I am trying to benchmark Node.js Ghost with JMeter. I want to create a test plan which just signs in and then creates and publishes a post.
My problem now is that I do not get any session cookies, so every request on the backend fails. I already tried to change the CookieManager settings within the user.properties file.
I tried the following configuration:
CookieManager.check.cookies=false
CookieManager.delete_null_cookies=false
CookieManager.save.cookies=true
jmeter.save.saveservice.url=true
jmeter.save.saveservice.requestHeaders=true
This is the results tree (on the left side you can see my testplan setup):
I don't think Ghost uses cookies at all; the errors you're seeing are likely due to a failed login.
Looking into response to the first request:
It seems Ghost uses OAuth authentication.
So you need to do the following:
1. Extract this access_token value from the /ghost/api/v0.1/authentication/token request response. You can do it using JSON Path PostProcessor like
2. Configure HTTP Header Manager for next requests to send Authorization header with the value of Bearer ${access_token}
The whole process of getting dynamic content from previous request, converting it to JMeter Variable and adding as a parameter to next request is known as correlation.
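The correlation steps above, sketched in Python as an added example (not part of the original answer, and not JMeter or Ghost code): a constructed local stub issues a token at the path named in the answer, and the client extracts `access_token` and replays it as a Bearer header. The stub server, the `TOKEN` value and the `/posts` path are assumptions made for the demo.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "constructed-token-123"  # constructed sample value, not a real token
TOKEN_PATH = "/ghost/api/v0.1/authentication/token"  # path named in the answer
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # bypass proxies

class StubBackend(BaseHTTPRequestHandler):  # constructed local stand-in, not Ghost
    def _reply(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):  # login: hand out the token
        ok = self.path == TOKEN_PATH
        self._reply(200 if ok else 404, {"access_token": TOKEN} if ok else {})

    def do_GET(self):  # any GET stands in for an authenticated API call
        ok = self.headers.get("Authorization") == f"Bearer {TOKEN}"
        self._reply(200 if ok else 401, {"authorized": ok})

    def log_message(self, *args):  # silence per-request logging
        pass

def status_of(url, headers=None):
    try:
        with OPENER.open(urllib.request.Request(url, headers=headers or {})) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_correlation_demo():
    with HTTPServer(("127.0.0.1", 0), StubBackend) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}"
        try:
            login = urllib.request.Request(base + TOKEN_PATH, data=b"", method="POST")
            with OPENER.open(login) as resp:
                token = json.load(resp)["access_token"]  # JSON Path: $.access_token
            bearer = {"Authorization": f"Bearer {token}"}
            return status_of(base + "/posts"), status_of(base + "/posts", bearer)
        finally:
            server.shutdown()
```

`run_correlation_demo()` returns the status of the same GET sent without and with the correlated header, which is the difference between the failing and the working test plan.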
We are developing a chatbot to handle internal and external processes for a local authority. We are trying to display contact information for a particular service from our api endpoint. The HTTP request is successful and delivers, in part, exactly what we want but there's still some unnecessary noise we can't exclude.
We specifically just want the text out of the response ("Response").
Logically, it was thought all we need to do is drill down into ${dialog.api_response.content.Response} but that fails the HTTP request and ${x.content} returns successful but includes Tags, response and the fields within 1.
Is there something simple we've missed using composer to access what we're after or do we need to change the way our endpoint is responding 2? Unfortunately the MS documentation for FrwrkComp is lacking to say the very least.
n.b. The response is currently set up as a (syntactically) SSML response, this is just a test case using an existing resource.
Response in the Emulator
Snippet from FwrkComp
Turns out it was the first thing I tried just syntactically correct. For the case of the code given it was as simple as:
${dialog.api_response.content[0].Response}
I have a SharePoint-based application on which I need to perform load testing.
But when I'm recording the script, the response is not the same as in the browser, and thus I am unable to work out what needs to be done.
And in first 2 requests:
get page
post login
in these, there is no dynamic value, so I am not able to understand it.
First of all add HTTP Cookie Manager to your test plan
Second check all fields of the request from the browser (i.e. using browser developer tools) and JMeter and pay attention to URL and Headers
And last but not least, very often SharePoint installations are protected using NTLM or Kerberos. If this is the case you will need to add a properly configured HTTP Authorization Manager; see the Windows Authentication with Apache JMeter article for more details.
I am trying to login to a website and based on the REST API guide provided, I will be able to receive some data for an application.
The two steps required for me to enact are:
1. Send a HTTP post command for authentication.
2. Send a GET command for receiving the data.
When I send the POST command using Python requests, I receive the required JSON response showing my login rights, e.g. role admin.
However, when I perform the get command after, it doesn't retrieve the data but sends an HTML form showing that I require authentication even though I have authenticated already.
Has anyone encountered this and how will I be able to solve it?
I am working on this for a customer and as a result, cannot post the actual login I am using and url and will hence replace this with my name with the code I will display.
Thanks
You can take a look at the session object in the requests library. It's used to keep a session across multiple requests.
https://3.python-requests.org/user/advanced/#session-objects
import requests
s = requests.Session()
s.get('http://httpbin.org/cookies/set?authcookie=123')
r = s.get('http://httpbin.org/cookies')
print(r.text)
This is a sample that uses a request session object to call a url that sets a cookie and then does another call with the same session (including the cookie). Just some basic example using http://httpbin.org/.
I'm currently using a framework in Node.js (the botbuilder module from Microsoft Bot Framework) which uses the request[2] module to make HTTP requests.
I'm encountering a problem: this framework seems to send malformed JSON to Microsoft's servers, but I fail to see why, or what this JSON message is made of.
So I'm looking for a way to log those messages, to take a peek at this malformed JSON, as I don't have access to the request object (unless I heavily alter the framework code, which is not something one shall do).
So far, I'm able to log the response body (by adding request to the NODE_DEBUG environment variable), but not the original request body. I did try a tcpdump on our server but since it's all HTTPS there's nothing I can use there.
Any idea / tool that might help?
Thanks for your time.
Use Node.js middleware to log all your requests. For example, you could use the module request-debug.
Another popular request logging middleware worth knowing about is Morgan, from the Express.js server team.
Is it possible to validate if an HTTP request originated from the client as GET, but was intercepted in between and converted to POST, or vice versa?
It is one of the security validations required as part of the project I am working on, but I am not getting enough clues about it. One of the ways we thought of validating this is to check whether it is a GET request with a body; then it could be a POST. But that is just one case. Also, if a POST is changed to GET by forging the request, I believe the data in the body can also be removed.
edit: Added more information about the application and the interceptor
It is a regular Java web application developed using Struts with JSPs on the client side. The requests from the web pages are being intercepted using Burp Suite Proxy to change the payload in the request.