Json http respone, if else statement - c++

I CANNOT ALTER THE JSON RESPONSE, SHOWN BELOW.
I want to be able to detect when the POST message was successfully entered into the database. When the data is successfully entered the response is:
{"status":"success","message":"successfully inserted"}
I want to then use an if-else statement in Arduino to detect when this is received from the server. So my code will look something like this:
while(client.available())
{
String line = client.readStringUntil('\n');
Serial.print(line);
Serial.print("\n");
if(line == "{"status":"success","message":"successfully inserted"}")
{
update_var++;
Serial.print("SUCCESSFUL");
break;
}
else
{
Serial.print("UNSUCCESSFUL");
}
}
However, a problem immediately arises in the if statement. This is due to the quotation marks also appearing in the string. How do I use an if-else statement when receiving JSON response?

This just requires escaping if you're testing literally:
if (line == "{\"status\":\"success\",\"message\":\"successfully inserted\"}")
Keep in mind this could just as easily have the keys swapped, there's no guarantee they'll be in that order. This is why using a proper JSON parser is imperative.

I recommend using a JSON library for parsing JSON but if that's not an option, I recommend comparing your String with a raw string literal (option 6 in the link) to avoid escaping of any character:
if(line == R"aw({"status":"success","message":"successfully inserted"})aw") {
// ...
}

Related

Regular expression not working inside string

I need to validate JSON through cucumber and this JSON is generated run time. JSON is like below.
{
"k1":["A", "B1234"]
}
Here 1234 is any random number appended with B.
I am using below template to validate any JSON like above-
{
"k1":["A", "B[0-9]+"]
}
But this is not working. I am getting message like Unable to validate JSON.
Any suggestion is highly appreciated.
Thanks
Use this
{
"k1":["A", "B\[0\-9\]\+"]
}
it should work.

CloudWatch Metric Filter for checking JSON key exists

I'm trying to come up with a metric filter expression that filters CloudWatch Logs when a special JSON key attribute is present.
Use case is the following: the application does all kinds of logging(in JSON format) and whenever it has a special JSON key(nested JSON response from third-part service), I would like to filter it.
Example logs:
{"severity":"INFO","msg":"EVENT","event":{"key1":"value1"}}
{"severity":"INFO","msg":"FooService responded","response":{"response_code":800}}
Filter patterns that I've tried that don't work:
{ $.response }
{ $.response = *}
{ $.response = "*"}
{ $.response EXISTS }
{ $.response IS TRUE }
{ $.response NOT NULL }
{ $.response != NULL }
Expected filtering result:
{"severity":"INFO","msg":"FooService responded","response":{"response_code":800}}
{ $.response EXISTS } does the opposite of what I expect(returns the 1st line rather than then 2nd) but I'm not sure how to negate it.
Reference material: Filter and pattern syntax # CloudWatch User Guide
I haven't found a good solution.
But I did find one at least.
If you search for a key being != a specific value, it seems to do a null check on it.
So if you say:
{$.response != "something_no_one_should_have_ever_saved_this_response_as"}
Then you get all entries where response exists in your json, and where it's not your string (hopefully all of the valid entries)
Definitly not a clean solution, but it seems to be pretty functional
I don't have a solution to the task of finding records where a field exists. Indeed, the linked document in the question specifically calls this out as not supported.
but
If we simply reverse our logic this becomes a more tractable problem. Looking at your data, you want All records where there's a response key but that could also be stated as All records where there isn't an events key.
This means you could accomplish the task with {$.event NOT EXISTS}. Of course, this becomes more complicated the more types of log messages you get (I had to chain three different NOT EXISTS queries for my use case) but it does solve the problem.

