From the sources of FuzzDB, we will prepare two files cmdi.csv for the data input of profile update. In the JMeter script, CSV Data Set Config will be added with the following configuration:
- Filename: cmdi.csv
- Variable Names (comma-delimited): cmdi
This screenshot shows the JMeter script with CSV Data Set Config:
CSV Data Set Config for Command Injection in JMeter
Then, we can use the ${cmdi} variable in HTTP Request - Profile Update. For example, we replace the value of firstName and lastName with ${cmdi} to do command injection testing:
HTTP Request for Command Injection Testing in JMeter
To do the loop and read all the variables in cmdi.csv, we still need to change the Loop Count settings in Thread Group. For example, we will do the loop 10 times with each value in the cmdi.csv:
- Loop Count: 10