This repository has been archived by the owner on Aug 31, 2018. It is now read-only.

Running Your First Test

Scott Behrens edited this page Jul 24, 2017 · 1 revision

Overview

This section walks through running your first exercise. Note: You will need to supply your own URLs for the test, as conducting load testing on applications you do not own may be illegal.

Configuration

Let's first take a look at our sample commands.json we'll use for this test:

{
  "hostname": "www.netflix.com",
  "urls": [
    "https://www.netflix.com/?foo=$$AUTH$$",
    "https://www.netflix.com/geo?test"
  ],
  "perform_sanity_check": true,
  "sanity_check_url": "https://www.netflix.com/account/geo",
  "verb": "POST",
  "post_data": "example.json",
  "ttl": 300,
  "threads": 3,
  "one_url_per_agent": true,
  "headers": "default",
  "start_time": "01:59:00",
  "use_auth": true,
  "auth_store_count": 3,
  "auth_store_name": "tokens",
  "use_with_kraken": false,
  "sns_region": "us-west-2",
  "sns_topic": "arn:aws:sns:us-west-2:230498293084:grizzly",
  "proxy": false,
  "proxy_config": "127.0.0.1:8080"
}

We can see we're conducting a test against www.netflix.com. This test will use POST, including the post data specified in the example.json file. It will run for a ttl of 300 seconds with 3 threads. It will use the authentication objects found in the tokens file and substitute them wherever the $$AUTH$$ placeholder appears. The test will start at 1:59am. We are not using Cloudy Kraken for this test and have set use_with_kraken to false. Since one_url_per_agent is true, each agent will select a single URL from the list.

Let's look at the authentication objects found in authentication/tokens:

["802057ff9b5b4eb7fbb8856b6eb2cc5b", "8343259602b5b4eb7fbb88542098cc5b", "990387430b5b4eb7fbb8856b6eb2cc5b"]

Each token will be replaced wherever the $$AUTH$$ placeholder is identified.

Let's look at the post data found in post_data/example.json:

{"foo": {"bar": [1,10000]}, "auth_token": "$$AUTH$$"}

We'll be replacing that auth placeholder with all 3 tokens.
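To make the substitution concrete, here is an added example (not code from the Repulsive Grizzly project) that loads a commands.json, the token store and a post_data template, checks that the token store really holds auth_store_count entries, and expands the $$AUTH$$ placeholder in both the URL and the body for each token. The sample inputs are constructed from the files shown above and embedded so it runs offline. The round-robin URL choice in select_urls is an assumption of this example; the page only says that one URL is selected per agent.

```python
import json

# Constructed sample inputs mirroring the page's commands.json, the
# authentication/tokens file and post_data/example.json. Embedded here so the
# example runs offline; the field names follow the page.
COMMANDS_JSON = """{
  "hostname": "www.netflix.com",
  "urls": [
    "https://www.netflix.com/?foo=$$AUTH$$",
    "https://www.netflix.com/geo?test"
  ],
  "verb": "POST",
  "post_data": "example.json",
  "ttl": 300,
  "threads": 3,
  "one_url_per_agent": true,
  "use_auth": true,
  "auth_store_count": 3,
  "auth_store_name": "tokens"
}"""

TOKENS_JSON = ('["802057ff9b5b4eb7fbb8856b6eb2cc5b", '
               '"8343259602b5b4eb7fbb88542098cc5b", '
               '"990387430b5b4eb7fbb8856b6eb2cc5b"]')

POST_DATA = '{"foo": {"bar": [1,10000]}, "auth_token": "$$AUTH$$"}'

PLACEHOLDER = "$$AUTH$$"


def load_config(text):
    """Parse commands.json and check the fields this example relies on."""
    cfg = json.loads(text)
    for key in ("urls", "verb", "one_url_per_agent", "use_auth", "auth_store_count"):
        if key not in cfg:
            raise ValueError("commands.json is missing %r" % key)
    if not cfg["urls"]:
        raise ValueError("commands.json lists no urls")
    return cfg


def load_tokens(text, expected_count):
    """Parse the token store and require exactly auth_store_count entries,
    so a truncated or stale token file fails before any traffic is sent."""
    tokens = json.loads(text)
    if not isinstance(tokens, list) or len(tokens) != expected_count:
        raise ValueError("expected %d tokens in the auth store" % expected_count)
    return tokens


def substitute_auth(template, token):
    """Replace every $$AUTH$$ occurrence in a URL or body template with one token."""
    return template.replace(PLACEHOLDER, token)


def select_urls(cfg, agent_id):
    """Return the URL(s) an agent will target.

    Assumption (not from the page): with one_url_per_agent the choice is
    round-robin by agent index so results are deterministic.
    """
    urls = cfg["urls"]
    if cfg["one_url_per_agent"]:
        return [urls[agent_id % len(urls)]]
    return list(urls)


def build_requests(cfg, tokens, post_template, agent_id):
    """Expand the templates into the concrete requests one agent would send,
    one per token (or a single request when use_auth is false)."""
    requests = []
    token_list = tokens if cfg["use_auth"] else [None]
    for url in select_urls(cfg, agent_id):
        for token in token_list:
            def fill(template):
                return template if token is None else substitute_auth(template, token)
            body = fill(post_template) if cfg["verb"] == "POST" else None
            if body is not None:
                # A token that breaks the JSON body is a config error; catch it here.
                json.loads(body)
            requests.append({"verb": cfg["verb"], "url": fill(url), "body": body})
    return requests


if __name__ == "__main__":
    cfg = load_config(COMMANDS_JSON)
    tokens = load_tokens(TOKENS_JSON, cfg["auth_store_count"])
    for agent_id in range(cfg["threads"]):
        for req in build_requests(cfg, tokens, POST_DATA, agent_id):
            print(agent_id, req["verb"], req["url"], req["body"])
```

Running it prints, for each of the 3 agents, one POST per token; agents 0 and 2 get the URL carrying the placeholder (with the token filled in), agent 1 gets the geo?test URL unchanged, and every body carries the matching token in auth_token.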

Run the Test

> source grizzly/bin/activate
> python grizzly.py

Tool output:

Test is starting
Executing Test on www.netflix.com with 3 threads via ['https://www.netflix.com/geo?test'] url(s) for 300 seconds
Attack starts at: 01:59:00 in -33089 seconds
Attack Executing!


{"url": "https://www.netflix.com/account/geo", "timestamp": "2017-07-24 11:10:29.845521", "agent": 1, "exception": "200"}
Sanity check passed: 200 OK
{"elb": ["https://www.netflix.com/geo?test"], "status_codes": {"200": 15}, "timestamp": "2017-07-24 11:10:34.152223", "agent": 1}
{"elb": ["https://www.netflix.com/geo?test"], "status_codes": {"200": 24}, "timestamp": "2017-07-24 11:10:39.156069", "agent": 1}
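The output mixes plain status lines with one JSON record per reporting interval, so a quick way to read a run is to aggregate those records. The following is an added example (not part of the tool) that skips the non-JSON lines, records the sanity-check result, totals status codes per target URL and per agent, and flags any URL whose non-2xx share exceeds a threshold. The sample is the output above plus one constructed record containing 503s so the flagging path is exercised; the threshold value is this example's choice.

```python
import json
from collections import defaultdict

# Constructed sample: the tool output shown on the page, plus one extra
# constructed record carrying a non-200 count to exercise the flagging path.
SAMPLE_OUTPUT = """Test is starting
Executing Test on www.netflix.com with 3 threads via ['https://www.netflix.com/geo?test'] url(s) for 300 seconds
Attack starts at: 01:59:00 in -33089 seconds
Attack Executing!
{"url": "https://www.netflix.com/account/geo", "timestamp": "2017-07-24 11:10:29.845521", "agent": 1, "exception": "200"}
Sanity check passed: 200 OK
{"elb": ["https://www.netflix.com/geo?test"], "status_codes": {"200": 15}, "timestamp": "2017-07-24 11:10:34.152223", "agent": 1}
{"elb": ["https://www.netflix.com/geo?test"], "status_codes": {"200": 24}, "timestamp": "2017-07-24 11:10:39.156069", "agent": 1}
{"elb": ["https://www.netflix.com/geo?test"], "status_codes": {"200": 20, "503": 4}, "timestamp": "2017-07-24 11:10:44.160000", "agent": 2}
"""


def parse_records(text):
    """Yield the JSON records in the output, skipping plain-text status lines
    and any partial line that does not parse."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            yield json.loads(line)
        except ValueError:
            continue


def summarize(text, error_threshold=0.05):
    """Aggregate status codes per URL and per agent; flag URLs whose share of
    non-2xx responses exceeds error_threshold."""
    per_url = defaultdict(lambda: defaultdict(int))
    per_agent = defaultdict(int)
    sanity = None
    for rec in parse_records(text):
        if "status_codes" in rec:
            counts = {code: int(n) for code, n in rec["status_codes"].items()}
            per_agent[rec.get("agent")] += sum(counts.values())
            for url in rec.get("elb", []):
                for code, n in counts.items():
                    per_url[url][code] += n
        elif "url" in rec and "exception" in rec:
            # The sanity-check record reports its status in the "exception" field.
            sanity = {"url": rec["url"], "status": rec["exception"]}

    flagged = []
    for url, codes in per_url.items():
        total = sum(codes.values())
        bad = sum(n for code, n in codes.items() if not code.startswith("2"))
        if total and bad / total > error_threshold:
            flagged.append(url)

    return {
        "sanity": sanity,
        "per_url": {url: dict(codes) for url, codes in per_url.items()},
        "per_agent": dict(per_agent),
        "flagged": sorted(flagged),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_OUTPUT), indent=2))
```

On the sample this reports 59 x 200 and 4 x 503 for the geo?test URL (39 requests from agent 1, 24 from agent 2), a passing sanity check, and flags the URL because roughly 6% of its responses were non-2xx; raising the threshold to 10% clears the flag.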

If you want to look a little more closely at what's going across the wire, you can enable the proxy setting and point it at a tool like Burp Suite:

  "proxy": true,
  "proxy_config": "127.0.0.1:8080"