How can I parse Outsystems OSVSTATE token to subsequent requests in Jmeter? - javascript

I have created a jmeter script for Outsystems applications ( by recording and as well as creating raw request) however when I try to pass _OSVSTATE value from login page to subsequent requests I am getting an base64 encoding errors. I tried sending the request with encoding and without encoding but the result is same. Could anyone please help me/ advise me of how to overcome this issue. Any help is highly appreciated.

Looking into View state in OutSystems Applications article I don't think you need to encode/decode the __OSVSTATE parameter, you just need to extract it from the previous response, save into a JMeter Variable and add the variable as the parameter for the next request.
You can extract the value using i.e. CSS Selector Extractor configured like:
Name of created variable: anything meaningful, i.e. OSVSTATE
CSS Selector Expression: input[__id=__OSVSTATE]
Attribute: value
That's it, now you have the parameter value in the ${OSVSTATE} JMeter Variable, feel free to use it where required.

Related

Encoded HTML Tags in Query String still causing 500 Error

Hoping this is a quick fix.
I'm sending a query string from an AngularJS application to a web API coded in C#. The string contains a "message" value which may or may not contain url-encoded HTML tags.
Here's a basic example:
msg = "<a>"
querystring = "/SERVERPATH/?id=1&msg=%3Ca%3E"
Sending the string above to my API results in a 500 Error and the "msg" value never actually reaches the server. On the other hand, adding a space before and after the "a" causes everything to work great.
msg = "< a >"
querystring = "/SERVERPATH/?id=1&msg=%3C%20a%20%3E"
Is there a special type of validation occurring that I don't know about, and is there a way to configure these rules myself?
This is probably web.config related, but I could be totally wrong about that. Any input would be greatly appreciated.
The error code 500 is for internal server error. It means your code do reach your web service. By your example (where on putting a space before and after 'a' makes everything work) I am pretty sure that request validation is failing at your web service. To understand request validation please visit this link.
A word of caution: Try not to disable request validation on your web service. Doing that poses a huge security threat.
You may consider a work around, where instead of using URLEncode you can use HTMLEncode for encoding the query string values (values only).

Encoding URL GET variable

I want to ask you how can I safely encode multiple GET variables from my URL and put them in one, then it send it to another page.
Thank you for your time!
If your intention is to increase security of the data being sent through URL then you should go for POST method instead of GET. Otherwise if you are bound to use GET then use some encryption(A way of encoding) standards e.g. MD5 on the data before you put them in the URL using GET method.
There are functionalities available on server side that can be used for the encryption.

How to pass array as a parameter to a plsql procedure through javascript

I am calling a plsql procedure from window.opener.location.href, I want to pass an array as a parameter to this procedure.
window.opener.location.href="dt_bulk_test_pkg.pc_bulk_test?ps="+frmresult.ps.value+
"&p_step="+frmresult.p_step.value+
"&p_year="+frmresult.p_year.value+
"&p_quarter="+frmresult.p_quarter.value+
"&p_diagnostic_type="+frmresult.p_diagnostic_type.value+
"&p_overwrite="+frmresult.p_overwrite.value+
"&p_company_id="+v_comp_id;
v_comp_id is an array.
PL/SQL is a database technology, Javascript is an in-browser technology (unless you're doing server side JS with node or Rhino but you are not). The browser can only communicate with web servers. So from the point of javascript, you're not calling a stored procedure, you're calling a web-server that you must have running somewhere that calls that stored procedure.
How exactly arrays are represented is up to the server-side language/web-framework, but a fairly standard approach is that taken by jQuery's $.param method. For example, opening up the console on this site I can do this:
> $.param({example: [1,2,3]})
"example%5B%5D=1&example%5B%5D=2&example%5B%5D=3"
Words of warning.
Exposing database stored procedures directly via HTTP is not only bad design, but likely a crazy-bad security risk.
Embedding parameters in a url means you are using an HTTP GET request. GET requests are meant for resources that do not affect the state of the server so be careful that your stored procedure only gets data, not changes it. The danger is that someone could put that url in an email or even an img src tag on a webpage and people would hit that url simply by clicking a link or visiting a web page.
All parameters should pass through url encoding. Like I mentioned, jQuery.param will do this.
You are likely exposing yourself to XSS attacks as well.
I know that this is an old thread but I landed here so I guess others will.
It is quite possible to pass arrays to PL/SQL via a URL and it is explicitly supported, not a dodgy hack. Link to Oracle doc
You declare the PL/SQL input parameter as a table of varchar2. Then you pass the same parameter name repeatedly in the URL.
1/ Example PL/SQL source:
CREATE OR REPLACE PROCEDURE test_array(
p IN dbms_sql.varchar2_table )
AS
BEGIN
FOR i IN p.FIRST .. p.LAST
LOOP
htp.p(p(i)||'<br>');
END LOOP;
END test_array;
*2/ Example URL to invoke it: - substitute XXXXXXXXXXXXXX with your own setup *
http://XXXXXXXXXXXXXX/test_array?p=first ele&p=second ele
3/ Output
first ele
second ele
You can pass in as many elements as you want, I just used 2 for this example.
If your data type is not varchar2, capture them as varchar2 from the URL anyway and convert them to numbers etc inside the pl/sql.

