JMeter encrypted credentials - testing

When I recorded the login process, the password was encrypted in the request, so when I tried to change the credentials by setting the password to plain text, I got a 500 response code.

Try to identify the encoding mechanism and encrypt the password on the fly using a Beanshell PreProcessor. The following example encodes the value stored under the ${plainpassword} variable using Base64 encoding and stores the encrypted value as the ${encodedpassword} variable:
import org.apache.commons.net.util.Base64;
// read the plain-text value of the ${plainpassword} JMeter Variable
String plainPassword = vars.get("plainpassword");
// Base64-encode its bytes and turn the result back into a String
String encodedPassword = new String(Base64.encodeBase64(plainPassword.getBytes()));
// expose the result to the following samplers as ${encodedpassword}
vars.put("encodedpassword", encodedPassword);
See How to Use BeanShell: JMeter's Favorite Built-in Component guide for more information on Beanshell scripting in JMeter and a form of Beanshell cookbook.


Base64 Authentication Username and password

I have been able to write a Python script to get the Base64 auth for my username and password (Admin:password), equal to --> Basic QWRtaW46cGFzc3dvcmQ=
When I add that to my header manager as:
Authorization Basic QWRtaW46cGFzc3dvcmQ=
all my HTTP Requests succeed.
In JMeter I have googled and found that I should add the below in a Beanshell PreProcessor:
import org.apache.commons.codec.binary.Base64;
String username = vars.get("Username");
String password = vars.get("Password");
String combineduserpass = username + ":" + password;
byte[] encodedUsernamePassword = Base64.encodeBase64(combineduserpass.getBytes());
vars.put("base64HeaderValue",new String(encodedUsernamePassword));
System.out.println(encodedUsernamePassword);
but that system output gives me --> [B#558e816b which is incorrect
when I add that to my Header manager like this
Authorization Basic ${base64HeaderValue}
my HTTP Request obviously fails. The Base64 for "Admin:password" should really be Basic QWRtaW46cGFzc3dvcmQ= and not [B#558e816b
You are trying to print a byte array. You can print the new variable as:
System.out.println(vars.get("base64HeaderValue"));
Also, your Header Manager should be under your HTTP Request so it is executed after the script and before your request.
Instead of scripting you can use the JMeter plugin of custom functions and use the __base64Encode function inside the Header Manager, similar to:
${__base64Encode(test string, base64HeaderValue)}
To do Basic Auth, just add HTTP Authorization Manager to your plan as per this answer:
JMeter Basic Authentication
It would be configured like this if your server URL is http://localhost:8080/test:
There is no need for scripting here.
I would recommend switching to JSR223 PreProcessor and Groovy language as:
Groovy supports all modern Java language features including (but not limited to)
encoding byte arrays into Base64
decoding Base64 strings
Groovy performance is way better compared to Beanshell
Groovy equivalent of your code would be:
vars.put('base64HeaderValue',(vars.get('Username') + ':' + vars.get('Password')).bytes.encodeBase64().toString())

Encoding response value to base64 and using it on another test

I'm trying to do some testing using JMeter but I'm facing an issue trying to do some complex stuff.
I have a login HTTP request test that comes back with a response which includes an auth_token. I need to add ":" at the end and encode it to base64 to use that value on the request of another test.
I've been reading that it can be done using BeanShell but I could not achieve it yet. I would appreciate it if someone could give me some steps to perform this task.
I assume you know how to get this auth_token into a JMeter Variable via i.e. Regular Expression Extractor.
If you have JMeter Plugins installed, you can use the __base64Encode() function like:
${__base64Encode(${auth_token},auth_token_encoded)}
If you don't have the plugins/cannot have/don't want to have them, here is how to do it with Beanshell.
Add a Beanshell PostProcessor somewhere after the Regular Expression Extractor (or other PostProcessor you're using to fetch the auth_token value).
Put the following code into the Beanshell PostProcessor "Script" area:
import org.apache.jmeter.protocol.http.util.Base64Encoder;
// read the token extracted by the preceding PostProcessor
String auth_token = vars.get("auth_token");
// Base64-encode it with JMeter's bundled encoder
String auth_token_encoded = Base64Encoder.encode(auth_token);
// make it available to later samplers as ${auth_token_encoded}
vars.put("auth_token_encoded", auth_token_encoded);
See How to Use BeanShell: JMeter's Favorite Built-in Component to get started with Beanshell scripting.
Both cases assume:
you have "auth_token" value stored in ${auth_token} JMeter Variable
you will be able to access the encoded value as ${auth_token_encoded}
I had a similar test case where I needed to put a file as a Base64 encoded String into the body of an HTTP Request.
Instead of a BeanShell I used the groovy script functionality¹:
{
"example": "${__groovy(new File('${SCRIPT_PATH}/test.file').bytes.encodeBase64())}"
}
If you already have a String this snippet would work similar:
{
"example": "${__groovy('string to encode'.bytes.encodeBase64())}"
}
Or this is the usage with a user defined variable:
{
"example": "${__groovy('${STRING_VARIABLE}'.bytes.encodeBase64())}"
}
¹ ${SCRIPT_PATH} is a user defined variable pointing – in my case – to the folder of the loaded jmx-file: ${__BeanShell(org.apache.jmeter.services.FileServer.getFileServer().getBaseDir();)}${__BeanShell(File.separator,)}

How to store a variable in a property in JMeter using a Beanshell PostProcessor and reference that variable in the next request.

I am hitting an HTTP URL and need the URL contents in a property in JMeter.
I have done the fetching part from the URL, but I am unable to store the value in properties using JMeter.
For example,
the request is like
http://url/user=admin,password=admin
and I need properties in JMeter:
property1(user)=admin
property(password)=admin
Given you have already extracted what you need it might be easier to use __setProperty() function like:
${__setProperty(foo,bar,)}
creates "foo" property with the value of "bar"
If you still want to go the "Beanshell" way, you can use props shorthand which provides read-write access to JMeter Properties (in fact it's instance of java.util.Properties) for properties manipulation.
The Beanshell script:
props.put("foo", "bar");
will create a property "foo" having value of "bar".
Returning to your use case, if your URL looks like http://example.com/?user=admin&password=admin, the following Beanshell code:
// all parameters of the sampler this PostProcessor is attached to, as name -> value
Map parameters = ctx.getCurrentSampler().getArguments().getArgumentsAsMap();
String user = parameters.get("user");
String password = parameters.get("password");
// JMeter Properties are global to the whole test, unlike vars which are per-thread
props.put("user", user);
props.put("password", password);
should do what you need. See the How to Use BeanShell: JMeter's Favorite Built-in Component guide for more information on Beanshell scripting in JMeter.

Web application login system

I am using revel to build my web application and am trying to write the authentication module.
I finished the sign up part and am now heading to write the sign in part.
I read about the security part in The definitive guide to form-based website authentication and will use those recommendations.
What I really do not know is how sign in works. I imagine that the process works like this:
User writes username and password into the HTML form and presses sign in
Server receives the request and the controller checks if the user information matches the data in the database.
If yes, how to continue.
The third point is where I am stuck. But I have some idea how it could work and am not sure if it is the right way.
So when the sign in information matches the database, I would set in the session object (hash datatype) the key value pair signed_in: true. Every time the user makes a request to the web application that needs to be authenticated, I would look in the session object to see if signed_in is true or not.
This is the way I would do it, but as I mentioned above, I do not know if it is the right way.
Yes, like #twotwotwo mentioned, give it the user id and also a role.
So the server side rendered flow: Step 1
user sends username (or other identifier) and secret.
using scrypt or bcrypt the secret is checked against the stored salted hash in the database
if it matches you create a struct or a map
serialize struct or map into string (json, msgpack, gob)
encrypt the string with AES https://github.com/gomango/utility/blob/master/crypto.go (for instance). Set a global AES key.
create a unique cookie (or session) identifier (key)
store identifier and raw struct or map in database
send encrypted cookie out (id = encrypted_struct_or_map aka the encrypted string)
On a protected resource (or page): Step 2
read identifier from cookie
check if id exists in db
decode cookie value using AES key
compare values from cookie with stored values
if user.role == "allowed_to_access_this_resource" render page
otherwise http.ResponseWriter.WriteHeader(403) or redirect to login page
Now if you wanted you could also have an application-wide RSA key and, before encrypting the cookie value, sign the string with the RSA private key (in Step 1). In Step 2 decode with the AES key, check if the signature is valid, then compare the content to the DB stored content.
On any changes you have to update the cookie values (struct/map) and the info in the database.
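Added example (not code from the original answer or from the linked gomango utility): Step 1 and Step 2 above as working Go, with a constructed in-memory map standing in for the database and a constructed global key. It uses AES-GCM rather than bare AES, because GCM's authentication tag already gives the tamper check the answer proposes adding with an RSA signature; the scrypt/bcrypt password check is assumed to have passed before IssueCookie is called.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
)

// Session is what Step 1 stores server-side and serializes into the cookie.
type Session struct {
	ID     string `json:"id"`
	UserID int    `json:"user_id"`
	Role   string `json:"role"`
}

var sessionStore = map[string]Session{} // stands in for the database table (constructed)
// Global AES key (constructed 32-byte sample); neither call can fail for a fixed-size AES key.
var block, _ = aes.NewCipher([]byte("0123456789abcdef0123456789abcdef"))
var gcm, _ = cipher.NewGCM(block)

// IssueCookie is Step 1 after the password check passed: store the struct, serialize, encrypt.
func IssueCookie(userID int, role string) (string, error) {
	buf := make([]byte, 16+gcm.NonceSize()) // random session id, then a fresh nonce
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	s := Session{ID: base64.RawURLEncoding.EncodeToString(buf[:16]), UserID: userID, Role: role}
	sessionStore[s.ID] = s
	plain, _ := json.Marshal(s)
	nonce := buf[16:] // cookie value = base64url(nonce || ciphertext || tag)
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, plain, nil)), nil
}

// Authorize is Step 2: decrypt, look the id up, compare with stored values, check the role.
func Authorize(cookie, requiredRole string) bool {
	raw, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil || len(raw) < gcm.NonceSize() {
		return false // malformed cookie: 403 or redirect to the login page
	}
	n := gcm.NonceSize()
	plain, err := gcm.Open(nil, raw[:n], raw[n:], nil) // any bit flip fails the tag check
	var s Session
	if err != nil || json.Unmarshal(plain, &s) != nil {
		return false
	}
	stored, ok := sessionStore[s.ID]
	return ok && stored == s && s.Role == requiredRole
}
```

Deleting the row from sessionStore is the logout: the cookie still decrypts, but the comparison against stored values then fails.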

I want to pass a value to IceWarp base64 encoded. Does IceWarp need a decoding script?

Currently my job is to hide the username and password from being displayed when we pass the value to IceWarp webmail. The previous developer passed the value like below:
Header("refresh:0;url=http://sample-icewarp.com/webmail/index.html?!#$username:$password");
and it redirects the user to IceWarp webmail, but with the username and password displayed in the address bar for a split second. On a slow connection, that gives enough time to read and memorize it.
I am planning to work with base64 encoding. But I am confused: do I need to make IceWarp decode it as well?
I am not a programming expert; I work as IT technical support. This has become part of my job.
From googling, I found this sample code for base64 encoding:
$data = /* some data */;
$base64Data = base64_encode($data);
$urlData = urlencode($base64Data);
$htmlData = htmlspecialchars($urlData);
printf('<input type="hidden" value="%s" name="pass-it-on">', $htmlData);
How do I edit this to make it redirect to IceWarp webmail?
Why don't you use external login (see icewarp/html/webmail/client/_external)? It would use, AFAIK, the RSA login IceWarp has. Or SSO...