Guide to handle Crypto.js Encryption / Decryption in Apache JMeter

Howdy, people! Thanks for joining me again for another article on JMeter, this time about handling encryption and decryption using crypto.js.

Introduction:

crypto.js is a JavaScript library which provides cryptographic functions including encryption, decryption and hashing functions. crypto.js is licensed under the MIT license. This library’s purpose is to perform cryptographic operations in an easy-to-use syntax, providing functions for you instead of writing vanilla JavaScript code to perform the same functionality.

Modern tech stacks use this library as part of their client-side resources. This allows the browser to perform encryption and decryption on the client side without sending the data to a server for processing. This provides an efficient, secure and reliable way of exchanging tokens and other information in an encrypted form.

Crypto.js Features and Support

crypto.js provides a range of encryption and decryption mechanisms at run time. Some of the well-known encryption, decryption and hashing functions in crypto.js are:

  • aes encrypt
  • aes decrypt
  • hmac-sha256
  • sha1
  • sha3
  • sha224
  • sha256
  • sha384
  • sha512
  • ripemd160
  • md5

Problem statement

Since the crypto.js operations happen on the client side, the request body will contain dynamic value(s) that are not present in any of the server's responses, so they cannot be correlated from a previous response.

Solution

The solution is to use the same version of crypto.js in our script, write functions that perform the same encryption / decryption, and pass the generated value in the request so that the script mimics the exact browser behavior.

Downloading Crypto.js

It is recommended to identify the exact crypto.js library version that the application uses. To identify it, either check with the developer or use the browser's developer tools.

1. Get the appropriate crypto.js from the network capture.
2. If that is not possible, download it from the internet. The archive below lets you get the required crypto.js library version.

Tags · brix/crypto-js (github.com)

Best Practices in using JS in JMeter

To invoke any JS library, follow these best practices so that the script is easier to maintain.

  1. Create a directory, e.g. scripts, and save the jmx file in it
  2. Create a sub-directory, e.g. js, and save the crypto.js library in it
  3. It is always recommended to start JMeter from the directory where the jmx file is located
  4. Use crypto.js in your JMeter sampler to invoke the encryption/decryption function the same way the browser does

Importing Crypto.js inside sampler

One of the best ways to import a JS library is via a JSR223 element. We can use a JSR223 PreProcessor, a JSR223 PostProcessor or a JSR223 Sampler.
In this demo, we use a JSR223 PreProcessor to perform the operations in our scenario.

To import the library, use the load keyword in the JSR223 element and give it the full file path. See below:

To call any function, you can use the function keyword to

// Create an HMAC-SHA256 of the message and convert it to a Base64 hash
function getHashValue(message, secret) {
    var hash = CryptoJS.enc.Base64.stringify(CryptoJS.HmacSHA256(message, secret));
    // Make the Base64 output URL-safe: '/' becomes '_', '+' becomes '-', '=' padding is removed
    hash = hash.replace(/\//g, '_').replace(/\+/g, '-').replace(/\=/g, '');
    return hash;
}

To invoke the function above, call it as shown below, where message and secret are variables:
getHashValue(message, secret);

Demo Code

The demo code below implements the signature creation.
It uses the AppId, Secret and version to generate the hash value, which involves an HmacSHA256 computation, Base64 encoding and some custom implementation.

The generated signature is stored in a variable and can be used in the subsequent samplers.

vars.put() → This function stores a value in a JMeter variable

Conclusion:

As I usually say, JMeter is an exceptionally great tool. We can always customize it to meet all our testing needs.

Hope you enjoyed this article!
I will come up with another unique article.

Keep supporting: click the follow button and subscribe to get notified when a new article is published.

Stay positive, Happy engineering !
