter (even though you can get better tools for automation out there). Again, regarding security testing, yes, it can be done by providing XSS scripts in parameters and request headers of requests and then bombarding the server. Also you can do a DDoS attack with JMeter. But for this kind of penetration testing you have better tools out there. I suggest you do penetration testing with OWASP ZAP and do it in a professional way. Install Kali Linux and do ethical hacking.
I want to conduct an HTTP flood against a test website that I have designed in Visual Studio 2017. It is an ASP.NET Webforms site, so I want to ask if Apache JMeter is a proper tool for such a project. I have done some research and found from other users that Apache JMeter is having some problems with ASP.NET apps in some cases. So I'm a little confused. Also, I am considering using two computers, one for running the website, and the other for running the JMeter script, in order to avoid the resource consumption that may lead to inaccurate metrics. Is it possible to succeed with the HTTP flood in such a way? Any other suggestions are welcome.
Thanks.
JMeter doesn't have any problems with ASP.NET websites (as well as any other websites), JMeter is backend-agnostic and it knows nothing about server-side technologies stack as it basically gets HTML and Headers from the server.
Just make sure to perform correlation of dynamic parameters like VIEWSTATE, EVENTVALIDATION, etc. and you should be good to go.
With regards to "flood" approach - I would rather recommend implementing real life user scenarios, to wit JMeter test should represent real usage of your web application by the real user using the real browser including business steps (login, browse, search, etc.) and technical side of things (Cookies, embedded resources, headers, cache)
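The correlation step recommended here for VIEWSTATE and EVENTVALIDATION, and the regex post-processor advice in the earlier OJET answer, come down to the same procedure: extract the hidden fields from the previous response and replay them, correctly encoded, in the next request. The following is an added example, not from the original answers; Python stands in for JMeter's extractor, and the page markup, field values, `Login.aspx` and `txtUser` are constructed assumptions.

```python
import re
from html import unescape
from urllib.parse import urlencode

# Constructed sample of an ASP.NET WebForms response; all values are made up.
SAMPLE_PAGE = '''
<form method="post" action="./Login.aspx" id="form1">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTEyMzQ1Njc4OQ9kFgI+abc=" />
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="C2EE9ABB" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAAPq&#43;x/Zz0=" />
<input name="txtUser" type="text" id="txtUser" />
</form>
'''

HIDDEN_INPUT = re.compile(r'<input\b[^>]*\btype="hidden"[^>]*>', re.I)
ATTR = re.compile(r'\b(name|value)="([^"]*)"', re.I)
REQUIRED = ("__VIEWSTATE", "__EVENTVALIDATION")


def extract_hidden_fields(html):
    """Return {name: value} for every hidden input in the response."""
    fields = {}
    for tag in HIDDEN_INPUT.findall(html):
        # The server HTML-escapes attribute values (e.g. '+' as '&#43;'),
        # so decode entities before reusing the value.
        attrs = {k.lower(): unescape(v) for k, v in ATTR.findall(tag)}
        if "name" in attrs:
            fields[attrs["name"]] = attrs.get("value", "")
    return fields


def build_postback(html, user_input):
    """Build the form-encoded body of the next request from the last response."""
    fields = extract_hidden_fields(html)
    missing = [n for n in REQUIRED if n not in fields]
    if missing:
        # Fail loudly: replaying a stale or empty token only yields server errors.
        raise ValueError(f"correlation failed, missing: {missing}")
    fields.update(user_input)
    # Base64 values contain '+', '/' and '='; an unencoded '+' would be
    # decoded as a space by the server, so URL-encode every value.
    return urlencode(fields)


if __name__ == "__main__":
    print(build_postback(SAMPLE_PAGE, {"txtUser": "alice"}))
```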
Most of the tools out there do not seem to be interpreting jQuery / Javascript code that is loaded on the page that I want to test. This is however important because that code will, in turn initiate a number of calls to other endpoints in my webapp which adds up to load in a real life scenario.
I've looked at JMeter already and am a bit reluctant to give it a try as the landing page mentions explicitly that it does not do Javascript interpreting at all.
What would be some recommendation of tools that can provide a more accurate measurement of load testing by including Javascript code?
None of the load testing tools really executes JavaScript, they all act on protocol level and JavaScript is being executed by browser.
There are 3 options how you could proceed if you want 100% realistic testing:
HP LoadRunner has the TruClient protocol, which is basically a headless browser with JavaScript capabilities.
JMeter with WebDriver Sampler plugin - the way to kick off real browsers from JMeter test
Selenium Grid (or other way to kick off several Selenium instances at once)
All 3 above options are very resource intensive, you will require at least 1 CPU core and a couple of gigabytes of RAM for a single browser instance, so I would recommend a slightly different approach. JMeter cannot execute JavaScript, but it can execute JavaScript-driven HTTP Requests, so create the main load using JMeter (or equivalent) and while the load test is running use Selenium to automatically check the real browsing experience or YSlow to do the same manually.
Load testing tools don't execute JavaScript.
You know which endpoints your JavaScript code is using so just add these endpoints to your JMeter scenario.
The thick client problem has been around since the early 1990s with traditional thick client-server applications. In fact, the earliest commercial tools were all driving full clients on X Windows before adding API level virtual user capabilities. On the commercial front this ability to drive full, thick clients is still expressed as GUI virtual users (Mercury/HP/Microfocus LoadRunner, Segue/Borland/Microfocus Silk Performer, Rational/IBM Performance Tester) allowing you to measure the weight between API and user level if needed.
Here is the thing, for a given business process and data set the end client is predictable in its behavior, and in the requests that it makes to the servers that are feeding it data. There may be a few odd conditions where you need to reproduce an algorithm from JavaScript to C (or even run it directly in some tools) for branching on a type of API/HTTP request, but these are not numerous.
I'm told that we need to do some performance testing on one of our web-applications, so I'm trying to get some JMeter stuff to work, which as far as I know would simulate the HTTP GETS and POSTS. However, one of my colleagues is telling me that if I use it, it'd only accomplish FE testing. But, if I do this, it still is able to create items in the database and interact with the logic, so I figured it should be sufficient for performance testing of the back-end. Her reasoning is that "if it goes through http pages, we can’t tell which affects the performance".
So am I totally wrong? I'm confused.
The whole idea of the load testing thing is to simulate real-life users actions and behavior as close to reality as possible.
In JMeter terms that assumes presence and appropriate configuration of the following test elements:
HTTP Cookie Manager - to represent browser cookies and deal with cookie-based authentication
HTTP Header Manager - to represent browser headers like User-Agent, Accept-Encoding, Accept-Language, Content-Type, etc.
HTTP Cache Manager - browsers download embedded resources like scripts, styles, images, etc. but do it only once, on subsequent requests aforementioned entities are being returned from cache. To simulate this behavior you need to have HTTP Cache Manager
HTTP Request Samplers need to be configured to fetch embedded resources from the web pages and use a separate thread pool for this. See How to make JMeter behave more like a real browser guide for more details on how to configure realistic behavior.
So given the JMeter test is well designed and implemented, it is quite enough to test the backend as well. If during the load test you figure out that the bottleneck is i.e. the database, you may need to load-test the database separately; JMeter is capable of doing this as well. However, I'm a strong believer that load testing should be done against an environment as close to production as possible and should target the whole system rather than individual components.