Simple JMeter Test does not work - java

We are trying to add a simple test using JMeter in a JSF application. We followed the instructions in:
http://jmeter.apache.org/usermanual/build-adv-web-test-plan.html
It has a simple login page with user name and password and a submit button. You can see from the screenshots that we used a proxy. With the settings in the screenshot we are getting an HTTP 500 error. I am not sure if I phrased the question in the right way. Please ask if you need any clarification.
The error code is:
EDIT:
I think this is going to be the longest question on SO. But images are better than words sometimes. Anyway, what we have done is to send the data that is equivalent to what we see in Firebug. But we are still getting a 500 error. You can see the Tomcat log in the attachments.

HTTP 5xx codes are related to server or application errors. Search log files first.
Your script doesn't need a "User Defined Variables" component because there's no variable expression that really needs to be evaluated per thread/user.
The "Regular Expression Extractor" component suffices to extract the JSF ViewState value.
I suggest you delete the last part of your expression, " />", and change the regular expression grouping (.+?) to (\w+?) because it will evaluate to a few matches (probably only 2). Change the value of the "Match No." field to 1 (no need to use random if all values matched are identical).
I didn't understand why you used both "XPath Extractor" and "Regular Expression Extractor" components to extract the same value. I prefer to use the last one when dealing with HTML. XPath is better when dealing with well-formed XML strings/files.
To capture a script from scratch, I suggest you add an "HTTP Proxy Server" inside Workbench, configure it, start it, configure a browser to use this proxy and navigate those pages using the browser. This way you'll capture all requests made and request headers used by the browser you choose. After this, remove unnecessary requests and change query parameters, like javax.faces.ViewState, to the corresponding variables.
Consider using extractors (Post-Processors) inside an HTTP Sampler prior to the one that will use the variable in Parameter Values. Ex.: if the /EBS request comes first and the /EBS/login.xhtml request has a javax.faces.ViewState parameter then, probably, the /EBS response will contain a hidden input with the javax.faces.ViewState value.
This is a common makeup of the JSF application test scripts I use. Providing more information about the cause of the HTTP 500 error should clarify the way to a better solution.

On the Regular Expression Extractor for jsfViewState, add (?s) to the start of the regular expression. So you have:
(?s)<input type="hidden" name="javax\.faces\.ViewState" id="javax\.faces\.ViewState" value="(.+?)" />
This allows the (.+?) to span line break characters.

Your regular expression extractor is in the wrong place. You cannot extract a value from the response to a request and then send it with the same request. The only way to achieve this is to use a time machine, but these don't exist yet and even if they did, it probably wouldn't work.
Typically you get a viewstate in the response to a GET and then you later need it in the POST of the same page. So, put the regular expression extractor as a child of the GET call where the login.xhtml page is first called (as a GET). If your recording does not include this GET call then either add it manually or examine the responses of previous calls before your login POST to find it, e.g. maybe the GET homepage.xhtml (or similar) will include it.
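An added Python example (not from the question or any of the answers) that ties the last two answers together: the (?s) extractor expression above applied to a constructed GET response in which the ViewState value wraps across a line break and appears once per form (so Match No. 1 is enough, as the first answer notes), followed by the login POST parameters built from the value taken from that GET response. The sample page, the form and field names and the function names are assumptions.

```python
import re
from typing import Optional

# Constructed sample: what a GET of login.xhtml might return, with the JSF view state
# rendered once per form (identical values) and the value wrapped across a line break.
SAMPLE_GET_RESPONSE = """<html><body>
<form id="j_idt7" method="post" action="/EBS/login.xhtml">
<input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState" value="-1234567890123456789:
9876543210987654321" />
</form>
<form id="loginForm" method="post" action="/EBS/login.xhtml">
<input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState" value="-1234567890123456789:
9876543210987654321" />
</form>
</body></html>"""

# The extractor expression from the answers, with (?s) so that (.+?) may span line breaks.
VIEWSTATE_RE = re.compile(
    r'(?s)<input type="hidden" name="javax\.faces\.ViewState" '
    r'id="javax\.faces\.ViewState" value="(.+?)" />'
)
# Same expression without (?s): "." stops at a newline, so a wrapped value never matches.
VIEWSTATE_RE_NO_DOTALL = re.compile(VIEWSTATE_RE.pattern.replace("(?s)", "", 1))


def extract_viewstate(page: str, pattern=VIEWSTATE_RE, match_no: int = 1) -> Optional[str]:
    """Behaves like a Regular Expression Extractor with Match No. = match_no (1-based).
    Returns None when the page yields fewer matches, standing in for the extractor's
    default value (which JMeter would otherwise send verbatim in the POST)."""
    matches = pattern.findall(page)
    if len(matches) < match_no:
        return None
    return matches[match_no - 1]


def build_login_post(viewstate: str, username: str, password: str) -> dict:
    """Parameters for the login POST that follows the GET. The view state comes from the
    GET response, never from the POST's own response. Parameter names are assumed."""
    return {
        "loginForm": "loginForm",
        "loginForm:username": username,
        "loginForm:password": password,
        "javax.faces.ViewState": viewstate,
    }
```

Running `extract_viewstate(SAMPLE_GET_RESPONSE, VIEWSTATE_RE_NO_DOTALL)` returns None, which is exactly the silent failure the (?s) prefix prevents.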

Related

filter out encoded javascript content from request

I have a problem where I am trying to cleanse the request content to strip out HTML and javascript if included in the input parameters.
This is basically to protect against XSS attacks and the ideal mechanism would be to validate input and encode the output but due to some restrictions I cannot work on the output end.
All I can do at this time is to try to cleanse the input through a filter. I am using ESAPI to canonicalize the input parameters and also using jsoup with the most restrictive Whitelist.none() option to strip all HTML.
This works as long as the malicious javascript is within some HTML tags but fails for a URL with javascript code without any HTML surrounding it, eg:
http://example.com/index.html?a=40&b=10&c='-prompt``-'
ends up showing an alert on the page. This is kind of what I am doing right now:
param = encoder.canonicalize(param, false, false);
param = Jsoup.clean(param, Whitelist.none());
So the question is:
Is there some way through which I can make sure that my input is stripped of all HTML and javascript code at the filter?
Should I throw in some regex validations but is there any regex that will take care of the cases that are getting past the check I have right now?
DISCLAIMER:
If output-escaping is not allowed in your internet-facing solution, you are in a NO-WIN SCENARIO. It's like antivirus on Windows: You'll be able to detect specific and known attacks, but you will be unable to detect or defend against unknown attacks. If your employer insists on this path, your due diligence is to make management aware of this fact and get their acceptance of the risks in writing. Every time I've confronted management with this, they've opted for the correct solution--output escaping.
================================================================
First off... watch out when using JSoup in any kind of a cleaning/filtering/input validation situation.
Upon receiving invalid HTML, like
<script>alert(1);
Jsoup will add in the missing </script> tag.
This means that if you're using Jsoup to "cleanse" HTML, it first transforms INVALID HTML into VALID HTML, before it begins processing.
So the question is: Is there some way through which I can make sure that my input is stripped of all HTML and javascript code at the filter? Should I throw in some regex validations but is there any regex that will take care of the cases that are getting past the check I have right now?
No. ESAPI and ESAPI's input validation is not appropriate for your use case because HTML is not a regular language and ESAPI's inputs for its validation are Regular Expressions. The fact is you cannot do what you ask:
Is there some way through which I can make sure that my input is stripped of all HTML and javascript code at the filter?
And still have a functioning web application that requires user-defined HTML/JavaScript.
You can stack the deck in your favor a little bit: I would choose something like OWASP's HTML Sanitizer, and test your implementation against the XSS inputs listed here.
Many of those inputs are taken from OWASP's XSS Filter evasion cheat sheet, and will at least exercise your application against known attempts. But you will never be secure without output escaping.
===================UPDATE FROM COMMENTS==================
So the use case is to try and block all HTML and JavaScript. My recommendation is to implement Caja since it encapsulates HTML, CSS, and JavaScript.
JavaScript though is also difficult to manage from input validation, because like HTML, JavaScript is a non-regular language. Additionally, each browser has its own implementation that deviates in different ways from the ECMAScript spec. If you want to protect your input from being interpreted, this means you'd ideally have to have a parser for each browser family attempting to interpret user input in order to block it.
When all you've really got to do is make sure that the output is escaped. Sorry to beat a dead horse, but I have to stress that output escaping is 100x more important than rejecting user input. You want both, but if forced to choose one or the other, output escaping is less work overall.
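As an added example (not from the question or the answer), a Python stand-in for the question's tag-stripping filter next to the context-specific output escaping the answer insists on: the tagless query-string value quoted in the question passes an HTML-only stripper untouched, while escaping at the output point makes it inert in both a JS string-literal and an HTML context. `strip_tags` is a constructed simplification, not jsoup, and the render functions and sample inputs are assumptions.

```python
import html
import json
import re

# Constructed inputs: the query-string value quoted in the question (no HTML tag in it at all)
# and an ordinary piece of markup.
PAYLOAD_FROM_QUESTION = "'-prompt``-'"
PLAIN_MARKUP = "<b>hello</b> world"

TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(value: str) -> str:
    """Input-side HTML stripper, a constructed stand-in for Jsoup.clean(..., Whitelist.none()).
    It removes tags, which is all an HTML-only filter can do; a tagless value passes untouched."""
    return TAG_RE.sub("", value)


def render_unescaped(value: str) -> str:
    """The failing pattern: a 'cleansed' value pasted raw into an inline script, where a
    single quote ends the JS string literal and the rest of the value becomes code."""
    return f"<script>var c = '{value}';</script>"


def render_js_string(value: str) -> str:
    """Output escaping for a JS string-literal context: json.dumps yields a double-quoted
    literal with quotes and backslashes escaped; '</' is broken up so it cannot close the
    <script> element, and the two JS line terminators that JSON permits are escaped too."""
    literal = (json.dumps(value)
               .replace("</", "<\\/")
               .replace("\u2028", "\\u2028")
               .replace("\u2029", "\\u2029"))
    return f"<script>var c = {literal};</script>"


def render_html(value: str) -> str:
    """Output escaping for HTML attribute and text contexts (html.escape also escapes quotes)."""
    escaped = html.escape(value, quote=True)
    return f'<span title="{escaped}">{escaped}</span>'
```

With the question's value, `render_unescaped` produces `var c = ''-prompt``-'';`, a terminated string followed by an expression, whereas `render_js_string` produces `var c = "'-prompt``-'";`, a single string literal.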

java - parsing an aspx website - post parameters

I have my client's e-shop, which is created by another company. I want to parse all the products and put them in an xml. I know how to get to the first page of each "brand" but I have difficulties passing the argument to change the page for the paginated results.
This is the e-shop "http://www.gialia.net.gr/ProductCatalog/20/CAR.aspx" that points to one brand.
When I use Tamper Data on Firefox I see that when you press the second page of the results it posts the:
"__EVENTTARGET=ctl00%24wpmMain%24wp131820866%24wp512420601%24dpgTop%24ctl01%24ctl01"
The last string, "ctl01", means go to page 2. If I change it to ctl02 it goes to page 3, etc.
But I'm trying to create it as a GET request so I can create these parameters dynamically in my Java code and parse each response. But when I create the URL as:
http://www.gialia.net.gr/ProductCatalog/20/CAR.aspx?__EVENTTARGET=ctl00$wpmMain$wp131820866$wp512420601$dpgTop$ctl01$ctl02
I get no results.
Can someone please take a look and give me some suggestions?
The site you give us here is very poorly designed with respect to search engines (SEO), and so parsing the pages one by one is very difficult.
Changing the page is done with a postback, and with JavaScript only. So you must do the same to move to the next page of the catalog: you need to make a full postback of the page with all the parameters.
Now, the page is so badly designed that the programmer has disabled the __EVENTVALIDATION of the controls, probably because it did not let him do wrong things, so you can tamper with the data, but you still need to make a postback. By simply typing only one parameter on the URL, the code-behind does not understand that it is a postback. You need to send at least the ViewState and the rest of the hidden parameters.
But isn't it easier to just get direct access to the database from your client and read them from there?

How can I send a newsletter with xPages content?

I have some content displayed using computed fields inside a repeat in my xpage.
I now need to be able to send out a newsletter (by email) every week with the content of this repeat. The content can be both plain text and HTML.
My site is also translated into different languages so I need the code to be able to specify the language and return the content in that language.
I am thinking about creating a scheduled LotusScript or Java agent that somehow reads the content of the repeat. Is this possible? If so, some sample code to get me started would be great.
Edit: the content is only available to logged-in users.
thanks
Thomas
Use a java agent, and instead of going to the content natively, do a web page open and open the page as if in a browser, then process the result. (you could make a special version of the web page that hides all extraneous content as well if you wanted)
How is the data for the repeat evaluated? Can it be translated into a LotusScript database.search?
If so then it would be best to forget about the actual xPage and concentrate on working out how to get the same data via LotusScript and then write your scheduled agent to loop through the document collection and generate the email that way.
Looking at the XPage would generate a lot of extra work: you need to be authenticated as the user (if the data in the repeat is different from one user to the next) to get the exact same data that this particular user would see, and then you have to parse the page to extract the data.
If you have a complicated enough newsletter that you want to do an Xpage and not build the html yourself in the agent, what you could do is build a single xpage that changes what's rendered based on a special query string, then in your agent get the html from a URLConnection and pass the html into the body of your email.
You could build the URL based on a view that shows documents with today's date.
I would solve this by giving the user a teaser on what to read and give them a link to the full content.
You should check out Weihang Chen's (my colleague) article about rendering an XPage as MIME and sending it as a mail.
http://www.bleedyellow.com/blogs/weihang/entry/render_a_xpages_programmtically_and_send_it_as_a_mail?lang=en_us
We got this working in house and it is very convenient.
He describes 3 different approaches to the problem.

Jmeter variable from response

Is it possible to bind a value from the response to a variable and then pass it as a parameter to another HTTP request?
The earlier answer to this is hopelessly outdated.
Using the Post-Processor > Regular Expression Extractor, it is quite simple to extract any portion of the response.
The newer versions of JMeter also have Reg Exp tester options in the Listener > View Results in Tree, so you can perfect the regex till it does exactly what you want it to.
Also see Passing variable from one http request to another in Jmeter.
Earlier Answer:
It should be possible to extract an element from the response using the Regular Expression Extractor and store it in a variable which can be referred from further requests.
See Extract multiple strings on http://wiki.apache.org/jakarta-jmeter/RegularExpressions and this example http://jmeter-tips.blogspot.com/2010/06/tip-12-how-to-add-http-request-sampler.html
The official docs on this topic are this heading 19.5.1 __regexFunction

How do you access URL text following the # sign through Java?

Using Java (.jsp or whatever) is there a way where I can send a request for this page:
http://www.mystore.com/store/shelf.jsp?category=mens#page=2
and have the Java code parse the URL and see the #page=2 and respond accordingly?
Basically, I'm looking for the Java code that allows me to access the characters following the hash tag.
The reason I'm doing this is that I want to load subsequent pages via AJAX (on my shelf) and then allow the user to copy and paste the URL and send it to a friend. Without the ability of Java being able to read the characters following the hash tag I'm uncertain as to how I would manipulate the URL with Javascript in a way that the server would be able to also read without causing the page to re-load.
I'm having trouble even figuring out how to access/see the entire URL (http://www.mystore.com/store/shelf.jsp?category=mens#page=2) from within my Java code...
You can't.
The fragment identifier is only used client side, so it isn't sent to the server.
You have to parse it out with JavaScript, and then run your Ajax routines.
If you are loading entire pages (and just leaving some navigation and branding behind) then it almost certainly isn't worth using Ajax for this in the first place. Regular links work better.
Why can't you use a URL like this:
http://www.mystore.com/store/shelf.jsp?category=mens&page=2
If you want the data to be stored in the url, it's gotta be in the query string.