xss exploit on hardcoded message string

New to pentesting. I ran a vulnerability analysis that points the application that I am testing has quite a few xss vulnerability.
Now how to proceed from here?
Report Screenshot
Source Code :
if(Name !=null)
{
if(Name.equals(server))
{
String appName = request.getParameter("appName");
if(appName !=null && appName.equals(CommonUtil.getProductName()))
{
message = addProductDetails(request, productName, message);
}
}
else if(Name.equalsIgnoreCase(test))
{
ADSMPersUtil.updateSyMParameter("IS_INTEGRATED", "true");
message = "Successfully Integrated";//No I18N
}
else{message = addProductDetails(request, productName, message);}
}
PrintWriter out = response.getWriter();
response.setContentType("text/html");//No I18N
out.println(message);
out.close();
}
catch(Exception e){e.printStackTrace();}
}
If message is not HTML, then it needs to be HTML encoded before being inserted into a HTML stream. Characters like <, >, ", ', & need to be converted to their corresponding HTML entities.
With JSP, then the <c:out> tag does this encoding, and other templating languages have similar ways of doing this.
When writing to the OutputStream directly from Java, then you can use Java methods to do the escaping. See: Recommended method for escaping HTML in Java
If message is already HTML, then the code that generates the HTML similarly needs to escape any data values inserted within it.
With constant strings that don't contain any of these special characters, then you can treat it as a HTML string, or a plain-text string. It's more robust to escape these Strings anyway when outputting them, which prevents any XSS issues from being introduced if the strings change in the future, especially if they're being created in other methods.

postman: Is there any way to figure out the data file type/name during execution?

I need to create pre-request scripts that adapt behavior based on whether data is sourced via json or csv files.
Is there any runtime mechanism to determine the data file type or the name of the data file?
Something that helps me do the following,
if (data.fileType === "json") {
//data interpretation as per json hierarchy
} else {
//data interpretation as per csv structure
}
Here, what can I use to replace data.fileType?
Or is it possible to figure out data.fileName?
You can try parsing data as json.
var parsedData;
try {
parsedData = JSON.parse(data); // Will throw an error if data not JSON
// Your logic to parse data as JSON goes here
} catch (e) {
parsedData = data; // data is not JSON, check for CSV
// Your logic to parse as CSV goes here
}

