Handling CSRF Tokens in JMeter: A Comprehensive Guide


By Hamid Al-qiari - Performance Test Lead  




What is a CSRF Token

A CSRF token is a secret, unique and unpredictable value that a server-side application generates to protect resources that would otherwise be vulnerable to Cross-Site Request Forgery (CSRF).

The server generates the token, stores it in the user's session and embeds it in the page it sends to the client (typically as a hidden form field, sometimes as a response header). The client then submits that token back with the subsequent state-changing request, for example the login POST.

When that request arrives, the application compares the token in the request with the one stored in the user session. If the token is missing or does not match the value in the session, the request is rejected, the session is usually terminated and the event is logged as a potential CSRF attack.

When do you need a CSRF token with JMeter

You need a valid CSRF token for every protected request during the load test. The token is generated at run time and is bound to the session that received it (many frameworks also rotate it per request), so a value hard-coded from the recording will be rejected: it belongs to an old session and is no longer valid, and the run fails at the login step.

How to handle a CSRF token with JMeter

Logging in to a website is a central part of most JMeter load tests, and it is not always straightforward when the site is CSRF protected.

 

To do this, first record the login activity to find out which requests are needed to log in to the application.

I am going to show you how to simulate this on the Firehouse Front Desk web application.

1-Add the HTTP(S) Test Script Recorder to the JMeter test plan

2-Configure Firefox to use the recorder as its proxy (for an HTTPS site the browser must also trust the CA certificate that the recorder generates, otherwise the recorded requests fail on the TLS handshake)

3-Log in to the app in the browser and check the recorded requests in JMeter

 

If we replay the recorded login request as it is, the login fails, because the request still carries the token that was captured during recording and that token is no longer valid. We need to send a currently valid token together with the credentials.

 

To retrieve the token we call the login page twice.

First, a GET request to the login page. A Regular Expression Extractor post-processor attached to this sampler pulls the token out of the response body.

The extractor is needed because the token value changes on every run, so it can never be typed into the script as a constant. Configure these fields:

Reference Name: token

Regular expression: name="_token" value="(.+?)"

Template: $1$

Match No.: 1

Use straight double quotes in the regular expression (the curly quotes a word processor produces will never match). Check the recorded response too: some pages put the value attribute before the name attribute or use single quotes, and then the expression has to be adjusted. It is also worth filling in the Default Value field (for example NOT_FOUND), so a failed extraction shows up clearly in the results instead of silently sending an empty token. The extracted value is available to later samplers as ${token}.

 

Second, the login POST request sends the credentials together with the extracted token, passed as the _token parameter with the value ${token}.

 

Now, the important part: add an HTTP Cookie Manager to the test plan. The server binds the token to the session cookie it issued along with the login page. Without the cookie manager the POST arrives without that cookie, the server cannot find the session the token belongs to, and the login fails even though the token itself is fresh. The cookie manager also keeps a separate cookie jar per thread, so every virtual user gets its own session and token.


Run your JMeter script:

Now I am able to log in successfully with an extracted CSRF token. To confirm it, check in a View Results Tree listener that the GET sampler produced a non-empty token variable and that the POST returns the post-login page (or redirect) rather than a token-mismatch error.
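As an added example (not code from the original post or from the Firehouse application), the following Python model reproduces the three-step flow above end to end: a GET that issues a session cookie and a per-session token, the Regular Expression Extractor logic with the exact expression from the article, and the POST that sends ${token} with the credentials. The server side (CsrfProtectedApp), the session cookie name, the credentials and the status codes are assumptions made up for the example; the point is to show why a stale recorded token and a missing cookie manager both fail while a fresh token sent with its own session cookie succeeds.

```python
import re
import secrets
from http.cookies import SimpleCookie

# The Regular Expression Extractor settings from the article, mirrored here:
# Regular expression: name="_token" value="(.+?)"   Template: $1$   Match No.: 1
TOKEN_RE = re.compile(r'name="_token" value="(.+?)"')


def extract_token(html, match_no=1):
    """Return capture group 1 of the match_no-th match, or None (the extractor's
    'Default Value' case) when the page contains no such field."""
    matches = TOKEN_RE.findall(html)
    if match_no < 1 or len(matches) < match_no:
        return None
    return matches[match_no - 1]


def _session_id(cookie_header):
    """Parse a Cookie: header and return the 'session' value, if any (assumed cookie name)."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return jar["session"].value if "session" in jar else None


class CsrfProtectedApp:
    """Hypothetical server model: one CSRF token per session, stored server-side and
    echoed into the login form as a hidden '_token' field."""

    def __init__(self):
        self.sessions = {}                 # session id -> csrf token
        self.users = {"admin": "secret"}   # constructed test credentials

    def get_login(self, cookie_header=""):
        """GET /login: issue a session cookie (if none yet) and render the form."""
        sid = _session_id(cookie_header)
        if sid not in self.sessions:
            sid = secrets.token_hex(16)
            self.sessions[sid] = secrets.token_urlsafe(32)
        headers = {"Set-Cookie": f"session={sid}; HttpOnly; Path=/"}
        body = ('<form method="POST" action="/login">'
                f'<input type="hidden" name="_token" value="{self.sessions[sid]}">'
                '<input name="username"><input name="password" type="password">'
                '</form>')
        return 200, headers, body

    def post_login(self, cookie_header, form):
        """POST /login: the token must match the one bound to the session cookie."""
        sid = _session_id(cookie_header)
        expected = self.sessions.get(sid)
        sent = form.get("_token", "")
        if expected is None or not secrets.compare_digest(expected.encode(), sent.encode()):
            self.sessions.pop(sid, None)   # reject and drop the session, as the article describes
            return 403, "CSRF token missing or invalid"
        if self.users.get(form.get("username")) != form.get("password"):
            return 401, "bad credentials"
        return 302, "logged in, redirect to dashboard"


class CookieManager:
    """What JMeter's HTTP Cookie Manager does: keep Set-Cookie values and replay them."""

    def __init__(self):
        self.jar = {}

    def store(self, headers):
        if "Set-Cookie" in headers:
            parsed = SimpleCookie()
            parsed.load(headers["Set-Cookie"])
            for name, morsel in parsed.items():
                self.jar[name] = morsel.value

    def cookie_header(self):
        return "; ".join(f"{k}={v}" for k, v in self.jar.items())


def login_flow(app, use_cookie_manager=True, hard_coded_token=None):
    """Sampler 1 (GET + extractor), then sampler 2 (POST with ${token}); returns the POST status."""
    cookies = CookieManager()
    _, headers, body = app.get_login()
    if use_cookie_manager:
        cookies.store(headers)
    token = hard_coded_token if hard_coded_token is not None else extract_token(body)
    if token is None:
        raise ValueError("extractor matched nothing: check the regex against the real login page")
    form = {"_token": token, "username": "admin", "password": "secret"}
    status, _ = app.post_login(cookies.cookie_header(), form)
    return status


if __name__ == "__main__":
    app = CsrfProtectedApp()
    print("fresh token + cookie manager:", login_flow(app))                                        # 302
    print("recorded (stale) token:      ", login_flow(app, hard_coded_token="tok_from_recording"))  # 403
    print("no cookie manager:           ", login_flow(app, use_cookie_manager=False))              # 403
```

The three calls at the bottom correspond to the three situations in the article: the working script, the replayed recording with its hard-coded token, and a script that extracts a fresh token but has no HTTP Cookie Manager. In JMeter the same three outcomes are visible in View Results Tree as the status of the POST sampler.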