Finding Dynamically generated parameter values to be sent with http post method to login

I want to login to hotmail email account with httpclient. For that I need to pass 21 parameters to http post method including username and password. I found this out through temper data addon in firefox. I also found out that few of them are generated dynamically.(i.e. their values change each time we reload the page). My problem is to how do I find these dynamically generated values of the parameters which have to be passed in http post. I tried to find them with firebug addon but it did not help ! I think values are generated by javascript. If it is, then how do I parse them ? I have used Html parser before but it seems that it does not support javascript parsing. I would appreciate any idea regarding this.
Thank you.
This might be some form of CSRF anti forgery token, in which case I don't think you going to come right. They might be stored in some cookie, or in a hidden element in the page.
More info: http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

request parameters ordering undefined [in multipart/form-data or in general] - what to do?

I am writing a web application that submits a form (one of its fields is mulitpart/form-data, so obviously POST must be used and not GET, since the files might be really big). One of the fields is kinda transaction/upload_id and the other is obviously the file contents. While uploading, a progress bar must be displayed.
The known fact says that the order of parameters is undefined in general, meaning that any of (file content / upload_id) might come first.
Is there any acceptable / recommended way to cause the browser to send the upload_id before sending the file content?
Is it a considered a correct implementation - to expect the upload_id to come first OR there is a better / most common / more correct way to handle the problem? In that case - it would be fantastic to hear some details.
Update: my server-side language is Java/Servlets 3.0
Well, the better answer (without utilizing filters) would be to publish the upload_id(s) as a part of the URL (after '?'), even when issuing a POST request. In that case, they will be always processed ahead of files' contents.
Using servlets as well, and in my case I wanted to run my CSRF filter in my servlet before I started streaming the file: if the filter failed, I can kill the request before I've uploaded my 20gb video file, as opposed to the default PHP implementation where the server only hits your script AFTER its parsed the entire request.
Its been a bit of a hack on my part, but in the couple of cases I've had to do this I've cheated and put the non-file request parameters into the URL and in every case (using pretty much every browser I've tested with) an Iterator over the request parameters on the server (I'm using commons fileupload in streaming mode) has received the non-file request parameters first before the file data was received. Somewhat fragile, but not unworkable.
I'm assuming that if you order your request parameters with the file <input> as the last item you'll get the same behavior.
You shouldn't have to worry about the order in which the parameters are sent. If so, then your server-side code is very brittle.
A multi-part request will contain the field name of every form field that is passed in. Use the name to reference that field regardless of the order it was sent in.
If you are parsing the post body by hand, I suggest you look at existing projects like Apache FileUpload which abstract that away.

Categories

Resources