Pulling multiple values from JSON response using RegEx Extractor

I'm testing a web service that returns JSON responses and I'd like to pull multiple values from the response. A typical response would contain multiple values in a list. For example:
{
"name":"#favorites",
"description":"Collection of my favorite places",
"list_id":4894636,
}
A response would contain many sections like the above example.
What I'd like to do in Jmeter is go through the JSON response and pull each section outlined above in a manner that I can tie the returned name and description as one entry to iterate over.
What I've been able to do thus far is return the name value with regular expression extractor ("name":"(.+?)") using the template $1$. I'd like to pull both name and description but can't seem to get it to work. I've tried using a regex "name":"(.+?)","description":"(.+?)" with a template of $1$$2$ without any success.
Does anyone know how I might pull multiple values using regex in this example?
You can just add (?s) to the regex to avoid line breaks.
E.g: (?s)"name":"(.+?)","description":"(.+?)"
It works for me on assertions.
It may be worth to use BeanShell scripting to process JSON response.
So if you need to get ALL the "name/description" pairs from response (for each section) you can do the following:
1. extract all the "name/description" pairs from response in loop;
2. save extracted pairs in csv-file in handy format;
3. read saved pairs from csv-file later in code - using CSV Data Set Config in loop, e.g.
JSON response processing can be implemented using BeanShell scripting (~ java) + any json-processing library (e.g. json-rpc-1.0):
- either in BeanShell Sampler or in BeanShell PostProcessor;
- all the required beanshell libs are currently provided in default
jmeter delivery;
- to use json-processing library place jar into JMETER_HOME/lib folder.
Schematically it will look like:
in case of BeanShell PostProcessor:
Thread Group
. . .
YOUR HTTP Request
BeanShell PostProcessor // added as child
. . .
in case of BeanShell Sampler:
Thread Group
. . .
YOUR HTTP Request
BeanShell Sampler // added separate sampler - after your
. . .
In this case there is no difference which one use.
You can either put the code itself into the sampler body ("Script" field) or store in external file, as shown below.
Sampler code:
import java.io.*;
import java.util.*;
import org.json.*;
import org.apache.jmeter.samplers.SampleResult;
ArrayList nodeRefs = new ArrayList();
ArrayList fileNames = new ArrayList();
String extractedList = "extracted.csv";
StringBuilder contents = new StringBuilder();
try
{
if (ctx.getPreviousResult().getResponseDataAsString().equals("")) {
Failure = true;
FailureMessage = "ERROR: Response is EMPTY.";
throw new Exception("ERROR: Response is EMPTY.");
} else {
if ((ResponseCode != null) && (ResponseCode.equals("200") == true)) {
SampleResult result = ctx.getPreviousResult();
JSONObject response = new JSONObject(result.getResponseDataAsString());
FileOutputStream fos = new FileOutputStream(System.getProperty("user.dir") + File.separator + extractedList);
if (response.has("items")) {
JSONArray items = response.getJSONArray("items");
if (items.length() != 0) {
for (int i = 0; i < items.length(); i++) {
String name = items.getJSONObject(i).getString("name");
String description = items.getJSONObject(i).getString("description");
int list_id = items.getJSONObject(i).getInt("list_id");
if (i != 0) {
contents.append("\n");
}
contents.append(name).append(",").append(description).append(",").append(list_id);
System.out.println("\t " + name + "\t\t" + description + "\t\t" + list_id);
}
}
}
byte [] buffer = contents.toString().getBytes();
fos.write(buffer);
fos.close();
} else {
Failure = true;
FailureMessage = "Failed to extract from JSON response.";
}
}
}
catch (Exception ex) {
IsSuccess = false;
log.error(ex.getMessage());
System.err.println(ex.getMessage());
}
catch (Throwable thex) {
System.err.println(thex.getMessage());
}
As well a set of links on this:
JSON in JMeter
Processing JSON Responses with JMeter and the BSF Post Processor
Upd. on 08.2017:
At the moment JMeter has set of built-in components (merged from 3rd party projects) to handle JSON without scripting:
JSON Path Extractor (contributed from ATLANTBH jmeter-components project);
JSON Extractor (contributed from UBIK Load Pack since JMeter 3.0) - see answer below.
I am assuming that JMeter uses Java-based regular expressions... This could mean no named capturing groups. Apparently, Java7 now supports them, but that doesn't necessarily mean JMeter would. For JSON that looks like this:
{
"name":"#favorites",
"description":"Collection of my favorite places",
"list_id":4894636,
}
{
"name":"#AnotherThing",
"description":"Something to fill space",
"list_id":0048265,
}
{
"name":"#SomethingElse",
"description":"Something else as an example",
"list_id":9283641,
}
...this expression:
\{\s*"name":"((?:\\"|[^"])*)",\s*"description":"((?:\\"|[^"])*)",(?:\\}|[^}])*}
...should match 3 times, capturing the "name" value into the first capturing group, and the "description" into the second capturing group, similar to the following:
1 2
--------------- ---------------------------------------
#favorites Collection of my favorite places
#AnotherThing Something to fill space
#SomethingElse Something else as an example
Importantly, this expression supports quote escaping in the value portion (and really even in the identifier name portion as well, so that the Javascript string I said, "What is your name?"! will be stored in JSON as AND parsed correctly as I said, \"What is your name?\"!
Using Ubik Load Pack plugin for JMeter which has been donated to JMeter core and is since version 3.0 available as JSON Extractor you can do it this way with following Test Plan:
namesExtractor_ULP_JSON_PostProcessor config:
descriptionExtractor_ULP_JSON_PostProcessor config:
Loop Controller to loop over results:
Counter config:
Debug Sampler showing how to use name and description in one iteration:
And here is what you get for the following JSON:
[{ "name":"#favorites", "description":"Collection of my favorite places", "list_id": 4894636 }, { "name":"#AnotherThing", "description":"Something to fill space", "list_id": 48265 }, { "name":"#SomethingElse", "description":"Something else as an example", "list_id":9283641 }]
Compared to Beanshell solution:
It is more "standard approach"
It performs much better than Beanshell code
It is more readable