vegeta-server
Support Insecure Verify
When submitting an attack request with insecure set to true in the TLS configuration, the value does not get set. By default in the Go language, if insecure is not set, it will look to verify TLS if the target is serving https. This proposed change sets insecure regardless of whether certs are found or not, which is done in the vegeta library https://github.com/tsenart/vegeta/blob/19b74586217105bbde8ded6077c70095e97146bf/attack.go#L43 .
To Reproduce:
Submit an attack where insecure is true
curl --header "Content-Type: application/json" --request POST --data '{"rate": 5,"duration":"10s","body":"eyJ1c2VyX2lkIjWJhOjYmFhOCJ9Cg==","insecure":true,"target":{"method":"POST","URL":"https://localhost:8500/login","scheme":"http"}}' http://localhost:8080/api/v1/attack
View the report of the attack
curl http://localhost:8080/api/v1/report/e9bee353-6b6a-4cdf-8a3f-0e5d644fee43
{"id":"e9bee353-6b6a-4cdf-8a3f-0e5d644fee43","latencies":{"total":0,"mean":0,"max":0,"50th":0,"95th":0,"99th":0},"bytes_in":{"total":0,"mean":0},"bytes_out":{"total":0,"mean":0},"earliest":"2020-09-08T15:49:57.159557136-04:00","latest":"2020-09-08T15:50:06.95966272-04:00","end":"2020-09-08T15:50:06.95966272-04:00","duration":9800105584,"wait":0,"requests":50,"rate":5.101985848155735,"success":0,"status_codes":{"0":50},"errors":["Post \"https://localhost:8500/login\": x509: certificate signed by unknown authority"]}
Expected behavior: Status codes should return a non-zero value as well as no errors from the request.
After building and running the change, the expected output is returned:
{"id":"feb089a7-b6ab-49bf-bc9f-0b45e9c6721a","latencies":{"total":991264253,"mean":19825285,"max":24151538,"50th":19546985,"95th":23186075,"99th":24151538},"bytes_in":{"total":0,"mean":0},"bytes_out":{"total":2600,"mean":52},"earliest":"2020-09-08T14:00:13.920450625-04:00","latest":"2020-09-08T14:00:23.718906389-04:00","end":"2020-09-08T14:00:23.73893505-04:00","duration":9798455764,"wait":20028661,"requests":50,"rate":5.102844897631973,"success":1,"status_codes":{"200":50},"errors":[]}
After running make validate a new lint error showed due to my change:
pkg/vegeta/vegeta.go:18:2: if statements should only be cuddled with assignments used in the if statement itself (wsl)
if key != "" && cert != "" {
^
What are the recommendations? Should I just set insecure in attackWithOpts?
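The behaviour described in this pull request, as an added example that is not part of the pull request or the vegeta-server code base: `coupledTLS` and `decoupledTLS` are hypothetical functions modelling the `key != "" && cert != ""` condition from the lint output, and the target is a constructed local HTTPS test server with an untrusted certificate.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// coupledTLS (hypothetical) applies insecure only inside the client key/cert branch.
func coupledTLS(insecure bool, cert, key string) (*tls.Config, error) {
	cfg := &tls.Config{}
	if key != "" && cert != "" {
		pair, err := tls.X509KeyPair([]byte(cert), []byte(key))
		if err != nil {
			return nil, err
		}
		cfg.Certificates = []tls.Certificate{pair}
		cfg.InsecureSkipVerify = insecure
	}
	return cfg, nil
}

// decoupledTLS (hypothetical) applies insecure whether or not a key pair is supplied.
func decoupledTLS(insecure bool, cert, key string) (*tls.Config, error) {
	cfg := &tls.Config{InsecureSkipVerify: insecure}
	if key != "" && cert != "" {
		pair, err := tls.X509KeyPair([]byte(cert), []byte(key))
		if err != nil {
			return nil, err
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}

func main() {
	// Constructed target: a local HTTPS server whose certificate no trusted CA signed.
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	for _, build := range []func(bool, string, string) (*tls.Config, error){coupledTLS, decoupledTLS} {
		cfg, _ := build(true, "", "") // insecure requested, no client key pair
		client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
		if resp, err := client.Get(srv.URL); err != nil {
			fmt.Println("error:", err)
		} else {
			resp.Body.Close()
			fmt.Println("status:", resp.StatusCode)
		}
	}
}
```

With no client key pair supplied, the first configuration still verifies the server certificate and the request fails, while the second completes the request.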