Authenticate using Webinject and do Web transaction


Ankam Ravi Kumar

Feb 5, 2019, 11:48:08 AM
to WebInject
Hi All,

We have an Oracle web forum and would like to do the below monitoring steps:

1. URL Web page loading - Working fine
2. Authenticate and grab keyword - Not working, getting authentication failed

I am unable to grab the dynamic URL change, due to which authentication is not working. Can anyone help me out?


Below are the details
============== Browser Developer Mode POST Parameters =======================
p_flow_id: 4550
p_flow_step_id: 1
p_instance: 13782816412778
p_page_submission_id: 17143288103490
p_request: F4550_P1_PASSWORD
p_arg_names[]:
    0: 232291604030150875
    1: 30250621039456935
    2: 30251012844458645
    3: 30251520608467092
    4: 1778434620188603210
    5: 1778434823687603211
    6: 1778435028760603211
    7: 1778435208234603211
p_t01: Reset+Password
p_arg_checksums: 232291604030150875_D0075E6A7EB4E889FEBACABA11D7BC74
p_t02: testing
p_t03: username
p_t04: password
p_t05:
p_t06:
p_t07:
p_t08:
p_md5_checksum:
p_page_checksum: 17F159DA193D85DBDA4E5AFEEF605A81

=====================================================================

-------------------------------------- Test_data.xml File ---------------------------------------------------

<testcases repeat="1">

<case
    id="1"
    url="http://arkit.co.in:7030/ords/"
    posttype="application/x-www-form-urlencoded"
    verifyresponsecode="302"
    errormessage="Can not display the login page."
    logrequest="no"
    logresponse="no"
/>
<case
      id="2"
      method="post"
      url="http://arkit.co.in:7030/ords/f?p=4550:1"
      posttype="application/x-www-form-urlencoded"
      postbody="p_t02=testing&p_t03=username&p_t04=password"
      verifyresponsecode="200"
      verifynegative="Authentication Denied"
      verifypositive="Application Builder"
      errormessage="Login failed."
      logrequest="no"
      logresponse="no"
/>

</testcases>
--------------------------------------------------------------------------------------------------------------------------------

+++++++++++++++++++++++++++++ Webinject.pl test output +++++++++++++++++++++++++++
WebInject CRITICAL - Login failed.

Test: Web_Transaction_testdata.xml - 1
GET Request: http://arkit.co.in:7030/ords/
Verify Response Code: "302"
Passed HTTP Response Code Verification
TEST CASE PASSED
Response Time = 0.131 sec
-------------------------------------------------------
Test: Web_Transaction_testdata.xml - 2
POST Request: http://arkit.co.in:7030/ords/f?p=4550:1
Verify Response Code: "200"
Passed HTTP Response Code Verification
Verify: 'Application Builder'
Failed Positive Verification
Verify Negative: 'Authentication Denied'
Passed Negative Verification
TEST CASE FAILED : Login failed.
Response Time = 0.063 sec
-------------------------------------------------------

Test Cases Run: 2
Test Cases Passed: 1
Test Cases Failed: 1
Verifications Passed: 3
Verifications Failed: 1

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Thanks,
Ravi.

Tim Buckland

Feb 5, 2019, 3:46:37 PM
to WebInject
I would remove the logrequest / logresponse parameters from your test and run it, then look in the http.txt and examine the full request and response headers of each step plus the response html to get more clues on what might be going wrong.

You might also want to look at my fork of WebInject which is a project I've called WebImblaze: https://github.com/Qarj/WebImblaze

It has many updates and new features, but a different test file format.

There are also many examples in the project and also in the manual.

In addition there are blog posts showing how to post forms or to an API

And perhaps you are using Nagios - there is a post on that also:

Best of luck!

Gmail

Feb 5, 2019, 4:10:59 PM
to webi...@googlegroups.com
You also can check if case 2 needs a Referer

Regards,
Dirk

tim.buckland

Feb 6, 2019, 1:25:56 PM
to webi...@googlegroups.com
Sure I'll help you some more tonight




-------- Original message --------
From: Ankam Ravi Kumar <aravik...@gmail.com>
Date: 06/02/2019 09:19 (GMT+00:00)
To: WebInject <webi...@googlegroups.com>
Subject: [webinject] Re: Authenticate using Webinject and do Web transaction

WebImBlaze results

Test Case
==========================================
step: Get Loaded Home Page
url: http://oracle.web.forum:7030/ords/
parseresponse: p_instance
parseresponse1: p_instance
parseresponse2: p_page_submission_id
parseresponse3: p_arg_names
parseresponse4: p_arg_checksums
parseresponse5: p_page_checksum
verifyresponsecode: 302
verifypositive: Express Login

step: Login Check
url: http://oracle.web.forum:7030/ords/wwv_flow.accept
postbody: p_flow_id=4550&p_flow_step_id=1&p_instance=[{PARSEDRESULT}]&p_page_submission_id={PARSEDRESULT2}&p_request=LOGIN_BUTTON&p_arg_names={PARSEDRESULT3}&p_t01=Reset+Password&p_arg_checksums={PARSEDRESULT4}&p_t02=finisar_ws&p_t03=USERNAME&p_t04=PASSWORD&p_t05=&p_t06=&p_t07=&p_t08=&p_md5_checksum=&p_page_checksum={PARSEDRESULT5}
verifypositive: Application

===========================================================

Starting WebImblaze Engine...

-------------------------------------------------------
Test:  tests/hello.test - 10
Get Loaded Home Page
Verify Positive: "Express Login"
Verify Response Code: "302"
Failed Positive Verification 0

Passed HTTP Response Code Verification
TEST STEP FAILED
Response Time = 0.459 sec
-------------------------------------------------------
Test:  tests/hello.test - 20
Login Check
Verify Positive: "Application"
Failed Positive Verification 0

Passed HTTP Response Code Verification
TEST STEP FAILED
Response Time = 0.431 sec
-------------------------------------------------------
Start Time: Wed 06 Feb 2019, 14:42:48
Total Run Time: 0.972 seconds

Total Response Time: 0.890 seconds

Test Steps Run: 2
Test Steps Passed: 0
Test Steps Failed: 2
Verifications Passed: 4
Verifications Failed: 2

Tim Buckland

Feb 6, 2019, 3:32:16 PM
to WebInject
Do you know if there is a similar web forum to yours available on the internet? It is really hard to guess what to do without seeing anything.

Some general comments - instead of getting a page that is going to redirect straight away, just go to the final destination in the first place. In your example that looks to be


It is the form that should contain the data you need to parse, not the initial url that you get that redirects.

How you parse the data depends on how it appears on the form page.

If you were trying to parse the value for request_id for the following example:

<input type="hidden" name="request_id" value="3481334601766614495">

Then you would write:

parseresponse1: name="request_id" value="([^"]+)"

Now the variable {1} would contain the required value.


WebImblaze has a mode that attempts to parse the data automatically, so something like this might work, but it depends on the actual login form:

step: Get login form
verifypositive: Express Login

step: Post login details
postbody: p_flow_id=4550&p_flow_step_id=1&p_instance={DATA}&p_page_submission_id={DATA}&p_request=F4550_P1_PASSWORD&p_arg_names={DATA}&p_t01=Reset Password&p_arg_checksums={DATA}&p_t02=oracle_ws&p_t03=USERNAME&p_t04=PASSWORD&p_t05=&p_t06=&p_t07=&p_t08=&p_md5_checksum=&p_page_checksum={DATA}
verifypositive: Application

There are many examples on parseresponse in the manual: https://github.com/Qarj/WebImblaze/blob/master/MANUAL.md#parseresponse

I recommend learning how to make regular expressions, and you can test them here: https://regex101.com/




Tim Buckland

Feb 7, 2019, 1:34:02 AM
to WebInject
Ok, I got this to work without too much trouble on the public Oracle APEX demo page. I think it might be a newer version of the framework than what you are using, but it gives you an idea of how to do it.

Here are the steps (some details __REMOVED__ as indicated):

step:                   Get login page
verifyresponsecode:     302
parseresponseREDIRECT:  Location: ([^\n]+)

step:                   (redirect) Get login page
url:                    {REDIRECT}
parseresponseSALT:      value="([^"]+)" id="pSalt"
parseresponsePROTECTED: id="pPageItemsProtected" value="([^"]+)"
parseresponseCK:        data-for="P1_RESET_PASSWORD_LABEL" value="([^"]+)"
parseresponsePAGE_ID:   name="p_page_submission_id" value="([^"]+)"
parseresponseINSTANCE:  value="([^"]+)" id="pInstance"
verifypositive:         Remember workspace and username

step:                   Build JSON
varP_JSON:              {"salt":"{SALT}","pageItems":{"itemsToSubmit":[{"n":"P1_RESET_PASSWORD_LABEL","v":"Reset Password","ck":"{CK}"},{"n":"F4550_P1_COMPANY","v":"__REMOVED__"},{"n":"F4550_P1_USERNAME","v":"__REMOVED__"},{"n":"F4550_P1_PASSWORD","v":"__REMOVED__"},{"n":"F4550_P1_REMEMBER","v":[]},{"n":"P1_NEXT_APP","v":""},{"n":"P1_NEXT_PAGE","v":""},{"n":"P1_NEXT_ITEMS","v":""},{"n":"P1_NEXT_VALUES","v":""}],"protected":"{PROTECTED}","rowVersion":""}}

step:                   Debug - examine JSON
shell:                  echo {P_JSON}

step:                   Post username and password
url:                    https://apex.oracle.com/pls/apex/wwv_flow.accept
postbody:               p_json={P_JSON}&p_flow_id=4550&p_flow_step_id=1&p_instance={INSTANCE}&p_page_submission_id={PAGE_ID}&p_request=LOGIN_BUTTON&p_reload_on_submit=A
parseresponseREDIRECT:  Location: ([^\n]+)
verifyresponsecode:     302

step:                   Get logged in home page
url:                    {REDIRECT}
verifypositive:         News and Messages


You can create your own free workspace at https://apex.oracle.com/en/ and substitute in your own workspace, username, and password and you'll see that the script works.
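
The parse-then-post pattern from the two replies above, as an added example that is not part of the original thread or of WebInject/WebImblaze: it reads every input from the login form with an HTML parser, so attribute order does not matter, echoes the server-issued values back, and URL-encodes the body. The sample form is constructed, `FormFields` and `build_login_body` are hypothetical names, and `p_request` is supplied by the caller as in the postbody lines above.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample of an APEX-style login form (not captured from a real server).
# Attribute order differs between inputs, which defeats order-specific regexes.
SAMPLE_FORM = """
<form action="wwv_flow.accept" method="post" name="wwv_flow">
<input type="hidden" name="p_flow_id" value="4550" id="pFlowId">
<input type="hidden" value="1" name="p_flow_step_id" id="pFlowStepId">
<input type="hidden" name="p_instance" value="1111222233334" id="pInstance">
<input type="hidden" name="p_page_submission_id" value="5555666677778">
<input type="hidden" name="p_arg_names" value="900000000000000001">
<input type="text" name="p_t02" value="">
<input type="text" name="p_t03" value="">
<input type="password" name="p_t04" value="">
<input type="hidden" name="p_arg_names" value="900000000000000002">
<input type="hidden" name="p_page_checksum" value="ABCDEF0123456789&amp;X">
</form>
"""

class FormFields(HTMLParser):
    """Collect (name, value) for every <input>, in document order."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values arrive with HTML entities decoded
        if tag == "input" and a.get("name"):
            self.fields.append((a["name"], a.get("value") or ""))

def build_login_body(html, credentials, request="LOGIN_BUTTON"):
    """Echo server-issued fields back, fill in credentials, URL-encode."""
    parser = FormFields()
    parser.feed(html)
    # Repeated names (p_arg_names) are kept as repeated pairs, in order.
    pairs = [(n, credentials.get(n, v)) for n, v in parser.fields]
    missing = set(credentials) - {n for n, _ in pairs}
    if missing:
        raise ValueError(f"form has no field(s): {sorted(missing)}")
    pairs.append(("p_request", request))  # assumption: set by the caller
    return urlencode(pairs)

if __name__ == "__main__":
    # Placeholder credentials; a monitoring job would read these from a secret store.
    creds = {"p_t02": "WORKSPACE", "p_t03": "USERNAME", "p_t04": "PASSWORD"}
    print(build_login_body(SAMPLE_FORM, creds))
```

The `ValueError` is the useful failure for a monitor: if the form no longer contains the expected credential fields, the page layout changed and the step should fail before anything is posted.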




Ankam Ravi Kumar

Feb 7, 2019, 8:04:35 AM
to WebInject
Yes, you're correct, we are using Oracle APEX; however, it's an old version of it.

Product Build:    4.2.5.00.08
Schema Compatibility:    2012.01.01

I was testing with my test workspace here are the details


WorkSpace: arkit
Password: Test@123

I notice that the web response code is 501 instead of 302.


Tim Buckland

Feb 7, 2019, 4:04:24 PM
to WebInject
The credentials you gave don't work when I try to use them manually, I get an "Invalid Login Credentials" message

WORKSPACE:           arkit
USERNAME:            aravik...@gmail.com
PASSWORD:            Test@123

