
Handling CSRF Tokens in JMeter: A Comprehensive Guide


By Hamid Al-qiari - Performance Test Lead  





What is a CSRF Token?

A CSRF token is a secret, unique and unpredictable value that a server-side application generates in order to protect resources that would otherwise be vulnerable to cross-site request forgery (CSRF).

The server generates the token, delivers it to the client (typically in a hidden form field), and the client submits it back in a subsequent HTTP request.

When that request arrives, the server-side application compares the token stored in the user session with the token found in the request. If the token is missing or does not match the value in the user session, the request is rejected, the user session is terminated and the event is logged as a potential CSRF attack.

When do you need a CSRF token with JMeter?

We need a valid CSRF token during the load test. The CSRF token is generated at run time and can be used only once, so if you hard-code its recorded value in your script, the run will fail: that token has already been used and is no longer valid.

How to handle a CSRF token with JMeter

Logging in to a website is an important part of a JMeter load test, and it is not always easy when the website is CSRF protected.

To handle it, we first record the login activity so we know which requests are necessary to log in to the application.

I am going to show you how to simulate this on the Firehouse Front Desk web application.

1. Add the Test Script Recorder to the JMeter test plan

2. Configure the proxy in the Firefox browser

3. Log in to the app in the browser and check the recorded requests in JMeter

 

If we replay the recorded login request with the same token, the login fails, because that token was consumed during the recording and is no longer valid. We need to send a freshly issued token along with the credentials.

To retrieve the token, we request the login page twice.

First, a GET request fetches the login page, and a Regular Expression Extractor pulls the token out of the response body.

The Regular Expression Extractor takes care of the csrfToken and its value, because the value changes on every request.

In the Regular Expression Extractor we have to fill in the following fields:

Reference Name: token

Regular expression: name="_token" value="(.+?)"

Template: $1$

Match No.: 1

Second, the Login POST request submits the credentials together with the extracted token, referenced as ${token}.

 

Now, the important part: add an HTTP Cookie Manager, so that the session cookie set by the GET request is sent back with the POST and the server can match the submitted token to the session that issued it.


Run your JMeter script:

Now I am able to log in successfully with an extracted CSRF token.
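The whole exchange above, as an added example that is not part of the original post or of JMeter: a small Python model of both sides. The "server" issues a single-use token bound to a session cookie and embeds it in a hidden _token field (an assumption about the application's form layout); the "client" extracts it with the same regular expression the Regular Expression Extractor uses (Template $1$, Match No. 1) and posts it back. The scenario reproduces the three outcomes the post describes: a fresh extracted token logs in, a replayed token is rejected, and a valid token sent without the session cookie is rejected, which is why the Cookie Manager matters. Session storage is an in-memory dictionary, constructed for the example.

```python
import hmac
import re
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory "server" state: session cookie -> current CSRF token.
# Assumption: the token is single-use, as the post describes.
_sessions: Dict[str, str] = {}

# The same pattern the Regular Expression Extractor uses, with straight
# quotes. Capture group 1 is what the $1$ template returns.
TOKEN_RE = re.compile(r'name="_token" value="(.+?)"')


def get_login_page() -> Tuple[str, str]:
    """GET /login: start a session, mint a token, embed it in the form.
    Returns (session_cookie, html)."""
    sid = secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)
    _sessions[sid] = token
    html = (
        '<form method="post" action="/login">'
        f'<input type="hidden" name="_token" value="{token}">'
        '<input name="username"><input name="password">'
        '</form>'
    )
    return sid, html


def extract_token(html: str, match_no: int = 1) -> Optional[str]:
    """Client side: what the Regular Expression Extractor does with
    Reference Name=token, Template=$1$, Match No.=1 (None if no match,
    which in JMeter leaves the variable unset)."""
    matches = TOKEN_RE.findall(html)
    if len(matches) < match_no:
        return None
    return matches[match_no - 1]


def post_login(session_cookie: Optional[str], submitted_token: str) -> Tuple[int, str]:
    """POST /login: compare the submitted token with the one in the session."""
    if session_cookie is None or session_cookie not in _sessions:
        # No cookie means no session to compare against: the request is
        # rejected even though the token itself was freshly issued.
        return 403, "no session cookie"
    expected = _sessions[session_cookie]
    if not hmac.compare_digest(expected, submitted_token):
        # Mismatch: terminate the session and treat it as a potential CSRF.
        _sessions.pop(session_cookie)
        return 403, "token mismatch: session terminated, event logged"
    # Token is single-use: rotate it so a replay of the same value fails.
    _sessions[session_cookie] = secrets.token_urlsafe(32)
    return 200, "login ok"


def run_scenario() -> Dict[str, int]:
    """Replay the post's three outcomes; returns the status code per case."""
    sid, html = get_login_page()
    token = extract_token(html)
    fresh, _ = post_login(sid, token)        # extracted token: succeeds
    replay, _ = post_login(sid, token)       # same token again: rejected
    sid2, html2 = get_login_page()
    token2 = extract_token(html2)
    no_cookie, _ = post_login(None, token2)  # valid token, no Cookie Manager
    return {"fresh": fresh, "replay": replay, "no_cookie": no_cookie}


if __name__ == "__main__":
    print(run_scenario())
```

The replay case is the hard-coded-token failure from the recorded script, and the no_cookie case is what happens when the extractor works but the HTTP Cookie Manager is missing: the token is correct, but the server has no session to check it against.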

