Software QA: Stress and Penetration Testing on Django REST

Mohamad Rifqy Zulkarnaen
6 min read · May 24, 2021

Have you ever wondered whether your Django application can handle extreme usage, such as many users trying to access the site at the same time? Or whether your Django application is vulnerable to network security attacks? In software QA there are two concepts that may answer those questions, so let’s talk about them!

First of all, let’s talk about testing in software QA. Testing in software development is an activity that developers conduct to validate the output of a program so that it meets the expectations for a given condition. Testing brings many benefits, such as easier refactoring, fewer bugs in our program and easier version upgrades.

Usually, as developers, we test using automated testing, where we write a piece of code that makes sure another piece of code works correctly according to our expectations. Automated testing can be split into categories such as unit testing, system testing, integration testing, and so on. Now we are going to talk about tests that verify our application’s security and performance: stress testing and penetration testing.

Stress Testing

Stress testing is a kind of performance testing that determines our application’s stability and reliability. It tests whether our application can handle the maximum, or more than the maximum, number of requests and jobs over time. It also tells us at what point our application breaks down and up to what point it still functions normally.

Knowing those parameters, we can improve our application’s performance so that it can take on more jobs. We can also avoid undesirable situations in production, such as the application becoming inaccessible when 1000 users access it concurrently. Of course, if our app is inaccessible, our stakeholders or clients will suffer losses because their users cannot reach the app.

Next, we’ll talk about the stress testing we conducted in our PPL Fasilkom UI 2021 project, specifically stress testing a Django REST API with Locust.

Stress Testing on Django REST

Locust is a really helpful Python-based load-testing tool with a web GUI that can be used to stress test any API. Its documentation is at https://docs.locust.io/en/stable/. To run a stress test, we first need to install the tool by executing this command in our environment:

pip install locust

After that we create a new file called locustfile.py in the root directory of one of our Django apps. Here is where our locustfile.py is located:

locustfile.py on monitoring app root directory

In locustfile.py we write the code that will test the desired API endpoints. First, we import HttpUser and task from locust. Second, we create a new Python class that extends the HttpUser class we just imported. Then we create a function called on_start inside that class; its purpose is to set up the conditions before each task that we define next is executed. Next, we create a new test function decorated with @task, and inside it we write the code that calls the desired endpoints. Here is an example of our locustfile.py:

Inside of locustfile.py
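To make the structure concrete, here is a complete locustfile written as an added example; it is not the project’s own file. It follows the steps above (import HttpUser and task, subclass HttpUser, log in inside on_start, call the endpoint from a @task function) against the same flow the results below describe: each user logs in to obtain a token and then reads its data. The endpoint paths /api/token/ and /api/monitoring/, the test account, and the name of the token field in the login response are assumptions; change them to match your API.

```python
"""locustfile.py -- stress test for a Django REST login plus an authenticated read.

Added example, not the PPL project's own locustfile. Endpoint paths,
credentials and the "token" field name are assumptions.
"""
try:
    from locust import HttpUser, between, task
except ImportError:  # locust absent (e.g. a plain CI run): keep the helpers importable
    HttpUser = object

    def task(fn):
        return fn

    def between(low, high):
        return None

# Assumed test account; create it in the target database before running Locust.
USERNAME = "loadtest"
PASSWORD = "loadtest-password"


def token_from_response(body):
    """Pull the DRF token out of a /api/token/ JSON body; None when it is absent."""
    if not isinstance(body, dict):
        return None
    return body.get("token")


def auth_header(token):
    """Authorization header for DRF's TokenAuthentication ("Token <key>")."""
    return {"Authorization": "Token " + token}


class ApiUser(HttpUser):
    # Each simulated user waits 1-2 s between tasks, like a person clicking around.
    wait_time = between(1, 2)

    def on_start(self):
        # Runs once per simulated user before any task: log in and keep the token.
        # catch_response lets us decide ourselves what counts as a failure in the report.
        with self.client.post(
            "/api/token/",
            json={"username": USERNAME, "password": PASSWORD},
            name="login",
            catch_response=True,
        ) as resp:
            token = token_from_response(resp.json()) if resp.status_code == 200 else None
            if token is None:
                resp.failure("login returned no token")  # shows up as a login failure
        self.headers = auth_header(token or "")

    @task
    def read_monitoring_data(self):
        # Authenticated read; anything other than 200 is recorded as a failure.
        with self.client.get(
            "/api/monitoring/",
            headers=self.headers,
            name="monitoring",
            catch_response=True,
        ) as resp:
            if resp.status_code != 200:
                resp.failure("unexpected status %d" % resp.status_code)
```

Start it with `locust --host http://localhost:8000` from the directory holding the file and open localhost:8089, or reproduce the run described below without the GUI: `locust --headless -u 200 -r 200 -t 30s --host http://localhost:8000`. Giving each request a `name` keeps the statistics table grouped per endpoint, which is what makes a “145 logins failed” result readable.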

Now we’re done writing the automated test code. Next we’ll stress test the API. First, we run Locust by executing this command in the app directory that contains locustfile.py:

locust

After that, if we open localhost:8089 in a browser, we get this screen:

The locust GUI

Now we enter the host of the API, the total number of users, and the spawn rate we want to test with. In our Django project we swarmed it with 200 users at a spawn rate of 200 (users started per second), and stress tested it for 30 s to see how the application performs.

The statistics of stress test table.
The graph.

After 30 s we got this result from the stress test. It shows that about 145 users failed to log in at the same time, while the other 55 successfully obtained their token and accessed their data.

The error.

When we check the cause of the 145 failures, we find that the Django project itself had reached its maximum number of simultaneous connections. To fix this, we can introduce load balancing and deploy the API on different hosts so that all users can reach the endpoint without failures.

Penetration Testing

Penetration testing is a kind of security testing that checks whether an application is vulnerable to cyber attacks such as hacking. For example, data that can be changed anonymously by anyone without access to the application counts as a security flaw; an authentication system should be added to prevent unwanted data changes by anonymous persons.

Another example is an attack that makes an application look hacked: the attacker submits JavaScript code through a form, so that when the stored data is later shown to users the JavaScript runs and displays “You’re hacked”. We can guard against this by using Django’s CSRF protection in our application. Django also has a mechanism that renders the submitted JavaScript code as a plain string, which prevents the JavaScript from executing on the client side.
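The “You’re hacked” scenario above is a stored cross-site scripting (XSS) attack, and the Django mechanism the last sentence refers to is output escaping: the template engine turns characters such as < and > into HTML entities before they reach the browser, so the stored text is displayed rather than executed. The following added example (not code from the post or from Django) shows the vulnerable rendering next to the escaped one, using the standard library’s html.escape as a stand-in for Django’s template autoescaping; the comment text is a constructed sample input.

```python
import html

# Constructed sample input: a comment body an attacker could submit through a form.
HOSTILE_COMMENT = '<script>alert("You are hacked")</script>'


def render_comment_unsafe(text):
    """Vulnerable: the stored text is pasted straight into the page markup,
    so a <script> element submitted by a user becomes a live script for every viewer."""
    return "<p>" + text + "</p>"


def render_comment_safe(text):
    """Hardened: escape <, >, &, " and ' so the browser shows the text as text.
    html.escape is used here as a stand-in for Django's template autoescaping
    (assumption: both escape the same HTML-significant characters)."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def contains_script_tag(markup):
    """Crude check used by the example: is there still a live <script> element?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(HOSTILE_COMMENT))
    print("safe:  ", render_comment_safe(HOSTILE_COMMENT))
```

In a Django template the escaping happens automatically for `{{ comment.text }}`; it is switched off only where a developer explicitly marks a value as safe (the `|safe` filter or `mark_safe()`), so those are the places to review when user-supplied content is rendered.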

Penetration Testing on Django REST

Django itself provides a check command, written by the Django developers, to help developers who use Django build an app. We can execute:

py manage.py check --deploy

This command checks for every security problem it can find in our application’s configuration before deployment to production. We need to fix all these warnings before we publish our app to users. Here is an example of the penetration check on our PPL Fasilkom UI 2021 project:

5 issues identified and need to be solved.
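What the deploy check actually looks at is the project’s settings. The added example below (not Django’s own check framework and not the project’s settings) re-implements a handful of those checks in plain Python, using Django’s documented check IDs, and runs them against a constructed weak configuration of the kind a fresh project starts with and against the hardened configuration that clears them. The real `manage.py check --deploy` runs the full set of checks and is what you should rely on; this only shows which setting each warning points at.

```python
# Constructed settings: a fresh project as generated (weak) and the same
# project hardened for production. Values are examples, not the PPL project's.
WEAK_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-change-me",
    "SECURE_SSL_REDIRECT": False,
    "SECURE_HSTS_SECONDS": 0,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
}

HARDENED_SETTINGS = {
    "DEBUG": False,
    # Placeholder only: a real key must be random; in production load it from
    # the environment rather than committing it to the repository.
    "SECRET_KEY": "x1y2z3" * 10,
    "SECURE_SSL_REDIRECT": True,       # every HTTP request is redirected to HTTPS
    "SECURE_HSTS_SECONDS": 31536000,   # one year of Strict-Transport-Security
    "SESSION_COOKIE_SECURE": True,     # session cookie only travels over HTTPS
    "CSRF_COOKIE_SECURE": True,        # CSRF cookie only travels over HTTPS
}


def deploy_warnings(settings):
    """Return the IDs of the deploy checks that fail for `settings`.

    Simplified re-implementation of a few of Django's security checks; the IDs
    follow Django's documented check IDs. Assumption: the thresholds mirror
    Django's (SECRET_KEY of at least 50 characters with at least 5 distinct ones
    and not the generated "django-insecure-" prefix).
    """
    warnings = []
    if settings.get("DEBUG"):
        warnings.append("security.W018")  # DEBUG must be False in production
    key = settings.get("SECRET_KEY", "")
    if len(key) < 50 or len(set(key)) < 5 or key.startswith("django-insecure-"):
        warnings.append("security.W009")  # SECRET_KEY too short or predictable
    if not settings.get("SECURE_SSL_REDIRECT"):
        warnings.append("security.W008")  # plain HTTP is not redirected to HTTPS
    if not settings.get("SECURE_HSTS_SECONDS"):
        warnings.append("security.W004")  # no Strict-Transport-Security header
    if not settings.get("SESSION_COOKIE_SECURE"):
        warnings.append("security.W012")  # session cookie can leak over plain HTTP
    if not settings.get("CSRF_COOKIE_SECURE"):
        warnings.append("security.W016")  # CSRF cookie can leak over plain HTTP
    return warnings


if __name__ == "__main__":
    print("weak:    ", deploy_warnings(WEAK_SETTINGS))
    print("hardened:", deploy_warnings(HARDENED_SETTINGS))
```

The HTTPS-related settings only make sense once the site is actually served over TLS (or behind a proxy that terminates it), so they are usually applied per environment rather than hard-coded; a random key can be produced with Django’s `get_random_secret_key()` from `django.core.management.utils`.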

Conclusions

From the experience and the examples above, personally I think that every software developer should also do stress tests and penetration tests. In real cases, stress tests help us improve our application’s performance so that users can access it anytime, anywhere, even under extreme conditions. Meanwhile, penetration tests help us minimise the cyber attacks that could happen to our application; they keep the data stored inside the app safer and keep unauthorized users out.

Mohamad Rifqy Zulkarnaen

just your typical curious and storytelling loving software engineer.