I have to develop a security testing framework to make sure all output in our application is encoded.
I have many POST & GET HTTP requests.
Each request may have 1 or many parameters.
What I wanted to do with JMeter:
I need to test each parameter individually by changing the value to a string. So if I have 2 requests, 5 parameters each, I will have to run 5 times. In addition I will have an assertion point to validate response data.
Some ideas I had were to record all the HTTP requests. From the JMX file, create a spreadsheet with request details, parameter & value. Go through the list and modify each value to my string value CANARY123!@#$%^&(. Then verify that the response data does not contain CANARY123!@#$%^&( and that in fact it came back encoded. Run the test for each data row.
I also thought these might be useful: counters, regular expressions, user variables...
Should I use JMeter for this task? If so, how? Should I use something like Burp Suite?
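As an added illustration of the procedure the question describes (not code from the original post or from JMeter), the script below parses a constructed JMX fragment, generates one test case per parameter with that parameter swapped for the canary, and classifies a response body as reflecting the canary raw, HTML-encoded, or not at all. The JMX element names (`HTTPSamplerProxy`, `HTTPArgument`, `Argument.name`, `Argument.value`) follow JMeter's format but the fragment itself is simplified and assumed.

```python
import html
import xml.etree.ElementTree as ET

CANARY = "CANARY123!@#$%^&("
# Constructed JMX fragment; element names as in a recorded JMeter HTTP sampler (assumed).
SAMPLE_JMX = """<jmeterTestPlan>
<HTTPSamplerProxy testname="Search">
  <stringProp name="HTTPSampler.method">GET</stringProp>
  <stringProp name="HTTPSampler.path">/search</stringProp>
  <elementProp name="HTTPsampler.Arguments" elementType="Arguments">
    <collectionProp name="Arguments.arguments">
      <elementProp name="q" elementType="HTTPArgument">
        <stringProp name="Argument.name">q</stringProp>
        <stringProp name="Argument.value">shoes</stringProp>
      </elementProp>
      <elementProp name="page" elementType="HTTPArgument">
        <stringProp name="Argument.name">page</stringProp>
        <stringProp name="Argument.value">1</stringProp>
      </elementProp>
    </collectionProp>
  </elementProp>
</HTTPSamplerProxy>
</jmeterTestPlan>"""

def _props(el):
    # Map each <stringProp name="...">text</stringProp> child to name -> text
    return {p.get("name"): p.text or "" for p in el.findall("stringProp")}

def canary_cases(jmx_text, canary=CANARY):
    """One case per parameter: that parameter set to the canary, the rest as recorded."""
    cases = []
    for s in ET.fromstring(jmx_text).iter("HTTPSamplerProxy"):
        sp = _props(s)
        args = [_props(a) for a in s.iter("elementProp")
                if a.get("elementType") == "HTTPArgument"]
        recorded = {a["Argument.name"]: a["Argument.value"] for a in args}
        for target in recorded:
            cases.append({"sampler": s.get("testname"), "param": target,
                          "method": sp.get("HTTPSampler.method"),
                          "path": sp.get("HTTPSampler.path"),
                          "params": dict(recorded, **{target: canary})})
    return cases

def reflection_verdict(body, canary=CANARY):
    """'raw' = canary reflected unencoded (the failure being hunted); 'encoded' = only its
    HTML-escaped form appears; 'absent' = not reflected in this response at all."""
    if canary in body:
        return "raw"
    if html.escape(canary, quote=True) in body:
        return "encoded"
    return "absent"
```

Each case from `canary_cases` is what a JMeter data row (or any HTTP client) would send; `reflection_verdict` is the assertion to run on the body, with "raw" meaning the output-encoding check failed for that parameter.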
I'd recommend using a security tool which specialises in this sort of thing - they will check for more than just encoding. Burp is very good, but the free version doesn't include automated scanning.
I'd recommend also looking at OWASP ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
I know a lot of people/companies using ZAP as an automated part of CI; there's some more info about this here: http://code.google.com/p/zaproxy/wiki/SecRegTests
Simon (ZAP Project Lead)