JMeter-Driven Performance and Security Validation: A Combined Load Testing and Vulnerability Discovery Methodology for Legacy Java Services

Authors

  • Sri Gantikota, Senior Software Engineer, San Diego, California 92101, USA.

DOI: https://doi.org/10.63282/3050-922X.IJERET-V6I2P117

Keywords:

Apache JMeter, Performance Testing, Load Testing, Security Testing, Vulnerability Discovery, Legacy Java Services, Distributed Load Generation, Fuzzing, Denial of Service, Race Conditions, Continuous Integration

Abstract

Apache JMeter is widely used for performance and load testing of web applications. It is less widely recognized as a vehicle for security testing, despite its capabilities for site spidering, parameter fuzzing, and stress-driven vulnerability discovery. This paper presents a combined methodology that uses JMeter for both performance validation and security vulnerability discovery on legacy Java services. The methodology arose from production work optimizing legacy product performance, in which response times were improved by approximately twenty-five percent through a combination of targeted optimization informed by JMeter measurements and concurrent identification of resource-exhaustion and input-validation vulnerabilities that the load testing surfaced. The paper covers the test plan design that supports both concerns simultaneously, the assertion patterns that distinguish performance regressions, functional failures, and security incidents from one another, the integration with continuous integration pipelines, and the analytical patterns that extract security signal from load test telemetry. The methodology is demonstrated with reference to vulnerability classes including denial of service by resource exhaustion, race conditions exposed under concurrency, authentication and rate-limiting weaknesses, and the input-handling failures that load testing exercises incidentally. The paper closes with a discussion of the boundaries of the methodology and the role of specialized security tooling that JMeter does not replace.


Published

2025-06-08

Section

Articles

How to Cite

Gantikota S. JMeter-Driven Performance and Security Validation: A Combined Load Testing and Vulnerability Discovery Methodology for Legacy Java Services. IJERET [Internet]. 2025 Jun. 8 [cited 2026 Jun. 11];6(2):143-7. Available from: https://ijeret.org/index.php/ijeret/article/view/599