  1. #1

    JMeter Login Authentication Issue with getting XSRF tokens


    How to get token for this,

    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"/>

    <meta content="" name="description"/>

    <meta content="" name="author"/>

    <meta name="csrf-token" content="hYxN3vmhgYvpOE0OkP1fPaMGvyBb8hcWJnzkEdT3"/>

    In Response header it is showing as,
    Response headers:
    HTTP/1.1 200 OK
    Date: Tue, 28 Jul 2015 10:05:46 GMT
    Server: Apache/2.2.29 (Amazon)
    X-Powered-By: PHP/5.4.43
    Cache-Control: no-cache
    Set-Cookie: XSRF-TOKEN=eyJpdiI6IkRTa21kTGh1OVV1cE5aQWoyV2FaeHc9PSIs InZhbHVlIjoiV2tYaWpTR2tCNHlISGNpV21qSlNUK0dEKzZBK2 FPeXA0TE16YjZ5amE2NU80a1g5SzloQk5hOHd3TlptUXJvSzJU amNQaVFSaTV0S2JHdEhsNGZQT0E9PSIsIm1hYyI6IjQxNzgzN2 FhZjI4OGQ4NjQ0ZWI2NGY1MDQ2YTE4Y2Q1OWQxNGFlZjE0NDZk YjIzMjQwMTE1OTAwNzNiYjU1MmMifQ%3D%3D; expires=Tue, 28-Jul-2015 12:05:46 GMT; path=/
    Set-Cookie: laravel_session=eyJpdiI6IkY4SnlLNTMwMTlEWHI0SDJzeX o1bHc9PSIsInZhbHVlIjoiN21nXC9LQ2U5QzllSUo3YWluQUZ6 VURFblFnN3hlZ3U1WkRJSVFaZGR6QU5XcitIb1cyeXZKWmliSD R4ck91VURjSTRVRTVEM1REZmZXY3Z3dklSbmNRPT0iLCJtYWMi OiJjZWEzOGY3MDA5YTNkYWVmZTMyNDk5MWRmODUxNWUyYmM3Zj VhZTdjYTFmNmNhZmNmOGRiNzMxNzgzOTEyNTIyIn0%3D; expires=Tue, 28-Jul-2015 12:05:46 GMT; path=/; httponly
    Content-Length: 6129
    Connection: close
    Content-Type: text/html; charset=UTF-8

    I am trying to pass values in Regular Expression Extractor as,

    Reference Name : token
    Regular Expression : name="XSRF-TOKEN" content=(.+?)
    Template :$1$

    But it is not working.

    Please help.


  2. #2
    try tweaking your regex, maybe...




  3. #3
    I think you want to check the submission and see where the tokens are being used.

    I suspect seeing that a "token" occurs in the meta tag and the cookie headers. I think they might be using a simple stateless CSRF protection scheme where they write one token into the cookie, and the same token into the form (or in a way it's fetchable by the form submission). That way it'll submit 2 matching tokens, one in the header, and one in the form body when you submit.

    The <meta> tag containing the token threw me off; normally I see it implemented as a server-side cookie to prevent tampering. But in this case, I think they might be using the token in multiple places as a checksum to prevent tampering.
    David Lai
    SDET / Consultant
    LinkedIn profile

  4. #4
    Your regular expression extractor configuration is flaky. See JMeter's documentation on Regular Expressions.

    1. For extracting from the response body it should be:

       <meta name="csrf-token" content="(.+?)"/>

    2. For extracting from the response header:

       Make sure that "Field to check" is "Response Headers"
       Use the following regex:

    In both cases use $1$ as Template

    For more information on bypassing CSRF protection in your JMeter tests, see the How to Load Test CSRF-Protected Web Sites guide.
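
The extraction discussed in this thread, checked outside JMeter as an added example (not code from any poster): it runs the pattern from post #1 and the body pattern from post #4 against a constructed response, and shows why a lazy `(.+?)` with no right-hand boundary captures a single character. Assumptions: Python's `re` behaves like JMeter's regex engine for these patterns, the token values are constructed placeholders, and `HEADER_RE` is a hypothetical header pattern, since the thread does not show one.

```python
import re
from urllib.parse import unquote

# Constructed sample response; token values are placeholders, not the thread's.
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: XSRF-TOKEN=Q09OU1RSVUNURUQtWFNSRg%3D%3D; path=/\r\n"
    "Set-Cookie: laravel_session=Q09OU1RSVUNURUQtU0VTUw%3D%3D; path=/; httponly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
)
SAMPLE_BODY = (
    '<meta content="" name="author"/>\n'
    '<meta name="csrf-token" content="CONSTRUCTEDcsrfTOKEN0123456789"/>\n'
)

ORIGINAL = r'name="XSRF-TOKEN" content=(.+?)'            # pattern from post #1
BODY_FIX = r'<meta name="csrf-token" content="(.+?)"/>'  # pattern from post #4
UNBOUNDED = r'name="csrf-token" content=(.+?)'           # right name, no right boundary
HEADER_RE = r'Set-Cookie: XSRF-TOKEN=([^;]+)'            # assumed; not from the thread


def extract(pattern, text):
    """Return group 1 of the first match (JMeter template $1$), or None."""
    m = re.search(pattern, text)
    return m.group(1) if m else None


def extract_tokens(headers, body):
    """Pull the meta-tag token from the body and the cookie token from the headers."""
    cookie = extract(HEADER_RE, headers)
    return {
        "meta": extract(BODY_FIX, body),
        # The cookie value is URL-encoded on the wire (%3D is '=').
        "cookie": unquote(cookie) if cookie else None,
    }


if __name__ == "__main__":
    # The original pattern names an attribute that exists in neither place.
    print("original on body:   ", extract(ORIGINAL, SAMPLE_BODY))
    print("original on headers:", extract(ORIGINAL, SAMPLE_HEADERS))
    # A trailing lazy group with nothing after it stops after one character.
    print("unbounded lazy:     ", repr(extract(UNBOUNDED, SAMPLE_BODY)))
    print("fixed extraction:   ", extract_tokens(SAMPLE_HEADERS, SAMPLE_BODY))
```
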


