Knowing your Security with Stress Testing
In the past, we’ve had plenty of discussion on how performance effects user experience, and how that relates to conversions. But, can a server’s performance effect it’s security?
During a previous test, we had a customer whose site included a contact form. The user would complete the contact form in their browser, and the application server would convert this response into an e-mail and send it through a mail server. The contact form, coupled with the use of a CAPTCHA, helps to cut back on undesirable messages. During our testing, we discovered that the mail server was becoming overloaded (at only a small percentage of the expected load, due to a mis-tuned configuration), causing the mail server to refuse delivery of the message. When the error was propagated back to the user, the text fully indicated (among other things), the final destination e-mail address the contact form had attempted to hide.
Don’t get me wrong, I’m not suggesting that the server should have hidden the fact that an error occurred. Systems which attempt to hide any evidence of an error are very frustrating to test, as this may hide the error from the testing tool as well, leading to a failing system which appears to be production ready. However, this case shows an error that gives away too much information.
Every system has a breaking point, be it bandwidth, CPU cycles, or another limited resource. Once the demand exceeds the system’s limit, something has to give. While we’re proud that Load Tester is capable of simulating real world demand, it can also be used to create excessive amounts of demand in a stress test, and allow you to see ways in which your server can reach its limit. When that limit is reached, could your server compromise your security?
Happy Testing!
-Frank
Engineer at Web Performance