How (in)secure is your proxy password in LoadRunner 9.0
January 16th, 2009
Are you using a proxy server to access your application? Do you store the proxy username/password in the VuGen Run-Time settings?
If yes, then be careful. LR stores your password as plain text on the disk!
Instead of the Run-Time settings, you can use the web_set_proxy() function from the API and encrypt your password there.

I wouldn’t worry too much that someone with access to your LoadRunner script can see a plaintext proxy password in one of the script files.
An “encrypted” password in your script very quickly becomes a plaintext password if you use lr_decrypt().
// Save my password to a parameter
lr_save_string("49a3259a32e56d82a6b296ffd37e2a7e33fb0ef21b7c", "Password");
// Set proxy credentials.
// These will be used for any subsequent requests.
web_set_user("stuart", "{Password}", "proxy.example.com:8080");
web_set_proxy("proxy.example.com:8080");
// Print password to replay log.
lr_output_message("Password: %s", lr_decrypt(lr_eval_string("{Password}")));
Cheers,
Stuart.
Hi Stuart
I think that the best (most secure) idea would be to use MD5 for example. So even if someone accesses your script, he can’t decrypt your password.
Waldemar