Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Tests] Functional tests for JS Challenge #923

Closed
17 tasks done
vankoven opened this issue Feb 22, 2018 · 3 comments · Fixed by tempesta-tech/tempesta-test#551
Closed
17 tasks done

[Tests] Functional tests for JS Challenge #923

vankoven opened this issue Feb 22, 2018 · 3 comments · Fixed by tempesta-tech/tempesta-test#551
Assignees
@RomanBelozerov @EvgeniiMekhanik
Labels
crucial test
Milestone
0.8 - Beta

Comments

@vankoven
Copy link
Contributor

vankoven commented Feb 22, 2018
edited by RomanBelozerov
Loading

Need to implement functional tests for #536 . Pay attention to #536 (comment) : not all the requests may be challenged.
See https://github.com/tempesta-tech/tempesta/blob/master/tempesta_fw/http.c#L2140-L2154 for more information how TempestaFW responds to sticky cookie and JS challenge violations.

The test must implement following cases:

Client side:

  • legitimate client: send request with cookie set just in time
  • legitimate client: send request at any time during delay_limit
  • legitimate client with pipelined requests. First request can be challenged, others - not (e.g. images). Agent send all requests pipelined (not allowed by standard but a good testcase). All requests must be responded to keep response-request pairing consistent on client side, so client must be able to get the resource in the same connection after it's authorised. After discussion we decide, that we should answer with redirect for all pipelined requests.
  • attacker: bomb requests with cookies. Client mustn't be authorized until cookie_timestamp + delay_min + cookie_timestamp % delay_range . Keep in mind Sessions rate limit #598: with that improvement client must be blocked and never be authorised. Tempesta must close connection (or respond with error) for every request from that client. After discussion we decide that we should close connection after first request. Response should be sent only for first request.
  • attacker: send requests after delay_limit elapsed. Same expectations as above. delay_limit was removed
  • JS is disabled of the client This is invalid case. JS MUST be enabled for client.
  • Legitimate client has an outdated cookie before accessing the server.

Tempesta Side:

  • All variants (3) of redirect status code: 302, 503 and any other custom code
  • User defined JS challenge template at non-default location.
  • Per-Vhost JS challenge configuration We have per-vhost tests for the Sticky directive in the sessions.test_cookies

JS Challenge code tests:

  • Client has only one cookie: sticky cookie from Tempesta
  • Client has many cookies, and sticky cookie from Tempesta can be found at any place: beginning, the middle or the end of cookies
  • Client has many cookies, some of them has parameters The Cookie header does not have parameters.
  • Client has many cookies and name of Tempesta's sticky cookies is a substring of other cookies names or parameters

Session identification:

  • Client opens a new session, which is not exist: JS challenge is performed
  • Client opens an already present session: JS challenge is skipped
  • Client opens a session which is valid but already removed from Tempesta: Full restart of JS challenge: client receives new cookie and perform a fresh JS challenge.
@vankoven vankoven added the test label Feb 22, 2018
@vankoven vankoven added this to the 0.6 KTLS milestone Feb 22, 2018
@krizhanovsky
Copy link
Contributor

#880 is duplicate for the issue, its original requirements:

Please develop a functional test for the #536 . A case for a web site with an index.html referencing non-challengable <img> resource must be checked: we must not challenge the image request, the request must be blocked by the module if it doesn't contain the cookie or contain invalid cookie and normally passed if the check was satisfied. Check the timeouts and try to wait bit less than the required delay. Please very carefully follow and test various scenarios from the algorithm described in the original issue. Think about possible protection evasion methods.

The change also affects HTTP sessions handling, so please reimplement t/unit/test_http_sticky.c as a functional test and remove the original unit test. Such kind of tests make a lot of headache in support.

@krizhanovsky krizhanovsky mentioned this issue Feb 22, 2018
Closed
@krizhanovsky krizhanovsky modified the milestones: 0.6 KTLS, 0.7 HTTP/2 Jul 15, 2018
@krizhanovsky krizhanovsky mentioned this issue Oct 6, 2018
Closed
@krizhanovsky krizhanovsky mentioned this issue Mar 21, 2020
Closed
3 tasks
@krizhanovsky
Copy link
Contributor

We have a lot of support issues for JS challenge, so the task is crucial

@krizhanovsky
Copy link
Contributor

Crucial due to #1102

@krizhanovsky krizhanovsky modified the milestones: 1.x: TBD, 1.0 - GA Jan 12, 2023
@krizhanovsky krizhanovsky modified the milestones: 1.x: TBD, 1.0 - GA Feb 6, 2023
@krizhanovsky krizhanovsky modified the milestones: 1.0 - GA, 0.8 - Beta Apr 19, 2023
@RomanBelozerov RomanBelozerov mentioned this issue Dec 7, 2023
Merged
@krizhanovsky krizhanovsky mentioned this issue Dec 18, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@RomanBelozerov RomanBelozerov

@EvgeniiMekhanik EvgeniiMekhanik

Labels
crucial test
Projects
None yet
Milestone
0.8 - Beta
Development

Successfully merging a pull request may close this issue.

Add basic tests for new JS challenge behaviour tempesta-tech/tempesta-test
6 participants
@krizhanovsky @vladtcvs @vankoven @aleksostapenko @RomanBelozerov @EvgeniiMekhanik