I need help with the following, I am trying to get a get from a page (it brings a client information), but said page has a javascript that is executed to monitor, the idea is that when I do the get I also execute said script.
I have looked for some solutions but none is what I need. Is there a way to execute the javascript that is on the web when making the request?
thanks for te help.
Locust does not run javascript, it is not a real browser.
The best way to work around this is by reimplementing any client-side logic you need in Python (in your locust file).
If your javascript is very complex, you could try remote-controlling an actual browser using WebDriver. It is prohibitively resource-intensive on the load gen side and quite unstable (like WebDriver always is), but for low-load scenarios it can be done.
https://github.com/SvenskaSpel/locust-plugins/blob/master/examples/webdriver_ex.py
But the first option is the best in 99% of cases.
Related
There's a lot of mixed results when I search around for emulating a browser. Long story short, I need my Node server to do get & post requests. Usually I'd just do this with the http package. However, there is some anti-scripting things in place on the other side. Namely javascripts that let the server know it's a real browser. So, I need these to be executed.
I actually solved this problem like 5 years ago, but my site was only using PHP then. The solution involved using a Qt webkit widget, and a fake X-server. Not elegant, but it was pretty easy to do. The only javascript engines I found available in Perl, PHP, or Python at the time were crazy slow.
As NodeJS is built on V8, I gotta think there's an easy way to do this. For the record, I'm hoping to get something a la the following.
// Omitting some callbacks
http.get('http://remote.site', function(res) {
res.on('end', function() {
// previously accumulated data is the page returned by
// the request. Any thing found in a <script> tag would have
// been executed.
});
});
As NodeJS is built on V8, I gotta think there's an easy way to do this.
Actually, no! There's a lot more to running in the context of a browser than simply being able to execute JavaScript. All of the DOM stuff and what not is no present in Node.js. Node.js has the JavaScript engine only.
Without the browser engine, you won't know what scripts to load, in what order, or be able to provide everything that comes with the document or window, which is likely a required part of what you're trying to do.
The solution involved using a Qt webkit widget, and a fake X-server. Not elegant, but it was pretty easy to do.
This is actually the right solution... mostly. Fortunately these days there are existing tools which have optimized this reasonably well.
Take a look at PhantomJS. http://phantomjs.org/ You can write scripts for it much in the same way you do Node.js. (It supports require() and what not, and most of the NPM packages you'd want work.) PhantomJS will allow you to run the page and pull the DOM contents out easily.
In the event PhantomJS' built in JavaScript environment doesn't contain some Node.js component you need (for filesystem or network access for example), you can always control PhantomJS from your Node.js application. https://github.com/amir20/phantomjs-node
I want to write a PHP script which executes code on a foreign website just like using the JS-console on that webpage. I don't want the server to act like the client on that certain webpage.
To make it even more difficult, the JavaScript must be executed on a different frame (when executing the JavaScript manually I'd switch to the correct console by clicking on the specific Frame in the dropdown menu above the console (Chrome)).
If I try to do something nearly impossible here, please don't hesitate to tell me exactly that.
You should try to describe what your end goal is. You are probably going down the wrong path here. There is no way to add javascript to a page that you don't serve yourself.
If I understand what you mean (and more detail would really help here). You want to automate something that you can do manually on a browser yourself, by manually running javascript on a webpage (via the console). The only reason I can think you would want to do this is to trigger an Ajax request/API call or submit a form.
This is technically possible, but it would be better to look for an actual API that you can talk to directly; you could do this by inspecting the network tab of the developer tools, but if they don't have a public API you may have to do a fair amount to fake the request; and if anything changes on the server it could all stop working.
If they don't have an API that you can call, or if they have put measures in place. Then there is a good chance that you are trying to misuse a website; and they may well put further measures in place to stop you (this is why captchas exist).
