Embedded Resource image url issue

Embedded Resource image url issue

Vincent van Middendorp
Hi,

We've enabled 'Retrieve All Embedded Resources' for our HTTPS requests
for a performance test plan. I would like to include images (and their
size). Our images are hosted by ImgIX (optimization service). This
results in secured (signed) image tags on the website with references
like this:

https://client.imgix.net/https%3A%2F%2Ftest.client.nl%3A443%2F-%2Fmedia%2Fclient%2Fafbeeldingen%2Factiepanelen%2F20180518_hl7_le_00501-webformaat_2000px.ashx?q=20&fit=crop&crop=faces&dpr=2&auto=format&w=360&h=360&s=121a1a8adef696d82f866e5609cc50

As you can see the img url points to the actual hostname (where the
image is hosted) but it also contains an original site path
(https://test.client.nl). Also it contains a "s" parameter with an ID
to secure the url (no changes allowed).

Now the embedded resource request that JMeter seems to make to request
the image is:

'https://client.imgix.net/https:/test.client.nl:443/-/media/client/afbeeldingen/'...
?s=121a1a8adef696d82f866e5609cc50 (shortened for readability)

which causes a 403 Forbidden.

This seems to make the imgix security check fail (url tampered with,
not same as signed url). If I copy/paste the original URL in browser it
works, if I copy/paste the decoded version in browser it doesn't.

I've tried the different out of the box HtmlParsers but they act the
same for this case. I just want the exact value as found in the HTML
source. Does anyone know if there is a way around this so these images
can be requested?

(this is on Apache JMeter 5.1.1r1855137, Windows 10)

Thanks in advance

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Embedded Resource image url issue

Felix Schumacher

On 06.08.19 at 16:39, Vincent van Middendorp wrote:

> Hi,
>
> We've enabled 'Retrieve All Embedded Resources' for our HTTPS requests
> for a performance test plan. I would like to include images (and their
> size). Our images are hosted by ImgIX (optimization service). This
> results in secured (signed) image tags on the website with references
> like this:
>
> https://client.imgix.net/https%3A%2F%2Ftest.client.nl%3A443%2F-%2Fmedia%2Fclient%2Fafbeeldingen%2Factiepanelen%2F20180518_hl7_le_00501-webformaat_2000px.ashx?q=20&fit=crop&crop=faces&dpr=2&auto=format&w=360&h=360&s=121a1a8adef696d82f866e5609cc50
>
> As you can see the img url points to the actual hostname (where the
> image is hosted) but it also contains an original site path
> (https://test.client.nl). Also it contains a "s" parameter with an ID
> to secure the url (no changes allowed).
>
> Now the embedded resource request that JMeter seems to make to request
> the image is:
>
> 'https://client.imgix.net/https:/test.client.nl:443/-/media/client/afbeeldingen/'...
> ?s=121a1a8adef696d82f866e5609cc50 (shortened for readability)
>
> which causes a 403 Forbidden.
>
> This seems to make the imgix security check fail (url tampered with,
> not same as signed url). If I copy/paste the original URL in browser it
> works, if I copy/paste the decoded version in browser it doesn't.
>
> I've tried the different out of the box HtmlParsers but they act the
> same for this case. I just want the exact value as found in the HTML
> source. Does anyone know if there is a way around this so these images
> can be requested?
>
> (this is on Apache JMeter 5.1.1r1855137, Windows 10)

I tried to simulate your test by accessing
https://www.internetallee.de/~felix/test.html

In the access log I can see

ssl_access.log:88.130.179.201 - - [06/Aug/2019:19:22:13 +0200] "GET
/~felix/https%3A%2F%2Ftest.client.nl%3A443%2F-%2Fmedia%2Fclient%2Fafbeeldingen%2Factiepanelen%2F20180518_hl7_le_00501-webformaat_2000px.ashx?q=20&fit=crop&crop=faces&dpr=2&auto=format&w=360&h=360&s=121a1a8adef696d82f866e5609cc50
HTTP/1.1" 404 649 "https://www.internetallee.de/~felix/test.html"
"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0" "TLSv1.2"

ssl_access.log:88.130.179.201 - - [06/Aug/2019:19:23:19 +0200] "GET
/~felix/https:%2F%2Ftest.client.nl:443%2F-%2Fmedia%2Fclient%2Fafbeeldingen%2Factiepanelen%2F20180518_hl7_le_00501-webformaat_2000px.ashx?q=20&fit=crop&crop=faces&dpr=2&auto=format&w=360&h=360&s=121a1a8adef696d82f866e5609cc50
HTTP/1.1" 404 649 "-" "Apache-HttpClient/4.5.8 (Java/1.8.0_201)" "TLSv1.2"

The first one is Firefox, the second one JMeter. It looks different to
your findings, but the ':' is decoded or not re-encoded.

Haven't looked any further into it, but I will leave the page up for tests
for a bit.

Felix

>
> Thanks in advance
>

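The comparison made by eye on the two access-log lines above can be automated. This is an added example, not part of either post and not JMeter or imgix code: it lists which percent-escapes the client rewrote and shows why a signature bound to the exact path bytes then fails. The HMAC signer and the secret are hypothetical stand-ins, not imgix's actual scheme.

```python
import hashlib
import hmac
import re
from urllib.parse import unquote

# Raw request paths copied from the two access-log lines (query string omitted).
FIREFOX_PATH = "/~felix/https%3A%2F%2Ftest.client.nl%3A443%2F-%2Fmedia%2Fclient%2Fafbeeldingen%2Factiepanelen%2F20180518_hl7_le_00501-webformaat_2000px.ashx"
JMETER_PATH = "/~felix/https:%2F%2Ftest.client.nl:443%2F-%2Fmedia%2Fclient%2Fafbeeldingen%2Factiepanelen%2F20180518_hl7_le_00501-webformaat_2000px.ashx"
SECRET = b"constructed-demo-secret"  # constructed value, for illustration only

# A token is either one percent-escape (%XX) or one literal character.
TOKEN = re.compile(r"%[0-9A-Fa-f]{2}|.", re.S)


def tokens(raw_path):
    """Split a raw path into percent-escapes and single literal characters."""
    return TOKEN.findall(raw_path)


def escape_changes(as_published, as_received):
    """Return (index, published, received) for each token the client rewrote.

    Both paths must decode to the same string, i.e. differ only in which
    characters are percent-encoded; anything else raises ValueError.
    """
    a, b = tokens(as_published), tokens(as_received)
    if len(a) != len(b) or unquote(as_published) != unquote(as_received):
        raise ValueError("paths differ by more than escaping")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def sign(secret, raw_path):
    """Hypothetical signer: HMAC-SHA256 over the path bytes exactly as issued."""
    return hmac.new(secret, raw_path.encode("ascii"), hashlib.sha256).hexdigest()


def verify(secret, raw_path, signature):
    """Constant-time check of a signature against the path as received."""
    return hmac.compare_digest(sign(secret, raw_path), signature)


if __name__ == "__main__":
    for index, published, received in escape_changes(FIREFOX_PATH, JMETER_PATH):
        print(f"token {index}: {published!r} sent as {received!r}")
    issued = sign(SECRET, FIREFOX_PATH)
    print("browser path verifies:", verify(SECRET, FIREFOX_PATH, issued))
    print("rewritten path verifies:", verify(SECRET, JMETER_PATH, issued))
```
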