How to Build Your Demo Environment (App Sec)
Application Infrastructure for Acme Corp
- Main Corporate Site www.acmecorp.work
  - Use case: Demonstrate generic stuff etc.
  - Hosting: VM/Container (git cloned template from github)
- Main API swaggerapi.acmecorp.work
  - Use case: Demonstrate API Shield
  - Hosting: Swagger API hosted on VM/Container
- Payment Site pay.acmecorp.work
  - Use case: Demonstrate Page Shield
  - Hosting: Pages
- Login Interface login.acmecorp.work
  - Use case: Demonstrate Turnstile
  - Hosting: Workers
- AI Chatbot chat.acmecorp.work
  - Use case: Demonstrate Firewall for AI/AI Gateway/Workers AI
  - Hosting: Workers (example llm chat: github)
- WAF testing portal: DAMN VULNERABLE WEB APPLICATION
  - Use case: Demonstrate WAF rules:
  - Hosting: VM/Container (git cloned template from github)
Generate Traffic
loader.io [GENERAL]
Use Har-to-k6 with k6 to simulate traffic from a VM [GENERAL]
JMeter to simulate traffic from a VM [API Shield]
- Guide here
Run a Python script below from a VM [API Shield]
Run Selenium script from a VM [Page Shield]
There are many traffic generation tools available but I will be using k6 to generate traffic in this guide.
Using a HAR File
- Install the necessary tools (har-to-k6 and k6)
npm install -g har-to-k6 #I installed har-to-k6 using [npm](https://radixweb.com/blog/installing-npm-and-nodejs-on-windows-and-mac)
brew install k6 #I also installed k6 with [homebrew](https://brew.sh/)
Other ways you can install har-to-k6 and k6
- Generate the HAR file to load, e.g. I will load bot.clairelfh.site in my browser and save the contents to a HAR file

- With the HAR file saved as bot.clairelfh.site.har in my Downloads folder, I go to my Downloads folder and run har-to-k6 to convert the HAR into a JS file which can be used by k6 to run the headless browser
❯ cd downloads
❯ har-to-k6 bot.clairelfh.site.har -o bot.js
Converting 'bot.clairelfh.site.har'
Wrote k6 script to 'bot.js'
- Now with the JS script ready, you can choose how to run the headless browser using k6. See the options here
k6 run --vus 10 --duration 30s bot.js
Once you run the command above, you can see the traffic getting sent to your site.

Note that this triggers a low bot score because it is using a headless Chromium browser, so make sure you are allowing these requests if you want it to generate traffic without getting blocked, e.g. to test caching.
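A HAR file saved from a browser normally also records requests to third-party hosts and the cookies and auth headers of your own session. The added example below (not part of the original guide) keeps only the entries for the host you intend to load and strips credential headers before the file goes to har-to-k6; the function name scopeHar, the file names and the sample capture are assumptions made for illustration.

```javascript
// Added example, not from the original guide: scope and scrub a HAR capture
// before converting it with har-to-k6.
const SENSITIVE_HEADERS = new Set(['cookie', 'authorization', 'proxy-authorization']);

// Keep only entries for allowedHost (exact match) and strip credentials from them.
function scopeHar(har, allowedHost) {
  const entries = [];
  const dropped = new Set();
  let removedHeaders = 0;
  for (const entry of har.log.entries) {
    let host = '';
    try { host = new URL(entry.request.url).hostname; } catch { /* malformed URL */ }
    if (host !== allowedHost) {
      if (host) dropped.add(host);   // remember which other hosts were in the capture
      continue;
    }
    const original = entry.request.headers || [];
    const headers = original.filter((h) => !SENSITIVE_HEADERS.has(h.name.toLowerCase()));
    removedHeaders += original.length - headers.length;
    entries.push({ ...entry, request: { ...entry.request, headers, cookies: [] } });
  }
  return { har: { ...har, log: { ...har.log, entries } },
           droppedHosts: [...dropped].sort(), removedHeaders };
}

// Constructed sample capture; only the host bot.clairelfh.site comes from the guide.
const SAMPLE_HAR = { log: { version: '1.2', entries: [
  { request: { method: 'GET', url: 'https://bot.clairelfh.site/',
      headers: [{ name: 'Cookie', value: 'session=constructed' },
                { name: 'Accept', value: 'text/html' }],
      cookies: [{ name: 'session', value: 'constructed' }] } },
  { request: { method: 'GET', url: 'https://cdn.example.net/lib.js', headers: [], cookies: [] } },
  { request: { method: 'POST', url: 'https://analytics.example.com/collect', headers: [], cookies: [] } },
  { request: { method: 'GET', url: 'https://bot.clairelfh.site/style.css',
      headers: [{ name: 'authorization', value: 'Bearer constructed' }], cookies: [] } },
] } };

// CLI use (file names are placeholders): node scope-har.js in.har bot.clairelfh.site out.har
const [, , inFile, host, outFile] = process.argv;
if (inFile && host && outFile) {
  import('node:fs').then(({ readFileSync, writeFileSync }) => {
    const result = scopeHar(JSON.parse(readFileSync(inFile, 'utf8')), host);
    writeFileSync(outFile, JSON.stringify(result.har, null, 2));
    console.log(`kept ${result.har.log.entries.length} entries, removed ` +
      `${result.removedHeaders} credential headers, dropped: ${result.droppedHosts.join(', ')}`);
  });
}
```

Run har-to-k6 on the scoped output file rather than on the raw capture, so the k6 virtual users only send requests to the site you own.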
Using a Postman Script
You may not always wish to generate traffic from a HAR file and may want more flexibility in editing the HTTP Method, Headers and Payload.
In this case, you may wish to use Postman to edit your requests and then use postman-to-k6 to convert this into a JS file for k6 to consume.
- Install the necessary tools (postman-to-k6 and k6)
npm install -D @apideck/postman-to-k6 #I installed with npm
brew install k6 #I also installed k6 with homebrew
- Open Postman and import or create your collection to make edits
- Once you are happy with your collection, you can save it and export the collection as a JSON file. My Postman file is sending some traffic to waf.clairelfh.site and the sample is here

- With the Postman collection file saved as WAF_Test.postman_collection.json in my Downloads folder, I go to my Downloads folder and run postman-to-k6 to convert the collection into a JS file which can be used by k6 to run the headless browser
❯ cd downloads
❯ postman-to-k6 WAF_Test.postman_collection.json -o waf_penetration.js
Converting 'WAF_Test.postman_collection.json'
Wrote k6 script to 'waf_penetration.js'
- Now with the JS script ready, you can choose how to run the headless browser using k6. See the options here
k6 run --vus 10 --duration 30s waf_penetration.js
Once you run the command above, you can see the traffic getting sent to your site.

Note that this triggers a low bot score because it is using a headless Chromium browser, so make sure you are allowing these requests if you want it to generate traffic without getting blocked, e.g. to test caching.