Encrypt Password in WebHTTP Protocol

Hi,

Please help me with this scenario.

Protocol: WebHTTP

Thousands of plain-text passwords are stored in Cyberark; we fetch them from a VuGen script with the web_reg_save_param function. When we look at the output log in VuGen, the plain-text password is visible. We want to encrypt the password fetched from Cyberark so that the actual password is not shown in the VuGen output log.

Below is the log from VuGen, where Password_Param is captured from the server response (Cyberark) and p_UserName comes from the parameter (.dat) file. How can I encrypt each password from Cyberark while it is being fetched? I can decrypt it using the lr_unmask function.

Action.c(37): web_custom_request("web_custom_request") was successful, 336257 body bytes, 4450 header bytes  	[MsgId: MMSG-26386]
Action.c(47): Notify: Transaction "AUT_Login" ended with a "Pass" status (Duration: 0.5313 Wasted Time: 0.1064).
Action.c(53): Notify: Parameter Substitution: parameter "p_UserName" =  "192.168.0.10-TestAccount10"
Action.c(53): Notify: Parameter Substitution: parameter "Password_Param" =  "BearsWillWinSuperBowl10"

  • 0  


    That will be hard to do. The only way is to disable logging. Using lr_mask() is just a way to mask. Everyone who can copy that text can revert it to the original text. You might store the passwords in a masked way (lr function) in Cyberark.

    Consider what you want to protect. Using Cyberark is a nice way to store PWs, so you do not need to store those in the script and therefore they do not end up in a repository, but anyone who can replay your script with VuGen can figure out what the passwords are.

    One way to handle it might be to give all those test users a password that expires after the test (valid for one day). You then need another authorization process that assigns all users new passwords just before the test starts.

    For API testing we use rotating keys; those are uploaded to VTS for the test as a separate step. But it is hard to protect password handling in performance testing.

    I've never found a solid solution.

    How to ask questions

    Reward contributions via likes or 'verified answers'

  • 0 in reply to

    Thank you for your response.

    So, there is no way I can mask the password and then unmask it while passing it in the request? I'm aware that any user who runs the VuGen script will be able to unmask the password to view the actual password; however, I'm trying to mask the password so it doesn't show the clear-text password in the VuGen log.

  • Suggested Answer

    0 in reply to

    When Cyberark is used as a password vault, you might store the passwords there according to LR's mask. You can then retrieve the password (including logging) as a masked password and unmask it in your code. When you do that without any help of LR parameters they are likely not logged. (You might still see the PW when you enable full logging though: see all messages sent.)

    Action()
    {
        char * pw_unmasked;
        char pw_buffer[128];
        
        . . .    
        // Get your masked PW
        . . .
        
        // lr_unmask() reverses lr_mask(); it is obfuscation, not encryption.
        pw_unmasked = lr_unmask(lr_eval_string("{Password_Param}"));
        
        // now use it in your login call. Note when you need to add the pw into a 
        // larger string, you might need to do some more string handling.
        // E.g. create a basic authentication header value. (A real HTTP Basic
        // header carries base64("user:password"), not the plain pair, so this
        // line only shows the string assembly.) Keep the format string a
        // literal; an evaluated parameter containing '%' must not become one.
        sprintf(pw_buffer, "Basic %s:%s", lr_eval_string("{p_UserName}"), pw_unmasked);
        // Add the header before the request it belongs to; do not pass
        // pw_unmasked or pw_buffer to lr_output_message().
        web_add_header("Authorization", pw_buffer);
        
        . . .
        
        // Clear the buffer once the request has been sent.
        memset(pw_buffer, 0, sizeof pw_buffer);
        return 0;
    }

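The header assembly sketched in the answer above, carried through in portable C as an added example (not code from this thread, from LoadRunner, or from CyberArk). It builds a correct RFC 7617 value, "Basic " followed by base64("user:password"), wipes the intermediate plaintext, and shows what a log-safe rendering of the header looks like. It assumes the password is already a plain C string (in a VuGen script that would be the pointer lr_unmask() returns) and uses only the C standard library, so it compiles outside VuGen. The sample credentials are the RFC 7617 example, constructed here, not values from the log in the question; the helper names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* RFC 4648 base64 alphabet. */
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encode `len` bytes of `in` as base64 into `out` (NUL-terminated).
 * Returns the number of characters written, or -1 if `out` is too small. */
static int base64_encode(const unsigned char *in, size_t len,
                         char *out, size_t outlen)
{
    size_t need = 4 * ((len + 2) / 3) + 1;
    size_t i = 0, o = 0;

    if (outlen < need)
        return -1;
    for (; i + 2 < len; i += 3) {              /* full 3-byte groups */
        unsigned v = (in[i] << 16) | (in[i + 1] << 8) | in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = B64[(v >> 6) & 63];
        out[o++] = B64[v & 63];
    }
    if (i < len) {                             /* 1 or 2 trailing bytes, padded */
        unsigned v = in[i] << 16;
        if (i + 1 < len)
            v |= in[i + 1] << 8;
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = (i + 1 < len) ? B64[(v >> 6) & 63] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';
    return (int)o;
}

/* memset through a volatile function pointer so the compiler cannot drop the
 * wipe as a dead store; used to scrub buffers that held the plaintext. */
static void *(*volatile secure_memset)(void *, int, size_t) = memset;

/* Build the RFC 7617 value "Basic base64(user:password)" into `out`.
 * Returns 0 on success, -1 on error. The intermediate "user:password" copy is
 * wiped before returning, whatever the outcome. */
static int build_basic_auth_header(const char *user, const char *password,
                                   char *out, size_t outlen)
{
    char cred[256];
    char b64[4 * ((sizeof cred + 2) / 3) + 1];
    int n, rc;

    if (strchr(user, ':') != NULL)             /* RFC 7617: user-id may not contain ':' */
        return -1;
    n = snprintf(cred, sizeof cred, "%s:%s", user, password);
    if (n < 0 || (size_t)n >= sizeof cred) {
        secure_memset(cred, 0, sizeof cred);
        return -1;
    }
    rc = base64_encode((const unsigned char *)cred, (size_t)n, b64, sizeof b64);
    secure_memset(cred, 0, sizeof cred);
    if (rc < 0)
        return -1;
    n = snprintf(out, outlen, "Basic %s", b64);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Log-safe rendering of an Authorization value: scheme kept, credential
 * replaced. Base64 is an encoding, not encryption, so the full value must
 * never reach the output log. */
static int redact_for_log(const char *header, char *out, size_t outlen)
{
    const char *sp = strchr(header, ' ');
    size_t scheme_len = sp ? (size_t)(sp - header) : strlen(header);
    int n = snprintf(out, outlen, "%.*s <redacted>", (int)scheme_len, header);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample credentials (the RFC 7617 example), not values from
     * the thread. In a VuGen script `password` would be the pointer returned
     * by lr_unmask() and `header` would be handed to web_add_header(). */
    char header[512], safe[64];

    if (build_basic_auth_header("Aladdin", "open sesame", header, sizeof header) != 0)
        return 1;
    redact_for_log(header, safe, sizeof safe);
    printf("%s\n", safe);                      /* only the redacted form is logged */
    secure_memset(header, 0, sizeof header);   /* scrub once the request is sent */
    return 0;
}
```

In a script, the value built by build_basic_auth_header() goes to web_add_header() and only the redact_for_log() form to lr_output_message(); with extended logging enabled VuGen still writes the sent headers to the log, which is the caveat the answer above raises, and neither lr_mask() nor base64 protects a value once it is in the log.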