Online Session 7_Interface Testing_20181215

Introduction to interface testing

Protocols involved in interface testing

  • ip
  • tcp
  • udp
  • http

Interface analysis

Hand-write an HTTP request into a file and send it to the server with nc, saving whatever comes back. nc is a raw TCP client and does no HTTP of its own, so /tmp/1.req must already contain the request line, the Host header, CRLF line endings and the empty line that terminates the headers:

nc www.baidu.com 80 < /tmp/1.req > /tmp/1.html

Capture everything on port 80 into a pcap file (despite the .log name, -w writes binary pcap; read it back with tcpdump -r or Wireshark). The same capture on port 443 only shows TLS ciphertext, which is why HTTPS analysis needs the proxy and certificate setup described further down:

sudo tcpdump port 80 -w /tmp/tcpdump.log -vvv

A login POST to the lab Jenkins instance as copied from the browser ("Copy as cURL"). Such a copy carries the form credentials (j_username / j_password) and the session cookie (JSESSIONID); over plain HTTP they are equally visible in the tcpdump capture above, and they should be redacted before the command is shared anywhere:

curl 'http://jenkins.testing-studio.com:8081/j_acegi_security_check' -H 'Connection: keep-alive' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' -H 'Origin: http://jenkins.testing-studio.com:8081' -H 'Upgrade-Insecure-Requests: 1' -H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'Referer: http://jenkins.testing-studio.com:8081/login?from=%2F' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7' -H 'Cookie: jenkins-timestamper-offset=-28800000; _ga=GA1.2.2053923289.1527161186; JSESSIONID=8DD1E8F44A52C7F8BE55BB131DBB83FC' --data 'j_username=hogwarts&j_password=123&from=%2F&Submit=%E7%99%BB%E5%BD%95'   2>&1  -vvv

The same kind of browser copy for a Baidu search. The Chinese term appears percent-encoded as UTF-8 in wd= (%E9%9C%8D... for 霍格沃兹测试学院) and double-encoded in oq= (the % itself becomes %25); --compressed makes curl decode the gzip/deflate/br body it requested in Accept-Encoding. The Cookie header again carries the browser's own identifiers (BAIDUID and friends) and is one single command line:

curl 'https://www.baidu.com/s?ie=utf-8&mod=1&isbd=1&isid=d022cf0c0004d538&ie=utf-8&f=8&rsv_bp=1&rsv_idx=1&tn=baidu&wd=%E9%9C%8D%E6%A0%BC%E6%B2%83%E5%85%B9%E6%B5%8B%E8%AF%95%E5%AD%A6%E9%99%A2&oq=%25E9%259C%258D%25E6%25A0%25BC%25E6%25B2%2583%25E5%2585%25B9%25E6%25B5%258B%25E8%25AF%2595%25E5%25AD%25A6%25E9%2599%25A2&rsv_pq=d022cf0c0004d538&rsv_t=173aiXL58DFv3fLj2hpRWvueJyDgwfCEHtKaSxyV40Ybi4cRBCg%2Bjc0zli4&rqlang=cn&rsv_enter=0&rsv_sug=1&bs=%E9%9C%8D%E6%A0%BC%E6%B2%83%E5%85%B9%E6%B5%8B%E8%AF%95%E5%AD%A6%E9%99%A2&rsv_sid=1444_21105_28131_27750_27244_27508&_ss=1&clist=aac14bb5c61a9694%09aac14bb5c61a9694%09eb978cf5bea5d6b7&hsug=%E9%9C%8D%E6%A0%BC%E6%B2%83%E5%85%B9%E6%B5%8B%E8%AF%95%E5%AD%A6%E9%99%A2&f4s=1&csor=8&_cr1=45693' -H 'Pragma: no-cache' -H 'is_xhr: 1' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36' -H 'is_pbs: %E9%9C%8D%E6%A0%BC%E6%B2%83%E5%85%B9%E6%B5%8B%E8%AF%95%E5%AD%A6%E9%99%A2' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'X-Requested-With: XMLHttpRequest' -H 'Cookie: PSTM=1510600412; BIDUPSID=85614512151C6A21725938906A7419A2; MCITY=-131%3A; BD_UPN=123253; BAIDUID=FB108BEDEF2809244BDCF4D3E2DAFBCE:FG=1; BDORZ=B490B5EBF6F3CD402E515D22BCDA1598; H_PS_PSSID=1444_21105_28131_27750_27244_27508; delPer=0; BD_CK_SAM=1; PSINO=2; H_PS_645EC=173aiXL58DFv3fLj2hpRWvueJyDgwfCEHtKaSxyV40Ybi4cRBCg%2Bjc0zli4; BDSVRTM=137; WWW_ST=1544854591461' -H 'Connection: keep-alive' -H 'Referer: https://www.baidu.com/s?ie=utf-8&f=8&rsv_bp=1&rsv_idx=1&tn=baidu&wd=%E9%9C%8D%E6%A0%BC%E6%B2%83%E5%85%B9%E6%B5%8B%E8%AF%95%E5%AD%A6%E9%99%A2&oq=%25E9%259C%258D%25E6%25A0%25BC%25E6%25B2%2583%25E5%2585%25B9%25E6%25B5%258B%25E8%25AF%2595%25E5%25AD%25A6%25E9%2599%25A2&rsv_pq=d022cf0c0004d538&rsv_t=173aiXL58DFv3fLj2hpRWvueJyDgwfCEHtKaSxyV40Ybi4cRBCg%2Bjc0zli4&rqlang=cn&rsv_enter=0&rsv_sug=1' -H 'is_referer: https://www.baidu.com/s?ie=utf-8&f=8&rsv_bp=1&rsv_idx=1&tn=baidu&wd=%E9%9C%8D%E6%A0%BC%E6%B2%83%E5%85%B9%E6%B5%8B%E8%AF%95%E5%AD%A6%E9%99%A2&oq=%25E9%259C%258D%25E6%25A0%25BC%25E6%25B2%2583%25E5%2585%25B9%25E6%25B5%258B%25E8%25AF%2595%25E5%25AD%25A6%25E9%2599%25A2&rsv_pq=cf01942c00061154&rsv_t=a882pspOgByIXAFuXsxcxohbXNK7dBMojQXKp3rWT%2BO%2Fmwo2hB8psfpo%2FfU&rqlang=cn&rsv_enter=0&rsv_sug=1&bs=%E9%9C%8D%E6%A0%BC%E6%B2%83%E5%85%B9%E6%B5%8B%E8%AF%95%E5%AD%A6%E9%99%A2' --compressed
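Added example, not part of the course notes: the request that nc sends from /tmp/1.req, assembled and parsed in Python so that every part of it is explicit. The search term is percent-encoded from its UTF-8 bytes (giving the same wd=%E9%9C%8D... seen in the browser-copied command above), line endings are CRLF, Host is set because HTTP/1.1 requires it, and Connection: close lets the client read until EOF exactly as nc does. The server is a constructed local stand-in for www.baidu.com/s that echoes the decoded term and the User-Agent, so the block runs offline; the function names (build_request, send_raw, parse_response, demo) are this example's own. To use it against the real host, write build_request("www.baidu.com", "/s", {...}) to a file and feed that file to nc www.baidu.com 80.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote, urlsplit, parse_qs

SEARCH_TERM = "霍格沃兹测试学院"   # the search term used in the course exercise


def build_request(host, path, query=None, user_agent="hogwarts-nc/1.0"):
    """Assemble raw HTTP/1.1 request bytes: what you would otherwise type into
    /tmp/1.req by hand before running `nc host 80 < /tmp/1.req`."""
    target = path
    if query:
        # Each key/value is percent-encoded from its UTF-8 bytes. safe='' also
        # encodes '/', '&' and '=' so a term cannot smuggle in extra parameters.
        target += "?" + "&".join(
            f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in query.items())
    lines = [
        f"GET {target} HTTP/1.1",
        f"Host: {host}",               # mandatory in HTTP/1.1
        f"User-Agent: {user_agent}",   # the exercise asks you to set this to your own name
        "Accept: text/html,*/*;q=0.8",
        "Connection: close",           # server closes after the response: read until EOF
    ]
    # CRLF after every line, empty line ends the header block. Header values must be
    # ASCII, so a non-ASCII User-Agent fails here instead of producing a broken request.
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def send_raw(host, port, request, timeout=5):
    """What nc does: open TCP, write the bytes, read until the peer closes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def charset_of(headers, default="utf-8"):
    """Pull the charset parameter out of Content-Type ('text/html; charset=gbk' -> 'gbk')."""
    for param in headers.get("content-type", "").split(";")[1:]:
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "charset":
            return value.strip().strip('"').lower()
    return default


def parse_response(raw):
    """Split status line / headers / body; decode the body with the declared charset."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers,
            "body": body.decode(charset_of(headers), errors="replace")}


class _SearchStandIn(BaseHTTPRequestHandler):
    """Constructed stand-in for www.baidu.com/s: echoes the decoded `wd` term and the UA."""

    def do_GET(self):
        term = parse_qs(urlsplit(self.path).query).get("wd", [""])[0]
        body = (f"<html><head><title>{term}</title></head>"
                f"<body><p>ua={self.headers['User-Agent']}</p></body></html>").encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def demo(term=SEARCH_TERM, user_agent="hogwarts-nc/1.0"):
    """Start the stand-in on a free port, send the hand-built request, return (request, parsed response)."""
    server = HTTPServer(("127.0.0.1", 0), _SearchStandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        request = build_request("127.0.0.1", "/s", {"ie": "utf-8", "wd": term}, user_agent)
        response = parse_response(send_raw("127.0.0.1", server.server_address[1], request))
    finally:
        server.shutdown()
        server.server_close()
    return request, response


if __name__ == "__main__":
    req, resp = demo()
    print(req.decode("ascii"))
    print(resp["status"], resp["headers"]["content-type"])
    print(resp["body"])
```

The stand-in decodes wd= back to the original Chinese and puts it in the title, which is the check the exercise wants: if the term was not UTF-8 percent-encoded, or the request lacked the terminating empty line, the echo comes back wrong or not at all.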

http://shell.testing-studio.com:8000/

Certificates

A proxy can only read HTTPS traffic if the client trusts the proxy's own CA certificate: the proxy terminates TLS with a certificate it issues for the requested host and opens a second TLS connection to the real server. So the Charles root certificate has to be installed on the device or browser you are testing from.

Installing the certificate: https://www.charlesproxy.com/documentation/using-charles/ssl-certificates/

Analysis with proxy tools

  • burp
  • charles

Packet capture on Android

  • Use a device or emulator running Android 6.0 or lower. From Android 7.0 on, apps targeting API level 24 or higher no longer trust user-installed CA certificates unless the app opts in through its network security configuration, so on newer systems the Charles certificate is rejected and HTTPS interception fails with certificate errors.
  • Set the Wi-Fi proxy on the Android device to the Charles host and port.
  • Open chls.pro/ssl in the device browser to install the certificate (Charles itself answers that address, so the proxy must already be configured for this step to work).
  • Capture setup is complete.

Intercepting and tampering with interface data

Intercept requests

Intercept responses and inject code into, or otherwise modify, the returned content, for example by injecting JavaScript:

<script>alert(7777)</script>

If the alert fires in the browser or in the app's WebView, the client executes whatever the network hands it; an app that pinned its certificate would have refused the proxy's TLS connection before any response could be altered.

Modifying Chinese content

Change Content-Type to declare the UTF-8 charset. If the edited body is sent as UTF-8 while the header still says GBK (or names no charset at all), the browser decodes it wrongly and shows mojibake: the charset must describe the bytes that are actually sent. For the same reason make sure Content-Length matches the new body and that a gzip Content-Encoding is dropped once the body has been edited in clear text.

Intercepting and modifying data of a native Android app

A quote row (symbol, name and two numeric fields) as returned to the app; the third field is rewritten in the intercepted response and the app renders the tampered value:

["SZ300152","科融环境",3.16,10.1]
#after modification
["SZ300152","科融环境",333.16,10.1]

Homework 1

  • Hand-assemble an HTTP request to Baidu for the Chinese search term "霍格沃兹测试学院"
  • Send an HTTP request to Baidu News asking the server for one of the images on its front page
  • Send a request to Baidu with the User-Agent changed to your own name

Paste the commands for the above requests in your reply.

Homework 2

  • Open the Baidu home page and replace the Baidu logo image with the testerhome logo
  • Search for "霍格沃兹测试学院", intercept the request and change the term to "格沃兹测试学院第七期", then change the title in the response to "霍格沃兹测试学院第七期"

Once the modification works, post a screenshot of the result in your reply.

Homework 3

On the Xueqiu (雪球) quotes page, change "银行" (Bank) in the sector panel to your own name and the numbers to test data, then post a screenshot in your reply.

Preview of the next class

  • Java RestAssured
  • Python Requests
  • Advanced assertions
  • Interface decryption (handling encrypted request and response payloads)
  • Allure