Stress and Penetration: Test Your App to The Next Level with Yuk Recycle

William Rumanta
PPL A-4 YUK RECYCLE
5 min read · Apr 29, 2019
source: medium.com

As software developers, testing our app is just as important a task as developing features. Tests such as unit tests, functional tests and integration tests might fulfill the product’s requirement criteria. Is that it?

No. To make sure our product runs smoothly in production, there are many more tests we need to do. In this blog we will put our product-in-development, Yuk-Recycle, through two of them — stress and penetration tests.

More on Stress Test

What is it

A stress test benchmarks how many requests our app can handle in a given time or duration. The test mainly measures the system’s robustness and error handling under extremely heavy load.

Why do we need it

Consider the following scenarios:
1. One-hour-only sales event in an online shopping app in Indonesia
2. Selecting courses for next term via the academic website, on a single day, with more than 30k students accessing it at the same time

There are times when our app will be at the peak of its request load. To avoid any catastrophic problem, the app should be able to handle this.

Handling as many requests as possible is of course related to how scalable our app is. We can look at how the software architecture is built, how many components there are, and how powerful each component is. But it is not only about architecture: well-written software can also reduce the load on our hardware.

How we do it

In this blog, we will attempt a stress test of the Yuk-Recycle app using the wrk tool:
https://github.com/wg/wrk/

We will run the stress tests against our given server at http://152.118.201.222, on Docker port 21414.

Our first attempt runs a benchmark for 30 seconds, using 12 threads, and keeping 400 HTTP connections open.

First attempt

Looking at the statistics, there doesn’t seem to be any issue on our first attempt. So let’s bump up our test to see if our app can still hold up.

Our second attempt runs a benchmark for 60 seconds, using 20 threads, and keeping 1000 HTTP connections open.

Second attempt

Looking at the statistics for our second attempt, an issue appears. Over the 60 seconds of the test, we received 1008 timeouts. This means that in this attempt our Yuk-Recycle server is not able to keep up with this much traffic, so it raises a timeout for every request it cannot handle at that moment.
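Reading wrk’s numbers by eye, as done for the two attempts above, does not scale once a stress test is part of a build pipeline. The following script is an added example (not part of the original post, and not from the wrk project) that parses a wrk report and turns it into a pass/fail verdict. The two reports embedded in it are constructed samples in wrk’s output format: only the shape of the runs (12 threads / 400 connections / 30 s and 20 threads / 1000 connections / 60 s) and the 1008 timeouts of the second run come from the post; every other figure is made up. The root path on the server named above is also an assumption.

```python
"""
Added example (not part of the original post): parse wrk's summary report and
turn a run into a pass/fail verdict, so a stress test can gate a deployment
instead of being read by eye.

FIRST_RUN and SECOND_RUN are CONSTRUCTED samples in wrk's report format. The
commands that would produce such reports, assuming the root path of the
server named in the post, are:

    wrk -t12 -c400 -d30s http://152.118.201.222:21414/
    wrk -t20 -c1000 -d60s http://152.118.201.222:21414/
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FIRST_RUN = """\
Running 30s test @ http://152.118.201.222:21414/
  12 threads and 400 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency    48.12ms   21.37ms 312.55ms   89.10%
    Req/Sec   702.44    113.20     1.01k    71.23%
  251.83k requests in 30.02s, 61.47MB read
Requests/sec:   8388.74
Transfer/sec:      2.05MB
"""

SECOND_RUN = """\
Running 1m test @ http://152.118.201.222:21414/
  20 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency   801.36ms  412.90ms   2.00s    77.45%
    Req/Sec    60.11     31.08   202.00     68.90%
  71.20k requests in 1.00m, 17.38MB read
  Socket errors: connect 0, read 0, write 0, timeout 1008
Requests/sec:   1186.20
Transfer/sec:    296.39KB
"""

# wrk abbreviates large counts with a metric suffix, e.g. "22.10M requests".
_SCALE = {"": 1, "k": 1_000, "M": 1_000_000, "G": 1_000_000_000}


@dataclass
class WrkResult:
    threads: int
    connections: int
    requests: int            # completed responses
    requests_per_sec: float
    connect_errors: int
    read_errors: int
    write_errors: int
    timeouts: int
    non_2xx: int             # responses outside 2xx/3xx

    @property
    def errors(self) -> int:
        return (self.connect_errors + self.read_errors + self.write_errors
                + self.timeouts + self.non_2xx)

    @property
    def error_rate(self) -> float:
        """Errors per completed request (1.0 if nothing completed at all)."""
        return self.errors / self.requests if self.requests else 1.0


def parse_wrk(output: str) -> WrkResult:
    """Pull the counters a pass/fail decision needs out of a wrk report."""
    m = re.search(r"(\d+) threads and (\d+) connections", output)
    if m is None:
        raise ValueError("not a wrk report: thread/connection line missing")
    threads, connections = int(m.group(1)), int(m.group(2))

    m = re.search(r"(\d+(?:\.\d+)?)([kMG]?) requests in", output)
    requests = int(round(float(m.group(1)) * _SCALE[m.group(2)])) if m else 0

    # wrk prints the socket-error line only when at least one counter is non-zero.
    m = re.search(r"Socket errors: connect (\d+), read (\d+), write (\d+), timeout (\d+)", output)
    connect, read, write, timeout = tuple(int(x) for x in m.groups()) if m else (0, 0, 0, 0)

    m = re.search(r"Non-2xx or 3xx responses: (\d+)", output)
    non_2xx = int(m.group(1)) if m else 0

    m = re.search(r"Requests/sec:\s+([\d.]+)", output)
    rps = float(m.group(1)) if m else 0.0

    return WrkResult(threads, connections, requests, rps, connect, read, write, timeout, non_2xx)


def verdict(result: WrkResult, max_error_rate: float = 0.0, min_rps: float = 0.0) -> tuple[bool, str]:
    """Return (passed, reason). Defaults: no errors tolerated, no throughput floor."""
    if result.error_rate > max_error_rate:
        detail = f"{result.timeouts} timeouts" if result.timeouts else f"{result.errors} errors"
        return False, (f"{detail} over {result.requests} requests at {result.connections} "
                       f"connections (rate {result.error_rate:.4f} > {max_error_rate})")
    if result.requests_per_sec < min_rps:
        return False, f"{result.requests_per_sec:.0f} req/s is below the floor of {min_rps:.0f}"
    return True, f"{result.requests} requests, {result.requests_per_sec:.0f} req/s, errors within budget"


if __name__ == "__main__":
    for name, report in (("first attempt", FIRST_RUN), ("second attempt", SECOND_RUN)):
        ok, reason = verdict(parse_wrk(report))
        print(f"{name}: {'PASS' if ok else 'FAIL'} ({reason})")
```

With the default thresholds the first report passes and the second fails on its 1008 timeouts, matching the reading above; `max_error_rate` and `min_rps` let a team decide how much degradation is acceptable at a given connection count rather than treating any timeout as fatal.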

More on Penetration Test

What is it

Penetration test is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. Penetration testing can be automated with software applications or performed manually. Either way, the process involves gathering information about the target before the test, identifying possible entry points, attempting to break in — either virtually or for real — and reporting back the findings.

Why do we need it

Security is one of our priorities as developers. In Yuk-Recycle, we want to deliver a product that not only fulfills the criteria but also holds up in the long run once it is launched.

What kind of test

There are many kinds of security breach in a software app, such as injection, broken authentication, sensitive data exposure, etc. What we want to test in this article is injection.

We will perform a penetration test for SQL injection on Yuk-Recycle. SQL injection is an injection attack aimed specifically at SQL queries.

Let’s try a little simulation here on what SQL injection could do:

User X wants to log in to our app. User X uses the Customer App and fills in the login fields with username: iamX and password: Xisthebest, then presses the login button.

Our app service then handles user X’s input. It performs a query to check whether user X’s username and password exist in our database — the Customer table.

The SQL query to retrieve any data in the Customer table with the given conditions looks like this:

SELECT * FROM customers WHERE username='iamX' AND password='Xisthebest';

The output of the query is an array of records of any customer with the given username and password. If one or more records exist, then user X is valid to log in to our app.

BUT, let’s consider the next case: user Y trying to log in to the Customer app.

User Y wants to log in to our app. User Y uses the Customer App and fills in the login fields with username: ' OR 2 = 2 -- # and password: Ywashere, then presses the login button.

The SQL query to retrieve any data in the Customer table with the given conditions now looks like this:

SELECT * FROM customers WHERE username='' OR 2 = 2 -- #' AND password='Ywashere';

The two-dash symbol is the SQL syntax for commenting out the rest of the line. In this case, user Y uses it to comment out the password condition.

If we translate the SQL above into what our app actually executes, it looks like this:

SELECT * FROM customers WHERE username='' OR 2 = 2

In this SQL statement, the condition evaluates to TRUE because of the OR operator. As a consequence, our app selects all the customer data, so there exist records for the username and password given by user Y, and user Y is allowed to log in to our app.
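The simulation above can be reproduced end to end, and the fix shown beside it. The script below is an added example (not code from the post or from the Yuk-Recycle project): it builds the Customer table in an in-memory SQLite database, implements the login check once by pasting the input into the SQL text, exactly as in the query above, and once with bound parameters, and runs user Y’s input through both. The table columns and the two customer rows are constructed sample data; the post names only the table and user X’s credentials.

```python
"""
Added example (not the post's own code): the login query from the simulation
above, implemented twice against an in-memory SQLite database.

login_vulnerable builds the SQL by string formatting, like the query shown in
the post, so user Y's username comments out the password check.
login_safe binds the same inputs as query parameters, so the payload is
compared as a literal username and matches nothing.
"""
import sqlite3

# Constructed sample customers; the post gives only user X's credentials.
# Passwords are kept in clear text purely to mirror the post's query. A real
# system compares the submitted password against a salted hash (bcrypt,
# scrypt or Argon2), never against a plain-text column.
SAMPLE_CUSTOMERS = [
    ("iamX", "Xisthebest"),
    ("someoneelse", "hunter2"),
]

# User Y's input from the simulation above.
INJECTED_USERNAME = "' OR 2 = 2 -- #"
INJECTED_PASSWORD = "Ywashere"


def make_db() -> sqlite3.Connection:
    """Create an in-memory `customers` table filled with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT PRIMARY KEY, password TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def rendered_query(username: str, password: str) -> str:
    """The SQL text the vulnerable login builds, returned for inspection."""
    return f"SELECT * FROM customers WHERE username='{username}' AND password='{password}'"


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: user input becomes part of the SQL text (the post's query)."""
    rows = conn.execute(rendered_query(username, password)).fetchall()
    # "If one or more records exist, the user is valid": any row logs the user in.
    return len(rows) > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: the same query with bound parameters; input never becomes SQL."""
    rows = conn.execute(
        "SELECT * FROM customers WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    conn = make_db()
    print("query the vulnerable login executes for user Y:")
    print("  " + rendered_query(INJECTED_USERNAME, INJECTED_PASSWORD))
    print("vulnerable login, user Y's input:   ",
          login_vulnerable(conn, INJECTED_USERNAME, INJECTED_PASSWORD))
    print("parameterized login, user Y's input:",
          login_safe(conn, INJECTED_USERNAME, INJECTED_PASSWORD))
    print("parameterized login, user X:        ",
          login_safe(conn, "iamX", "Xisthebest"))
```

Run as a script, the vulnerable function returns True for user Y because SQLite treats everything after `--` as a comment and the remaining `username='' OR 2 = 2` matches every row; the parameterized version returns False because the whole payload is compared as a username string. The same rule applies to any value that reaches a query, including HTTP header values such as User-Agent when they are written to a database.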

How we do it

Back to the penetration test. We will perform the test using a tool called sqlmap to make it easier.

Simply run this command to perform the SQL injection test:

sqlmap.py -u http://152.118.201.222:21414/api/v1/customer/login --data="{\"email\":\"email\", \"password\":\"password\"}"

SQL injection test logs

Given the logs, there doesn’t seem to be any injection breach in the Yuk-Recycle app, at least in the Customer login.

Let’s raise the injection test to level 3. Here’s the result.

Shortened SQL Injection test logs (level 3)

Looking at the last line of the level-3 SQL injection test performed on the Yuk-Recycle app:

[05:27:53] [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401)

We have one case that successfully injected our Customer login:

[05:27:39] [INFO] testing for SQL injection on User-Agent parameter 'User-Agent'

Conclusion

In this article, reviewing one test after another, it seems that our currently-developed Yuk-Recycle app still has room for improvement. We will of course revisit our stress test and penetration test once or a few more times in the future.

Thank you for reading this article!
