How to use JMeter to test encoding in HTTP Request? Burp Suite?

Question

I have to develop a security testing framework to make sure all output in our application is encoded.

I have many post & get http requests

Each request may have 1 or many parameters

What I wanted to do with JMeter:

I need to test each parameter individualy by changing the value to a string. So if I have 2 requests, 5 parameters each I will have to run 5 times. In addition I will have an assertion point to validate response data.

Some ideas I had was to record all the http requests.From the JMX file create a spreadsheet with request details, parameter & value. Go through the list and modify each value to my string value CANARY123!@#$%^&(. Then verify that the response data does not contain CANARY123!@#$%^&( and that in fact it came back encoded. Run test for each data row.

also thought these might be useful: counters, reg expression, user variables...

Should I use JMeter for this task? If so, how? Should I use something like Burp Suite?

Answer 1

you can typically use CSV Dataset that will contain parameters to be sent and test with assertions they are escaped.

Read:

• http://jmeter.apache.org/usermanual/test_plan.html

• http://jmeter.apache.org/usermanual/component_reference.html

Answer 2

I'd recommend using a security tool which specialises in this sort of thing - they will check for more than just encoding. Burp is very good, but the free version doesnt include automated scanning.

I'd recommend also looking at OWASP ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

I know a lot of people/companies using ZAP as an automated part of CI: theres some more info about this here: http://code.google.com/p/zaproxy/wiki/SecRegTests

Simon (ZAP Project Lead)