I am running a script for login a site in jmeter where the credentials for the password is hashcode and in encrypted format. like this below as java library are used like validation of password, I am not able to write the java code for converting the decrypt the password
Actual what post data displayed:
&member_login_number=test#gmail.com&member_login_password=0d42afb79ebef4fbf34989341c42ca40dd3504d5da60c8eeffaf73d169e77c63601c72a4cda2c706e2b4e15a84dc8d50e024ab1b2e6198d94d0ae70c57de1808
CSV Data Config
username :testing#test.com
Password:password
Now when i using the csv data config to parameterized the password with the
actual password request is not getting success even after entering the
hashcode password to csvfile the post is not successful.
Is there any solution for this?
Screenshots below:
username_password_request
Related
I have default auth implemented in Laravel 7 and works like a charm.
However, I have a very peculiar requirement wherein, the password shouldn't even travel in plain text although SSL is implemented on network.
One way would be to handle it via javascript on login page wherein I encrypt the value of password and send the same to server and then decrypt the same in php before handing it to laravel attemptLogin method.
However, I am not so sure about this approach.
Any help would be awesome.
Solution:
On client side, used crypt.js/aes.min.js and encrypted the password using a key and iv.
In login controller, overrode credentials method and decrypted using openssl_decrypt before passing on to hash check.
This is already discussed on this answer:
It is standard practice to send "plaintext" passwords over HTTPS. The
passwords are ultimately not plaintext, since the client-server
communication is encrypted as per TLS.
And this one:
If you hash on the client side, the hashed password becomes the actual
password (with the hashing algorithm being nothing more than a means
to convert a user-held mnemonic to the actual password).
This means that you will be storing the full "plain-text" password
(the hash) in the database, and you will have lost all benefit of
hashing in the first place.
You may also read this answer for more security options.
I solved it as below:
On client side, used crypt.js/aes.min.js and encrypted the password using a key and iv.
In login controller, overrode credentials method and decrypted using openssl_decrypt before passing on to hash check.
I have an asp.net web API. I implemented a token authentication that I am trying to validate user name and password from the database. I am new to JWT so I need your advice.
Here are my questions;
Should I encrypt username and password in my database?
The client sends the username and password in the request body, Should the client send them in the header? And should they be encrypted?
Best Regards.
You should absolutely encrypt your password in the database. Even better if you hash it with "salt" (hashing will let you implement the log in logic, but the original password will be unrecoverable even if you know the hash).
Sending the password in the request body is fine if the connection is protected by TLS (HTTPS). There's no gain in putting it in the headers.
Usernames are often stored in plain text.
P.S. Your question has nothing specific to JWT, it is just general password management.
Actually i am using basic authentication in postman and provide client id and secret to get basic authentication key.Then i have provided username,password and grant type to get access token.since my password is encrypted and stored in my DB.I have to pass encrypted password to get access token.Is there any way to encrypt my passed password to compare for authorization and get access token.
I am using PHP 5.5.27 and Codeigniter3 to developed my code.
I used password_hash() to encrypt my password and store it in database. Also password varchar(255) is column size.
When I entered plain (unhashed) password then codeigniter validation run properly. But If I used hashed password (in text format) then form validation fails. Also If I used wrong password then also it works properly.
How can I solve this problem and make it work for hashed password also?
Does anyone know how to access the username and password from the Login Config Element in jMeter inside of a BeanShell?
I am trying to access the Login Config Element from and HTTPRequest also. I need to have the password saved with the dot overlay so that it is secure for my companies use. I want to access them from an HTTPRequest so that I don't have to put the username and password in cleartext. Then I want to access it in a BeanShell Post script so that I can change the password before the Simple Data Writer writes the HTTP request output to a file.
Thus far I have been unable to find any useful information on how to do this.
I have tried this script so far which does replace the password written in the Simple Data Listener file but I still have to put it in clear text and I would prefer to put a variable or use a function to access the variable.
import org.apache.jmeter.protocol.http.sampler.HTTPSampleResult;
import java.lang.String;
prev.setHTTPMethod(prev.getHTTPMethod().replace("password","*********"));
Have you checked out the Jmeter API to see if it lists how the username/password are being stored? (it may not)
If the API can't help you, you may be able to do a debug sampler and see if the username/password are being stored as variables/properties.
Beanshell samplers can access both variables and properties.