If you can figure out the details of a request to send, then you could use CURL to make the request - this page may help: https://davidwalsh.name/curl-post
If you really still find that you need/want to actually run javascript on a remote page, then this is "browser automation", and while technically could be triggered from PHP - requires much more to make it possible. Selenium is primarily used to automate tests, but would allow you to do this: http://www.seleniumhq.org/ via JavascriptExecutor but I would recommend you do some futher searches for tutorials, as it's too large/broad to really cover here:
https://seleniumhq.github.io/selenium/docs/api/java/org/openqa/selenium/JavascriptExecutor.html
I wanna know, is there a way to compress javascript with a method that cannot be easily uncompressed by another?
I have used some tools like jscompress and other products. They're nice and useful, but they provide methods to uncompress/decode script too. The problem is other programmer or maybe hacker, can easily uncompress my script, the impact is my js ajax link, variable can be seen by the hacker. You know that what happen if they found our link. Maybe post direct value via ajax etc.
There is not a way to do this in client side javascript, it is inherently insecure. You should be using a call on your server to hide your API key.
FAQs from the w3:
http://www.w3.org/Security/faq/wwwsf2.html
If by your question you mean that you do not want the variables and Ajax links in your script to even be accessed by others ever, then you are talking about encryption, not just compression.
If the code was truly encrypted so that the Ajax links were not recoverable, the browser could not decrypt and therefore not even execute the script.
Obfuscators will make your code fairly illegible, but you are not going to be able to hide destination URLs in Ajax calls from hackers. All one needs to do is look at the browser's developer tools and watch the network calls.
It's important to design your application with the assumption that users and hackers are able to see all the JavaScript. If you can keep it secure under these conditions, that's ideal.
So if the question is just about making your code hard to read, obfuscate. But the kind of security you seem to be asking about needs to be done server side.
I wanted to hide some business logic and make the variables inaccessible. Maybe I am missing something but if somebody can read the javascript they can also add their own and read my variables. Is there a way to hide this stuff?
Any code which executes on a client machine is available to the client. Some forms of code are harder to access, but if someone really wants to know what's going on, there's no way you have to stop them.
If you don't want someone to find out what code is being run, do it on a server. Period.
That's one of the downsides of using a scripting language - if you don't distribute the source, nobody can run your scripts!
You can run your JS through an obfuscator first, but if anyone really wants to figure out exactly what your code is doing, it won't be that much work to reverse-engineer, especially since the effects of the code are directly observable in the first place.
Javascript cannot be compiled, that is, it is still Javascript.
But, there's this: http://dean.edwards.name/packer/
Generally, this is used to reduce the code footprint of the Javascript, if say your script is being downloaded thousands of times per minute. There are other methods to accomplish this, but as for hiding the code this sort of works.
Granted, the code can be unpacked. This will keep out a novice but anyone who is determined to read your source code will find a way.
It is even this way with compiled languages, even when they have been obfuscated. It's impossible to hide your code 100% of the time -- if it executes on your machine, it can be read by a determined hacker.
You could encrypt it so no one can read it.
For example
http://daven.se/usefulstuff/javascript-obfuscator.html
You must always validate the data you send back. I've had a rather entertaining time playing pranks on a forum I'm a mod of by manipulating the pages with the Web Developer Toolbar. Whether or not you obfuscate it, always assume that data coming to the server has been intentionally manipulated. Only after you prove it hasn't (or verify the user has permission to act) do you handle the request.
I'm currently using cURL to do HTTP requests, and it works fine. However I need to get the javascript code and execute it in the context of the HTML, making it manipulate the DOM exactly as if it were a web-browser.
The first thing that came to mind was to use firefox, there's a command-line interface so I thought it would be easy (maybe with some add-on) to programmatically do an HTTP request, let it natively run the javascript and manipulate the DOM, and get the generated HTML after the manipulation.
However this is harder than I expected, given also the fact that there's going to be problems fetching the data asynchronously.
Maybe someone has done this already and could give me some tips on what would be the best solution.
You could probably use Selenium remote control to achieve this.
I would recommend Watir
Watir, pronounced water, is an open-source (BSD) family of Ruby libraries for automating web browsers. It allows you to write tests that are easy to read and maintain. It is simple and flexible.
This is what you want to use for something like this:
http://code.google.com/p/envjs/